On 20 January 2026, the European Commission published a new cybersecurity reform package to substantially strengthen the European Union’s cyber resilience and operational capabilities, taking into account the rapid technological developments and the growing cybersecurity threats. The package comprises two proposals: (i) a new regulation – the Cybersecurity Act 2 (CSA2), which will replace the Cybersecurity Act adopted in 2019 (Regulation (EU) 2019/881), and (ii) targeted amendments to the NIS2 Directive (Directive (EU) 2022/2555).

Many EU Member States have only recently completed or are still in the process of transposing the NIS2 Directive into national law. However, in response to the rapidly evolving geopolitical situation and increasingly serious supply chain security risks, the Commission is pressing ahead with strengthening cybersecurity resilience across the Union.

The cybersecurity package aims to make the EU cybersecurity framework more effective and adaptable, to facilitate compliance for NIS2 entities, and to enhance legal certainty. At the same time, the proposals mark a structural shift in the approach to cybersecurity certification, which is being elevated as a compliance and risk-management instrument, and to ICT supply chain security, which becomes a mandatory horizontal EU requirement. The mandate of ENISA (the European Union Agency for Cybersecurity) is also significantly expanded, with the Agency assuming a more operational role in EU cybersecurity governance.

The cybersecurity package complements the EU Digital Omnibus proposal published in November 2025, which, among other things, provides for the establishment of a single-entry point for incident reporting and the alignment of NIS2 requirements with other EU digital legislation.

Below is a summary of the most significant proposals.

Targeted NIS2 amendments: refined scope and new in-scope entities

The targeted amendments to the NIS2 Directive introduce proportionate refinements to the scope of in-scope entities, aimed at reducing the compliance burden while maintaining a high level of cybersecurity. The key amendments are as follows:

Refined scope

The proposal refines definitions across several sectors that have given rise to uncertainties and implementation fragmentation across Member States since the adoption of NIS2, specifically in relation to:

  • Healthcare service providers
  • Electricity producers (a 1 MW generation capacity threshold is introduced)
  • Chemical manufacturers
  • DNS service providers (standard size-cap thresholds apply)

New in-scope entities

The scope of NIS2 in-scope entities is expanded to include:

  • providers of European Digital Identity Wallets
  • providers of European Business Wallets
  • operators of submarine data transmission infrastructure
  • owners, managers, and operators of strategic dual-use infrastructure

New entity category

A new category of “small mid-cap enterprises” is introduced. These entities will be classified as important (rather than essential) entities, thereby reducing the supervisory intensity and compliance burden for a significant number of companies.


Technical requirements harmonisation: one standard for all Member States

While NIS2 remains a minimum-harmonisation directive, the amendments introduce a significant change: where the Commission adopts implementing acts specifying the technical or methodological risk-management requirements, Member States will no longer be permitted to impose additional national requirements on those matters. This effectively creates a uniform level of cybersecurity controls at EU scale, precluding divergent national interpretations.

New ransomware reporting requirements

The NIS2 amendments introduce more harmonised data collection at EU level on ransomware attacks. Entities will be required to report on the attack vectors used and the mitigation measures implemented. Upon request from the authorities, entities will additionally need to disclose whether a ransom demand was received, whether a payment was made, the amount, and the payment method. Companies will need to adapt their incident response procedures accordingly and ensure more granular reporting capabilities.

Post-Quantum Cryptography (PQC)

The proposed NIS2 amendments require Member States to include policies for the transition to post-quantum cryptography in their national cybersecurity strategies, targeting 2030 for critical use cases and 2035 for broader adoption. While no direct implementation obligation is currently imposed on companies, those processing sensitive or long-term encrypted data should proactively assess the integration of PQC into their IT and cyber risk management strategies.

ICT supply chain security – a new mandatory EU framework

The Cybersecurity Act 2 introduces a new horizontal EU-level framework for the security of information and communications technology (ICT) supply chains across all NIS2 sectors, with a particular focus on risks that are non-technical in nature. This represents a significant departure from the previous voluntary approach under the 5G Cybersecurity Toolbox. This framework will have a substantial impact on companies that have so far procured ICT technologies and components from suppliers in high-risk jurisdictions.

Identification of key ICT assets

Based on coordinated EU-level security risk assessments, the Commission will be empowered to identify, by means of implementing acts, which ICT solutions or components should be regarded as “key ICT assets” for NIS2 entities. Components may be designated as key ICT assets where they perform essential or sensitive functions, where exploitation of their vulnerabilities could cause serious supply chain disruptions or data exfiltration, where there is excessive dependency on a particular supplier, or where EU-level risk assessments so warrant.

Designation of high-risk suppliers

The Commission will have the power to designate third countries and entities established in or controlled by such countries as “high-risk suppliers” where serious and structural non-technical risks are identified. The assessment may take into account factors such as vulnerability disclosure obligations to government authorities in the relevant country, lack of effective oversight mechanisms, or substantiated indications of malicious cyber activities. High-risk suppliers may be barred from participation in EU standardisation, certification, public procurement, or EU-funded projects relating to key ICT assets.

Prohibitions and risk mitigation

The Commission will be empowered to impose binding restrictions, including prohibiting specific categories of NIS2 entities from using components from high-risk suppliers in key ICT assets. Additional binding risk mitigation measures may also be imposed, such as supplier transparency requirements, restrictions on data flows to third countries, independent audit requirements, outsourcing restrictions, personnel vetting, or supply source diversification.

Rights of defence and exemption procedure

Designated high-risk suppliers are afforded procedural safeguards – the Commission will share its preliminary findings and provide an opportunity to be heard before a final decision is taken. Listed suppliers may request a reassessment by submitting evidence of significant changes in their structure. Entities established in or controlled by a high-risk third country may submit a reasoned exemption request to the Commission, demonstrating the effective implementation of risk mitigation measures. Exemptions may be time-limited and subject to conditions, including regular audits and reporting obligations. All decisions are recorded in a publicly accessible register.

Supervision and penalties

Compliance enforcement will be organised similarly to the NIS2 framework – primarily in the Member State where the entity is established, with specific rules for cross-border digital service providers and entities registered outside the EU. Infringements of the Commission’s prohibitions or mitigation measures can lead to penalties of up to 7% of global annual turnover for the most serious violations.

Electronic Communications Networks: mandatory phase-out of high-risk components

CSA2 introduces a particularly stringent regime for mobile, fixed and satellite electronic communications networks. Key ICT assets will be pre-defined in an Annex to the Act, and a mandatory obligation to phase out ICT components from high-risk suppliers is imposed. For mobile networks, the phase-out period may not exceed 36 months from the publication of the relevant high-risk supplier list; for fixed and satellite networks, timelines will be set by the Commission via implementing acts.

Network operators are directly prohibited from using, installing, or integrating components from high-risk suppliers in the operation of key ICT assets. Supervision will be carried out in close cooperation between the competent authorities. This regime will have a significant impact on infrastructure planning, procurement, and capital expenditure.

Cybersecurity certification and expansion of ENISA’s mandate

CSA2 substantially transforms the European cybersecurity certification system. The scope of certification is expanded to cover not only ICT products and services but also an organisation’s overall cybersecurity posture. Organisations will be able to obtain EU-recognised certificates attesting to their overall cyber resilience. Where an entity holds such a valid certificate, competent authorities will not be permitted to subject it to additional security audits in areas already covered by the certificate. National certification schemes will cease to apply where an EU scheme covers the same domain.

ENISA’s mandate is significantly expanded, with its budget increased by more than 75%. ENISA will assume a more operational role, including coordinating EU-level security risk assessments, maintaining the European Vulnerability Database, managing the EU Cybersecurity Reserve, running the ransomware assistance service in cooperation with Europol, and operating as a central incident reporting platform.

Next steps

The cybersecurity package is currently at the early stage of the EU legislative process, and its content may still be significantly refined during negotiations. The proposals address strategically sensitive issues relating to technology security and EU autonomy. They are expected to be adopted no earlier than late 2026 or early 2027. The Cybersecurity Act 2, as a regulation, will be directly applicable in all Member States, while the NIS2 amendments will need to be transposed into national law within one year.

This initiative forms part of the broader EU trajectory towards technological sovereignty and regulatory rationalisation, including in the context of the Digital Omnibus and other simplification measures. Companies should proactively assess the potential impact and monitor the ongoing discussions in order to implement the necessary changes and compliance processes in a timely manner.