On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU’s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (“CSA“) and targeted amendments to the NIS2 Directive (see our blog post for further information on the amendments to the NIS2 Directive). The revised CSA aims to enhance coherence across the EU’s cybersecurity legal framework, reflecting both the evolving threat landscape since the adoption of the Cybersecurity Act in 2019 and an increasingly complex geopolitical environment.

Summary of key changes:

  • ICT supply chain security challenges – the revised CSA introduces a new horizontal framework for assessing ICT supply chain risks across NIS2 ‘critical’ and ‘highly critical’ sectors. Under the proposal, the European Commission would identify “key ICT assets” used by essential and important entities under NIS2.

    The framework sets out EU‑level risk‑assessment mechanisms and minimum protection standards to address ICT supply chain risks. There is an emphasis on “non‑technical risks”, referring to the likelihood of the supplier being subject to negative “influence by a third country” which could cause loss or disruption of the service provided or compromise a product. Where a third country is assessed as posing non‑technical risks to the ICT supply chain, the revised CSA allows the European Commission to designate that country and any entities it controls as ‘high‑risk suppliers’. When designating a supplier as ‘high risk’, the Commission will take into account factors such as: requirements in the third country to report information on software or hardware vulnerabilities to authorities before those vulnerabilities are known to have been exploited; the absence of effective judicial remedies and independent and democratic control mechanisms that can correct the identified security concerns; and incidents involving threat actors controlled by and operating out of that third country. High‑risk suppliers will be subject to restrictions, including exclusion from procurement procedures for the provision of ICT components in key ICT assets, and will be prevented from obtaining EU cybersecurity certification and conformity assessments.

    The revised CSA also includes targeted mitigation measures, such as prohibiting the use of ICT components from such suppliers in key ICT assets. Other potential measures include restrictions on data transfers or remote processing from third countries; additional transparency obligations; third‑party audits of technical measures, including the disabling of any remote or physical access to key ICT assets; restrictions related to operational control, including outsourcing of organisational functions to managed service providers; requirements relating to personnel vetting by the relevant national competent authorities; and diversification of supply of ICT components.
  • Stricter requirements for telecommunications – the revised CSA contains stricter, more onerous, requirements for key ICT assets for mobile, fixed and satellite electronic communications networks. ICT components provided by high-risk suppliers must be phased out within 36 months from the publication of the list of high-risk suppliers. Providers must also stop using, installing or integrating ICT components from high-risk suppliers in the operation of key ICT assets.
  • A more agile certification process – through a renewed European Cybersecurity Certification Framework (ECCF), the revised CSA will implement a more streamlined certification process, aimed at simplifying procedures and shortening timelines, responding to longstanding criticisms that certification is too slow and burdensome. Certification will no longer cover only ICT products, services, processes and managed security services, but will also allow organisations to certify their broader ‘cybersecurity posture’. This will allow organisations to use certification to demonstrate compliance and obtain a presumption of conformity with other EU legislation, such as NIS2.
  • A stronger role for ENISA – the revised CSA will enhance ENISA’s role, particularly in operational cooperation and the exchange of information on cyber threats and incidents. ENISA will oversee European repositories of threats and incidents and issue EU‑wide early alerts of emerging cyber threats. It will also support organisations with ransomware mitigation efforts and support the implementation of the Cybersecurity Skills Academy. In addition, ENISA’s involvement in the development of cybersecurity standards at both European and international level will be strengthened, including work on technical specifications for European cybersecurity schemes. ENISA will also serve as the single entry point for incident reporting proposed under the Digital Omnibus.

Next steps

The proposals will now move through trilogue negotiations with the European Parliament and the EU Council. Progress will take time, with amendments and changes expected as the CSA moves through the legislative process. The proposal is expected to be adopted in late 2026 or, more likely, in 2027. After that, there will be a 12-month period for Member States to implement the Directive into national law and communicate the relevant texts to the Commission.

For organisations both within and outside the EU that are likely to be caught by the proposals, there are some practical steps that can be taken now: reviewing ICT supply chains; assessing the risk of suppliers being designated as ‘high risk’; strengthening internal cybersecurity policies and procedures; and continuing to monitor developments across the EU. Organisations should continue to follow current national rules, while also preparing for the introduction of new certification-based systems, more coordinated oversight and more onerous risk-management requirements.