The European Union aims to raise its digital defense standards at a time when cyberattacks and hybrid actions have become a daily routine against essential services and democratic institutions. On January 20, 2026, the European Commission unveiled a new cybersecurity measures package with a clear goal: strengthening the resilience and capabilities of the EU in an increasingly sophisticated threat ecosystem where state-sponsored and criminal groups converge.
The core of the package revolves around two key components: firstly, a revision of the Cybersecurity Act to tighten the approach on ICT supply chains and streamline European certification; secondly, specific adjustments to NIS2 to reduce regulatory friction, enhance legal clarity, and bolster coordination, with a more active role for ENISA, the EU Agency for Cybersecurity.
A central idea: supply chains are no longer just “a technical matter”
The Commission starts from a premise that by 2026 is hard to contest: many of the most serious breaches stem not from isolated failures but from dependencies, third parties, and supply chains. In community language, supply security evolves from mere product or service robustness to include provider-linked risks, strategic dependencies, and even external interference in a tense geopolitical context.
Within this framework, the revision of the Cybersecurity Act aims to establish a “trustworthy ICT supply chain security framework”, harmonized and risk-based, to identify and mitigate risks in a coordinated manner across the 18 critical sectors of the EU, taking into account economic impact and market supply availability.
Practical proposal: what does the package entail?
Table — The 4 levers of the European package
| Lever | What changes | Who it impacts most | Purpose |
|---|---|---|---|
| ICT supply chain | Trustworthy, harmonized, and risk-based framework; focus on third-country providers with cybersecurity concerns | Operators, public sector, ICT providers, critical sectors | Reduce dependency and systemic risk |
| European certification | Simpler procedures and more agile default timelines (schemes in 12 months) | Manufacturers, service providers, MSSPs, public procurement | “Cyber-secure by design” and verifiable trust signals |
| Simplified compliance | Targeted changes in NIS2 to clarify jurisdiction and reduce burdens | Companies affected by NIS2 (including SMEs) | Less complexity and improved cross-border supervision |
| ENISA strengthened | Early warning alerts, ransomware support, vulnerability management, coordination | Member states, CSIRTs, critical organizations and companies | Faster response and genuine European coordination |
(Summary based on documentation published by the Commission.)
“Derisking” in mobile networks: the package leverages the 5G toolbox
A particularly sensitive point is mobile networks. The Commission states that the cybersecurity law revision will enable a “mandatory derisking” process for third-country providers considered high risk in mobile networks, supported by work already done with the 5G security toolbox.
Translated to practical terms: Brussels seeks a more robust legal instrument so that the approach isn’t based solely on recommendations or uneven paces among countries, but on a shared capacity to reduce exposure when significant risks are identified.
Certification: less bureaucracy, more market signals
The second major lever is certification. The Commission proposes an overhaul of the European Cybersecurity Certification Framework (ECCF) to make it clearer and more operational, with simplified procedures and an agile principle: by default, certification schemes should be developed within 12 months.
The core idea is twofold:
- For companies, certification is envisioned as a voluntary and practical tool to demonstrate compliance with European regulations and reduce costs and administrative load.
- For the market, ECCF is presented as a competitive asset: a way to elevate trust and security in complex supply chains where buyers (and public procurement) need verifiable criteria.
The Commission also suggests expanding the scope: not only ICT products and services but also processes, managed security services, and even certifying an organization’s cybersecurity posture when the market demands.
NIS2: adjustments to reduce friction and improve coordination
The package also includes amendments to NIS2 aimed at increasing legal clarity and easing compliance. The Commission targets the relief of burden for 28,700 companies, including 6,200 micro and small businesses, and the creation of a new small mid-cap category to reduce compliance costs for 22,500 organizations.
Among the announced changes are simplified jurisdiction rules, improved data collection on ransomware, and more efficient oversight of cross-border entities, with ENISA playing a stronger coordinator role.
ENISA: more than just a technical agency — early alerts, ransomware, and vulnerability management
Since the adoption of the Cybersecurity Act in 2019, ENISA has gained influence within the European ecosystem. With the January 2026 package, the Commission proposes strengthening it to help the EU and Member States understand common threats and improve incident preparedness and response.
Highlighted functions include:
- Issuance of early warning alerts on threats and incidents.
- Support for organizations in responding to and recovering from ransomware, working alongside Europol and CSIRTs.
- Development of an EU approach for better vulnerability management.
- Boosting talent capabilities through the Cybersecurity Skills Academy and European skills accreditation schemes.
On the political level, Executive Vice President Henna Virkkunen framed the package as a response to strategic risks affecting democracy and the economy, and as a step toward ensuring European technological sovereignty.
Timeline: proposal today, negotiations tomorrow
The Commission is now submitting the package to the European Parliament and the Council. As announced, the revised Cybersecurity Act would be applicable after its approval, while amendments to NIS2 would require transposition: Member States would have 1 year to implement the amended Directive into national law once adopted.
Frequently Asked Questions
What does it mean that the EU wants to secure the “ICT supply chain”?
It involves treating cybersecurity as a systemic risk: not only does the software or hardware matter, but also dependencies, providers, subcontractors, and geopolitical risks linked to specific suppliers in critical sectors.
What changes for companies selling technology or services in Europe?
The emphasis is on a more agile and clear certification process and a “secure by design” approach. For manufacturers, integrators, and service providers, European certification could become a trust signal with commercial value, particularly in public procurement and regulated sectors.
Does the Cybersecurity Act revision affect 5G networks and telecommunications?
Yes. The Commission links the new framework to the ability to reduce risks (“derisking”) of high-risk providers in mobile networks, leveraging work already done with the 5G toolbox.
When will the real impact of these measures be felt?
Not immediately: they first need to be negotiated and adopted. However, the package sets the regulatory and market direction: increased supply chain requirements, more focus on certification, and a stronger role for ENISA in coordination and response.