European Commission announces new Cybersecurity Package, including proposed amendments to the Cybersecurity Act

Published Date: Feb 4 2026
Related people:
Emma Keeling, Senior Knowledge Lawyer, London
Marie Barani, Knowledge Lawyer, Brussels
Carmela Marquina, Policy Advisor, Brussels
Virginie Liebermann, CE Knowledge Counsel, Luxembourg

On January 20 2026, the European Commission announced its new cybersecurity package, which aims to strengthen the EU’s cybersecurity resilience in response to an evolving threat landscape.

The package introduces measures to simplify compliance rules and risk-management requirements for organisations operating in the EU and is composed of two parts: a proposal to replace the existing Cybersecurity Act 2019 with a new Cybersecurity Act 2 (the Cybersecurity Act 2 Proposal) and a proposal to simplify the NIS2 Directive 2022/2555 (NIS2) and align it with the proposed Cybersecurity Act 2 (the NIS2 Proposal).

Cybersecurity Act 2 Proposal

The Cybersecurity Act 2:

  • introduces new information and communication technologies (ICT) supply chain provisions to reduce the risk to EU supply chains of certain vendors and third countries that pose cybersecurity concerns; 
  • looks to address the limited uptake of the existing European cybersecurity certification framework (ECCF) with schemes expected to be simpler and quicker (within 12 months) to develop. Businesses will be able to certify their broader cybersecurity posture as well as their ICT products, services, processes and managed security services, with certification used to demonstrate legal compliance (including a presumption of compliance with NIS2); and
  • is intended to reinforce and extend the role of the EU Agency for Cybersecurity (ENISA) in supporting the EU and Member States in managing cyber threats. Amongst other things, ENISA will issue alerts of cyber threats and incidents and support essential and important companies through ransomware attacks and responses. ENISA will take a strengthened role in providing guidance, carrying out risk assessments, supporting cybersecurity sandboxes and developing cybersecurity standards. ENISA will manage the certification schemes to ensure EU product safety and operate the single-entry point for incident reporting as proposed by the Digital Omnibus in November 2025.

The proposed ICT supply chain framework under the Cybersecurity Act 2 targets non-technical risks in sectors of high criticality as well as other sectors defined as critical under NIS2. Following a process of risk assessment, the European Commission will have the right to designate, through implementing acts: 

  • a third country as posing cybersecurity concerns where it presents non-technical risks to the ICT supply chain that are serious and structural;
  • high-risk suppliers determined by reference to the supplier entity’s relationship with a third country posing cybersecurity concerns;
  • key ICT assets (determined by reference to specified criteria) used in the manufacturing of products or provision of services by certain NIS2 entities. In the context of mobile, fixed and satellite electronic communications networks, the Cybersecurity Act 2 itself specifies a list of key ICT assets without the need for a further implementing act; and
  • mitigation measures (referenced further below). 

High-risk suppliers will be prohibited from, for example, participating in public tenders to provide ICT components for key ICT assets, unless they obtain an exemption; participating in EU funding programs relating to ICT assets; or obtaining an EU cybersecurity certification.

NIS2 entities will be prohibited from using, installing or integrating ICT components from high-risk suppliers in their key ICT assets (with a requirement to phase out any such existing components). They might also be expected to put in place targeted mitigation measures in relation to their ICT supply chains (including transparency requirements, prohibiting transfers of data to third countries, requiring third party audits of technical measures, restrictions on outsourcing and supplier contracting, diversity of supply requirements and requirements regarding personnel vetting). 

Breach of the ICT supply chain measures may lead to fines of up to 7% of the operator’s worldwide turnover, depending on the nature of the breach.

On January 21 2026, the European Commission also adopted its proposal for a Digital Networks Act (DNA) intended to modernise the rules regarding communications networks and digital infrastructure. The proposal includes an express link between the DNA and the Cybersecurity Act 2 by requiring compliance with the Cybersecurity Act 2 information technology supply chain measures as a condition for an operator to obtain a general authorisation to provide networks and services or individual rights of use of radio spectrum.

NIS2 Proposal 

The NIS2 Proposal makes targeted amendments to NIS2 including, amongst other things: 

  • an extension of the scope of NIS2 to cover digital and business wallet providers, submarine infrastructure operators and dual-use infrastructure (regardless of their size);
  • clarification on the scope of NIS2 with respect to the electricity (>1MW), hydrogen, healthcare and chemical sectors;
  • an easing of the compliance burden for certain micro, small and small mid-cap enterprises; 
  • the potential for Member States to require certain essential and important entities to obtain a cybersecurity posture certificate under the Cybersecurity Act 2 (noting that such certification would not exempt NIS2 entities from their responsibility to comply with their NIS2 obligations);
  • a requirement for essential or important entities that are not established in the EU but offer services in the EU to designate an EU-based representative; and 
  • requirements regarding harmonised data collection in relation to ransomware attacks that could be imposed upon request of the CSIRT or competent authority and/or through the Commission’s implementing acts.

The press release on the cybersecurity package is available here, the Cybersecurity Act 2 Proposal is available here, the NIS2 Proposal is available here and the DNA is available here.
