Privacy & Information Security Law Blog

On January 20, 2026, the European Commission proposed a comprehensive new cybersecurity package aimed at strengthening the EU’s cybersecurity resilience and enhancing its capacity to manage evolving threats. The cybersecurity package proposes revisions to the EU Cybersecurity Act, the EU Directive on measures for a high common level of cybersecurity across the European Union (the “NIS2 Directive”), and the European Cybersecurity Certification Framework (the “ECCF”).

The proposed revisions to the Cybersecurity Act will introduce four key elements:

• ICT Supply Chain Security Framework: A comprehensive framework shall be established to address information and communication technologies (“ICT”) supply chain security challenges in critical infrastructure.
• Enhanced Cybersecurity Certification: The European cybersecurity certification framework will be streamlined and improved to increase efficiency and better respond to market needs.
• Administrative Simplification: New measures will be introduced to reduce administrative requirements deemed unnecessary burdens associated with implementing the NIS2 Directive.
• Reinforcement of ENISA’s Role: The European Union Agency for Cybersecurity (“ENISA”) will be strengthened. EU Member States will be required to support this enhancement by appointing two liaison officers each.

Amendments to the NIS2 Directive proposed by the European Commission include:

• Clarified Scope and Definitions: Amendments will clarify the scope for certain sectors and entities, including healthcare, electricity, hydrogen and chemical providers, and will set clear rules for electricity producers with more than 1 MW of generation capacity.
• New Entity Categories: Small mid-cap enterprises will be designated as important entities, lowering compliance and supervisory burdens. Micro and small-sized Domain Name System service providers will be excluded from the scope.
• Streamlined Risk Management: Maximum harmonisation for cybersecurity risk-management measures and incident reporting will be introduced, supported by European certification schemes to facilitate cross-border compliance.
• Digital Identity & Wallets: Providers of European Digital Identity and Business Wallets will be classified as essential entities and will be subject to cybersecurity obligations regardless of size.
• Supply Chain Security: The Commission will develop guidelines to harmonize and simplify information requests for supply chain security, reducing duplicative administrative burdens.
• Ransomware Reporting: Rules for reporting information regarding ransomware attacks will be introduced. In the event of a ransomware attack, certain entities will be required to report sensitive information (such as whether the entity has paid a ransom and, if so, what amount and to whom) to computer security incident response teams (“CSIRTs”) and national authorities.  The intention is to enable CSIRTs and national authorities to, amongst other things, compile the intelligence and evidence that law enforcement agencies need to disrupt and dismantle ransomware gangs and sanction their operatives.
• Enhanced Cross-Border Supervision: ENISA will support risk analysis and joint supervisory actions for essential and important entities operating across multiple Member States.

The updated ECCF will feature three main changes:

• Expanded and Clarified Scope: The ECCF will be broadened for greater legal certainty and market relevance. Entities will be able to certify ICT products, services, managed security services and their overall cyber posture, supporting compliance and presumed conformity with NIS2 and other EU laws.
• Defined Timelines and Improved Governance: The ECCF will introduce clear deadlines and deliverables, supported by a more efficient and effective governance model. ENISA, as the scheme manager, will be responsible for maintaining certification schemes and must develop candidate schemes within one year of a European Commission request, as a general rule.
• Harmonized Compliance Tools: Certification schemes will serve as practical compliance tools for businesses, fully aligned with existing EU cybersecurity legislation.

The package is to be presented to the European Parliament and European Council for approval.  Once approved, the revised Cybersecurity Act will be applicable immediately, and Member States will have one year to transpose the updated NIS2 Directive into national law.

Read the press release here. Read the revised Cybersecurity Act here. Read the proposed NIS2 amendments here.