January 20, 2026 — The European Commission has released a comprehensive revision of the EU Cybersecurity Act, marking the most significant evolution in European cybersecurity policy since the framework’s initial adoption in 2019. The proposal arrives as Europe faces an escalating threat landscape characterized by daily sophisticated cyberattacks targeting critical infrastructure, essential services, and democratic institutions.
The revised Act represents a fundamental shift in how the EU approaches cybersecurity resilience, introducing three interconnected pillars designed to address both technical vulnerabilities and geopolitical supply chain risks while simultaneously reducing the compliance burden that has plagued organizations since NIS2’s implementation.
The Three-Pillar Framework
Pillar 1: Strengthened EU Cybersecurity Agency (ENISA)
ENISA’s transformation from primarily advisory body to operational cybersecurity coordinator represents perhaps the most significant institutional shift in the proposal. The agency gains substantial new capabilities that fundamentally alter how the EU responds to cyber threats.
Operational Mandate Expansion:
- Early Warning System: ENISA will issue real-time threat alerts to companies and stakeholders operating across the EU, functioning as a centralized threat intelligence hub
- Ransomware Response Coordination: Working directly with Europol and national Computer Security Incident Response Teams (CSIRTs), ENISA will coordinate responses to ransomware attacks and support recovery operations
- Vulnerability Management Services: The agency will develop and operate a Union-wide approach to vulnerability disclosure and management, providing standardized services to all stakeholders
Incident Reporting Hub: ENISA will operate the single-entry point for incident reporting proposed under the Digital Omnibus regulation, finally addressing the fragmented reporting requirements that currently plague organizations operating across multiple member states. This consolidation directly responds to years of industry complaints about duplicative and contradictory reporting obligations across NIS2, GDPR, CRA, and other frameworks.
Skills Development Leadership: Recognizing the critical shortage of cybersecurity professionals across Europe, ENISA will pilot the Cybersecurity Skills Academy and establish EU-wide skills attestation schemes. This represents a long-term investment in addressing what many consider the EU’s most pressing cybersecurity challenge beyond technical vulnerabilities.
Pillar 2: Trusted ICT Supply Chain Security Framework
The supply chain security provisions represent the proposal’s most controversial element, introducing mandatory measures that target what EU officials describe as “high-risk third-country suppliers” — terminology that clearly references longstanding concerns about Chinese technology vendors like Huawei and ZTE.
Mandatory Derisking Requirements: The Act will enable mandatory derisking of European mobile telecommunications networks from high-risk suppliers, building on the largely ineffective voluntary 5G Security Toolbox introduced in 2020. The new framework applies across 18 critical sectors and uses a harmonized, risk-based approach that considers:
- Technical product vulnerabilities
- Supplier dependencies and concentration risks
- Foreign interference potential
- Economic impacts and market supply availability
Beyond Technical Security: Critically, the framework acknowledges that supply chain security extends beyond traditional technical assessments. Organizations will need to evaluate geopolitical dependencies, vendor reliability under various scenarios, and the potential for state-sponsored interference — factors that pure technical certifications cannot address.
Sectoral Coverage: The framework applies to companies providing equipment and services for:
- Telecommunications networks
- Data centers
- Cloud services infrastructure
- Connected devices and IoT ecosystems
- Social media platforms
Pillar 3: Streamlined Certification Framework
The European Cybersecurity Certification Framework (ECCF) receives substantial overhauls designed to address its implementation failures. Since 2019, only one scheme — the European Common Criteria (EUCC) — has been formally adopted, while cloud, 5G, digital identity wallet, and managed security service certifications remain stalled in development.
Accelerated Development Timeline: The revised framework introduces a 12-month default timeline for certification scheme development, down from the multi-year delays that have characterized the current system. This timeline includes public consultation periods and stakeholder involvement, making the acceleration all the more remarkable.
Expanded Scope: Beyond traditional ICT products and services, organizations can now certify:
- Organizational Cyber Posture: Companies can obtain certification for their overall security governance, risk management, and supply chain practices
- Managed Security Services: Incident response, penetration testing, security audits, and consultancy services become eligible for EU-wide certification
- Operational Technology Systems: Industrial control systems and OT environments receive dedicated certification pathways
Practical Business Tool: Most significantly, certification becomes a mechanism to demonstrate compliance with EU cybersecurity legislation, potentially reducing audit burden and creating a streamlined path through the regulatory maze. The framework establishes tiered assurance levels (basic, substantial, high) aligned with risk profiles and technical requirements.
International Alignment: The Commission commits to participation in ISO/IEC and ITU-T standards development, ensuring EU schemes remain competitive globally and facilitating third-country manufacturer participation.
NIS2 Simplification: Reducing Compliance Burden
Running parallel to the Cybersecurity Act revision, targeted amendments to the NIS2 Directive aim to address widespread industry criticism about implementation complexity.
Numerical Impact:
- 28,700 companies will benefit from increased legal clarity
- 6,200 micro and small-sized enterprises receive simplified compliance pathways
- 22,500 companies gain relief through a new “small mid-cap enterprise” category with reduced compliance costs
Specific Improvements:
- Jurisdictional Clarity: Simplified rules for determining which member state has supervisory authority for cross-border entities
- Ransomware Data Collection: Streamlined processes for collecting and sharing ransomware attack data across borders
- ENISA Coordination: Enhanced agency role in supervising cross-border entities, reducing conflicts between national authorities
Strategic Implications for Organizations
For EU-Based Companies
Immediate Actions:
1. Supply Chain Assessment: Begin mapping third-country suppliers across critical systems, particularly telecommunications and cloud infrastructure
2. Certification Strategy: Evaluate which certification schemes will provide maximum compliance leverage once the 12-month development timeline begins
3. Incident Reporting Preparation: Prepare for single-entry point implementation by inventorying all current reporting obligations
Mid-Term Planning: Organizations should anticipate mandatory supply chain derisking requirements in critical sectors. Companies heavily dependent on potentially high-risk suppliers should develop contingency plans and alternative vendor relationships. The political nature of “high-risk” determinations means technical compliance alone may not satisfy regulatory expectations.
For Non-EU Suppliers
Market Access Considerations: Third-country suppliers, particularly those from geopolitical competitors, face potential exclusion from critical EU sectors. The framework’s explicit focus on foreign interference and dependencies suggests purely technical certifications may not guarantee market access.
Competitive Response:
- Pursue EU cybersecurity certifications aggressively once streamlined processes become available
- Consider EU data localization strategies or partnerships with EU-based entities
- Prepare for enhanced transparency requirements around ownership, data handling, and government relationships
For Managed Security Service Providers
The certification of managed security services represents significant new market opportunities. MSSPs that achieve EU certification gain:
- Competitive differentiation in a crowded market
- Streamlined compliance demonstration for EU clients
- Potential requirement-by-reference in procurement specifications
Service providers should engage with ENISA’s scheme development process early to ensure certifications align with actual market practices rather than theoretical frameworks.
Timeline and Political Process
Immediate Implementation: Unlike directives requiring national transposition, the Cybersecurity Act regulation becomes directly applicable across all member states immediately upon approval by the European Parliament and Council.
NIS2 Amendments: Member states will have one year following adoption to implement the Directive amendments into national law.
Political Challenges: Analysis from Euronews suggests resistance from some capitals wary of increased EU involvement in national security matters. The supply chain security provisions, in particular, face pushback from member states concerned about sovereignty implications and from industry groups worried about market fragmentation.
Several stakeholders, including major cloud providers, oppose granting ENISA binding regulatory authority, arguing the agency should maintain purely technical and advisory functions. The final legislative text will likely reflect compromises on these points.
Critical Gaps and Ongoing Concerns
Voluntary vs. Mandatory Certification
While most stakeholders support keeping certification voluntary to maintain innovation flexibility, the framework creates tension: how can voluntary schemes deliver the security assurances that critical sectors require? The proposal suggests mandatory certification for specific critical applications, but details remain unclear.
Resource Requirements
ENISA’s dramatically expanded mandate requires commensurate increases in funding and staffing. Current budget allocations through the Digital Europe Programme and Connecting Europe Facility may prove insufficient for the agency’s new operational responsibilities. Previous EU initiatives have foundered on inadequate operational resources — the success of this revision depends heavily on avoiding that pattern.
Geopolitical Complications
The supply chain security framework’s implicit targeting of Chinese vendors, while politically understandable, risks retaliatory trade measures and complicates the EU’s stated commitment to open markets. Excluding suppliers based on nationality rather than demonstrated security failures sets precedent that could fragment global technology markets.
Alignment with Existing Frameworks
Despite explicit goals to harmonize requirements across NIS2, CRA, GDPR, and other regulations, implementation details remain murky. Organizations need concrete guidance on how certifications will map to specific compliance obligations — guidance that likely won’t emerge until after adoption.
Recommendations for CISOs and Security Leaders
Near-Term (Next 6 Months):
1. Monitor legislative negotiations closely — the final text may differ substantially from the proposal
2. Conduct supply chain risk assessment focused on third-country dependencies in critical systems
3. Engage with ENISA’s public consultations on certification scheme development
4. Prepare internal stakeholders for potential supplier changes driven by mandatory derisking requirements
Mid-Term (6-18 Months):
1. Develop organizational certification strategy aligned with business objectives and compliance needs
2. Establish processes for single-entry point incident reporting once operational
3. Build relationships with ENISA-accredited certification bodies
4. Train security teams on new vulnerability disclosure and management processes
Long-Term (18+ Months):
1. Pursue relevant certifications as schemes become available
2. Integrate ENISA threat intelligence and early warning systems into security operations
3. Leverage certifications to streamline procurement and vendor management
4. Participate in Skills Academy initiatives to address talent pipeline challenges
The Bottom Line
The revised Cybersecurity Act represents the EU’s most ambitious attempt yet to build resilient cybersecurity capabilities while reducing the compliance burden that has frustrated organizations since NIS2’s implementation. The proposal’s success depends on execution factors largely beyond the legislation itself: adequate ENISA resourcing, rapid certification scheme development, and political will to resist protectionist pressures that could fragment rather than strengthen European cybersecurity.
For organizations operating in or serving EU markets, the message is clear: cybersecurity is becoming a fundamental market access requirement. The era of security as pure risk management is ending — it’s now a competitive differentiator and regulatory prerequisite. Companies that proactively pursue certification, build supply chain resilience, and align with ENISA’s emerging frameworks will find themselves better positioned not just for compliance, but for the trust-based competition that increasingly defines digital markets.
The European Parliament and Council negotiations will take months, with final adoption unlikely before late 2026. Organizations have a narrow window to influence the process through industry associations and public consultations — a window that’s rapidly closing. The time to act is now.
About this Analysis
This article synthesizes information from the European Commission’s official proposal (COM(2026) 11), European Parliament research documents, and industry analysis. Organizations should monitor official Commission, ENISA, and national competent authority channels for implementation guidance as the legislative process progresses.
For More Information:
- Official EU Cybersecurity Act Proposal: https://digital-strategy.ec.europa.eu/en/library/proposal-regulation-eu-cybersecurity-act
- ENISA Consultations: https://www.enisa.europa.eu/
- European Parliament Analysis: https://epthinktank.eu/
Key Contacts:
- European Commission Press: [Press release available at ec.europa.eu/commission/presscorner]
- ENISA Media Relations: press@enisa.europa.eu
- National Cybersecurity Authorities: Contact your national CSIRT or NIS2 competent authority for country-specific guidance