The European Commission proposed a new cybersecurity package to bolster the EU’s cybersecurity resilience and capabilities in the face of growing cyber threats. The package includes a proposal for a revised Cybersecurity Act, which enhances the security of the EU’s ICT (information and communication technologies) supply chains. It aims to ensure that products reaching EU citizens are cyber-secure by design through a simpler certification process. It also facilitates compliance with existing EU cybersecurity rules and reinforces the EU Agency for Cybersecurity (ENISA) in supporting Member States and the EU in managing cybersecurity threats.
The package introduces measures to simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU, complementing the single-entry point for incident reporting proposed in the Digital Omnibus.
As a regulation, the revised Cybersecurity Act will be directly applicable once approved by the European Parliament and the Council of the EU. It is presented alongside proposed amendments to the NIS2 Directive, which will also be submitted for approval. Once the amendments are adopted, Member States will have one year to transpose the Directive into national law and notify the Commission of the relevant texts.
Targeted amendments to the NIS2 Directive aim to increase legal clarity to ease compliance for 28,700 companies, including 6,200 micro and small-sized enterprises. They will also introduce a new category of small mid-cap enterprises to lower compliance costs for 22,500 companies. The amendments will simplify jurisdictional rules, streamline the collection of data on ransomware attacks, and facilitate the supervision of cross-border entities with ENISA’s reinforced coordinating role.
“Cybersecurity threats are not just technical challenges. They are strategic risks to our democracy, economy, and way of life,” Henna Virkkunen, executive vice-president for tech sovereignty, security, and democracy, said in a Tuesday media statement. “With the new Cybersecurity Package, we will have the means in place to better protect our critical ICT supply chains, but also to combat cyber attacks decisively. This is an important step in securing our European technological sovereignty and ensuring a greater safety for all.”
The Union has expanded its legal and policy toolkit through a series of new instruments and measures. The NIS2 Directive strengthens cybersecurity across critical infrastructure, while its sister legislation, the Critical Entities Resilience Directive, sets out physical security requirements. The Cyber Resilience Act raises the cybersecurity baseline for products placed on the market, and the Cyber Solidarity Act builds EU-wide incident response capabilities.
The EU Cyber Blueprint underpins crisis management cooperation at the EU level, defining the roles of the Commission and the High Representative in preparing for and responding to large-scale cyber incidents. The 5G Cybersecurity Toolbox supports security across 5G networks, the European action plan on the cybersecurity of hospitals and healthcare providers targets resilience in the health sector, and the Cybersecurity Skills Academy tackles the widening shortage of cyber talent.
The Commission stated that a shared European cybersecurity approach is essential for protecting Europe’s overall security. The proposal will enhance the cybersecurity resilience of Europe’s critical infrastructures by setting up a horizontal framework for trusted ICT supply chain security. This will allow the EU and Member States to address strategic risks of undue foreign interference and critical dependencies in critical ICT supply chains with targeted and proportionate measures. It will also ensure that operators of electronic communications networks do not rely on high-risk suppliers for their critical assets.
The proposed Cybersecurity Act aims to reduce risks in the EU’s ICT supply chain from third-country suppliers that raise cybersecurity concerns. It sets out a trusted ICT supply chain security framework based on a harmonised, proportionate, and risk-based approach. This will enable the EU and Member States to jointly identify and mitigate risks across the EU’s 18 critical sectors, taking into account economic impacts and market supply.
The Cybersecurity Act proposes a horizontal framework to address security risks linked to third countries that pose cybersecurity concerns. It introduces Union-level coordinated security risk assessments to identify risks and vulnerabilities in specific ICT supply chains.
The framework calls for identifying key assets within ICT supply chains to understand where systemic weaknesses may exist. Based on these assessments, it provides for targeted mitigation measures to address the identified risks. These include, where necessary, prohibitions on the use of ICT components from high-risk suppliers in key ICT assets, grounded in market analysis and a thorough economic impact assessment.
Recent cybersecurity incidents highlighted the major risks posed by vulnerabilities in the ICT supply chains, which are essential to the functioning of critical services and infrastructure. In today’s geopolitical landscape, supply chain security is no longer just about technical product or service security, but also about risks related to a supplier, particularly dependencies and foreign interference.
The Cybersecurity Act will enable the mandatory derisking of European mobile telecommunications networks from high-risk third-country suppliers, building on the work already carried out under the 5G security toolbox.
The revised Cybersecurity Act will ensure that products and services reaching EU consumers are tested for security more efficiently. This will be done through a renewed European Cybersecurity Certification Framework (ECCF). The ECCF will bring more clarity and simpler procedures, allowing certification schemes to be developed within 12 months by default. It will also introduce more agile and transparent governance to better involve stakeholders through public information and consultation.
The ECCF will introduce three main changes. First, the scope of the framework will be clarified and extended to provide greater legal certainty and better reflect market needs. Certification will serve as a form of technical cybersecurity assurance, complemented by an ICT supply chain security mechanism. Entities will be able to certify their overall cyber posture, in addition to ICT products, services, processes, and managed security services. These certificates can then be used to demonstrate compliance and obtain a presumption of conformity with NIS2 and other Union legislation.
Second, the framework will establish clear deadlines and deliverables, alongside a more efficient and effective governance structure for developing and maintaining certification schemes. ENISA, as the scheme manager, will be responsible for maintaining the schemes and for defining legal timelines for their development. As a general rule, following a request from the Commission, ENISA will be required to develop a candidate scheme within one year.
Third, the schemes are intended to function as practical compliance tools for businesses. Each scheme must be aligned with existing cybersecurity legislation, and greater consistency and harmonisation across schemes are expected to reduce the overall compliance burden on companies.
Certification schemes, managed by ENISA, will become a practical, voluntary tool for businesses. They will allow businesses to demonstrate compliance with EU legislation, reducing the burden and costs. Beyond ICT products, services, processes, and managed security services, companies and organisations will be able to certify their cyber posture to meet market needs. Ultimately, the renewed ECCF will be a competitive asset for EU businesses. For EU citizens, businesses, and public authorities, it will ensure a high level of security and trust in complex ICT supply chains.
Since the adoption of the first Cybersecurity Act in 2019, ENISA has grown into a cornerstone of the EU cybersecurity ecosystem. The revised Cybersecurity Act enables ENISA to help the EU and its Member States understand common threats, and to prepare for and respond to cyber incidents.
The agency will further support companies and stakeholders operating in the EU by issuing early alerts of cyber threats and incidents. In cooperation with Europol and Computer Security Incident Response Teams (CSIRTs), it will support companies in responding to and recovering from ransomware attacks. ENISA will also develop a Union-level approach to providing better vulnerability management services to stakeholders. It will operate the single-entry point for incident reporting proposed in the Digital Omnibus.
The proposal for the revised Cybersecurity Act is complementary to the upcoming Cloud and AI Development Act (CADA) and the Digital Omnibus. The CADA will ensure highly critical use cases in the public sector are powered by secure EU-based cloud and AI computing services. The Digital Omnibus aims to simplify the implementation of EU cybersecurity rules.
ENISA will continue to play a key role in further building a skilled cybersecurity workforce in Europe. It will do so by piloting the Cybersecurity Skills Academy and establishing EU-wide cybersecurity skills attestation schemes.
The agency’s role in cybersecurity standardisation will be strengthened to ensure that European and international standards align with EU values and legal requirements, giving the agency a more active hand in shaping how cybersecurity rules are applied in practice. Standards and technical specifications help businesses and public authorities implement cybersecurity obligations and guarantee uniform application of rules across the internal market, particularly those arising from the Cyber Resilience Act.
At the international level, standards also shape state-of-the-art cybersecurity practices and influence how technologies are designed and maintained. In line with the European Standardisation Regulation, ENISA will be more directly involved in developing cybersecurity standards at both European and international levels, support the Commission in assessing harmonised standards, and step in to develop technical specifications, especially for European cybersecurity schemes, where legislative needs are not met by existing standards.