EU Cybersecurity Act Proposal: Key Provisions, Scope, and Implications for Organisations

On 20 January 2026, the European Commission published a comprehensive new Cybersecurity Package including a Proposal for a revised Cybersecurity Act and targeted amendments to the NIS2 Directive. 

The original framework of the Cybersecurity Act, adopted in 2019, established the basis for the European Cybersecurity Certification System and strengthened the mandate of the European Union Agency for Cybersecurity (ENISA) as the Union’s technical reference authority.

The evolution of the threat landscape in recent years, marked by the rise in attacks targeting critical infrastructure, essential services, and supply chains, together with an increasingly complex geopolitical context, characterised by strategic technological dependencies on third countries and the proliferation of hybrid threats, has highlighted the need to update this framework.

The proposed revision responds to this situation with the objective of strengthening the European Union’s resilience, improving regulatory coherence, and providing operators with a clearer, more effective system that is truly aligned with risk and the operational requirements of the internal market.

Who is it aimed at?

The proposal expands the material and subjective scope of the European cybersecurity framework and primarily affects:

  • Manufacturers and providers of ICT products and services, who will have to comply with broader, more demanding, and more harmonised certification schemes across the European Union.
  • Companies using critical technologies, which will need to align their internal risk management processes with European cybersecurity standards.
  • Operators in essential or highly critical sectors, such as energy, telecommunications, cloud services, digital infrastructure, or financial services, who will have to assess and supervise their exposure to suppliers considered “high risk.”

In addition, the proposal strengthens the role of ENISA and national competent authorities by expanding their supervisory, operational coordination, and incident management functions, as well as their management of certification schemes. Indirectly, the text will also affect end-user companies, including SMEs, which will need to adapt to a more harmonised regulatory environment with increased risk governance requirements.

Main developments

Beyond addressing shortcomings identified since the adoption of the 2019 framework, the proposed revision introduces a more solid, coherent regulatory architecture tailored to the growing complexity of the European digital ecosystem, enhancing the practical effectiveness of the EU’s cybersecurity instruments.

1. Strengthening the European Cybersecurity Certification Framework (ECCF)

The European Commission proposes accelerating the certification system and making it more efficient through clearer procedural rules, simplified timelines, and greater alignment across existing schemes. The aim is for certification to become a practical tool for companies and authorities rather than an additional administrative burden, a recurring criticism since 2019, thereby reducing regulatory duplication and offering greater market predictability.

A notable new feature is the expansion of certification scope: it will no longer be limited to technological products or services but may extend to organisational risk management practices, integrating companies’ internal maturity levels in cybersecurity. Political considerations should not be in scope. This approach responds to the need for a holistic assessment of security, including corporate practices, policies, and governance.

Notably, the Commission explicitly rejected making the certification generally mandatory at this stage. Certification may, however, become de facto mandatory through procurement rules, market expectations, or national requirements.

2. Strengthening ENISA’s Operational and Strategic Role

ENISA will take on new operational functions, including:

  • Managing European repositories of threats and incidents.
  • Issuing EU-wide early warnings.
  • Coordinating cybersecurity exercises under the new European programme.
  • Operating the unified incident notification platform provided for in EU digital legislation.

It will also play a central role in developing and updating EU certification schemes, reinforcing its status as the Union’s technical reference body. This expansion responds to practical challenges identified in implementing the certification framework since 2019.

3. Reinforced Supply Chain Security Measures

One of the most innovative elements is the introduction of mechanisms to identify, restrict, or even exclude suppliers considered “high-risk” across 18 critical sectors of the European economy.

These mechanisms will consider both technical and non‑technical factors, including the potential influence of third states over certain suppliers, in a global environment marked by geopolitical tensions and technological rivalry.

The revision even foresees the unprecedented possibility, at EU level, of withdrawing already deployed products if a supplier is reclassified as high-risk. This could require costly and complex replacements in critical infrastructure, such as energy networks, cloud infrastructures, or telecommunications equipment.

4. Simplification and Regulatory Coherence in the Digital Ecosystem

The Commission acknowledges the increasing regulatory complexity faced by companies, particularly in the interaction between the Cybersecurity Act, the NIS2 Directive, the Cyber Resilience Act, the GDPR, and sector-specific regulations. The revision therefore promotes greater harmonisation not only of technical requirements but also of incident notification procedures, assessment criteria, and governance obligations, to avoid duplication and improve legal clarity.

5. More Agile Procedures and International Alignment

The reform includes modernisation of the procedures for developing and updating certification schemes, incorporating proportionality criteria, international cooperation, and mutual recognition with allied countries. This seeks to facilitate interoperability, reduce regulatory costs for European companies, and position the European framework as a global reference standard. The reform also introduces a 12-month timeline for ENISA to develop candidate schemes under streamlined procedures.

Impact on Companies

The revision of the Cybersecurity Act will have a significant impact on organisations that operate, provide services, or rely on digital infrastructure within the European Union. Its implications can be grouped into five main areas:

1. Governance and Risk Management

Companies will need to demonstrate an advanced level of cybersecurity maturity, establishing policies, processes, and control structures that prove adequate risk management at the organisational level, not solely at product level.

2. ICT Products, Services, Processes and Certification

The expansion of the certification framework will affect cloud, 5G, managed security services, and the cyber posture of entities, which will entail:

  • Greater regulatory pressure on technology providers
  • Increased costs and timeframes associated with placing products on the market in critical sectors
  • An increase in security and reliability for companies that utilise ICT products, services, or technologies provided by third parties

3. Supply Chain and Technological Dependencies

The incorporation of mechanisms to identify and restrict high-risk suppliers will have direct effects on the technological supply chain, including:

  • Ongoing assessment of geopolitical and strategic dependencies
  • Potential replacement of already deployed hardware or software, with economic and operational consequences
  • Review of interconnected critical infrastructures, such as solar inverters, energy equipment, networks, cloud services, or data centres
  • Increased costs and greater dependence on certified suppliers for SMEs and non-technical businesses

And last but not least, the ICT supply chain toolbox may have a chilling effect on the customers of suppliers eligible to be designated high-risk vendors, even if no measures are actually taken.

4. Operations and Incident Response

The strengthened role of ENISA and the unified reporting platform will entail increased reporting obligations and a direct impact on SOC and CSIRT operational capacities.

5. Regulatory Compliance and Administrative Burden

Although the goal is regulatory harmonisation, companies will still need to undertake substantial documentary, technical, and legal adaptation efforts during the transition period.

Next Steps

The proposal will follow the ordinary legislative procedure and must be examined by the European Parliament and the Council before final approval. A period of consultations, technical adjustments, and interinstitutional negotiations is expected before it enters into force.

Strategic Recommendations for Companies

From a preventive perspective, companies are advised to:

  • Review supply chain resilience
  • Strengthen internal cybersecurity policies and update risk analyses
  • Prepare for new certification schemes and update contracts to address potential substitution or migration scenarios
  • Implement robust incident notification and management mechanisms

In the medium to long term, the strategic objective will be to progressively migrate to certified technologies, integrate into European reporting systems, and move toward automation of regulatory compliance.
