EU Cybersecurity Act 2026: What the Proposed Revision Means for Your Business
Why the Revision Was Necessary
The original Cybersecurity Act, adopted in 2019 as Regulation (EU) 2019/881, established two foundational pillars: a permanent mandate for the European Union Agency for Cybersecurity (ENISA) and a voluntary European Cybersecurity Certification Framework for ICT products, services, and processes. Groundbreaking as it was at the time, the intervening years exposed critical gaps, from fragmented governance to inconsistent uptake of the European certification schemes.
The threat landscape has evolved dramatically. State-sponsored cyberattacks, ransomware campaigns targeting essential services, and the proliferation of hybrid threats have underscored the need for a more robust and coordinated response to modern cybersecurity threats. As ENISA's own analysis of the certification framework confirms, the growing complexity of global ICT supply chains has introduced strategic dependencies on third-country suppliers, creating vulnerabilities that purely technical standards cannot address. In practice, a single supplier issue can cascade into an IT security incident with a strong cross-border dimension, affecting the wider internet ecosystem and multiple regulated companies at once.
The European Commission's proposal for a revised Cybersecurity Act, published on January 20, 2026, responds to these realities. It is part of a broader Cybersecurity Package that also includes targeted amendments to the NIS2 Directive (itself the successor to the original NIS Directive), aiming to reduce regulatory fragmentation, avoid a growing legislative patchwork, and create a unified governance model for digital security across the internal market. This direction also aligns with priorities set out in the European Commission Work Programme and in broader policy messaging (including the annual State of the Union address) around resilience and Europe's digital future.
The Three Pillars of the Revised Regulation
The proposed revision is built on three interconnected pillars, each designed to address a specific dimension of the EU's cybersecurity challenge and to support a high common level of protection through common cybersecurity rules.
A Stronger ENISA
ENISA's role is expanding from a primarily advisory body to an operational powerhouse with a key role in EU cyber security coordination. Under the revised regulation, the agency will manage European repositories of threats and incidents, issue EU-wide early warnings, coordinate cybersecurity exercises, and operate the unified incident notification platform envisioned by the Digital Omnibus package. To support these expanded responsibilities, the Commission has proposed increasing ENISA's budget by more than 75%, and each Member State will designate two liaison officers to facilitate operational cooperation.
This operational shift is intended to complement national authorities (for example, Germany’s BSI—its Federal Office for Information Security—particularly in KRITIS contexts) while ensuring consistent EU-level handling of cross-border issues.
A Modernized Certification Framework
The European Cybersecurity Certification Framework (ECCF) is being overhauled to become a more agile and practical compliance tool. The most significant change is the expansion of certification scope: it will no longer be limited to individual ICT products or services but may extend to an organization's risk management practices and overall cybersecurity posture. This allows organizations to use certification to demonstrate conformity with the NIS2 Directive and other EU legislation, effectively turning it into a strategic compliance instrument.
The reform also introduces a strict 12-month timeline for ENISA to develop candidate certification schemes after a Commission request, addressing the slow pace that has been a recurring criticism since 2019 and a focal point of the broader Cybersecurity Act review. While certification remains voluntary at the EU level, it may become de facto mandatory through procurement rules, market expectations, or national requirements—especially where Member States want certified suppliers for sensitive or critical use cases.
In addition, the revised framework strengthens governance around European certification schemes, including a clearer role for expert coordination bodies such as the European Cybersecurity Certification Group, to streamline scheme development and reduce uncertainty for organizations trying to market products across borders.
An Unprecedented Supply Chain Security Framework
Perhaps the most transformative element is the introduction of a horizontal framework for trusted ICT supply chain security. This provision empowers the Commission to designate third countries posing cybersecurity concerns, identify high-risk suppliers based on both technical and non-technical factors, and define key ICT assets used by entities subject to NIS2. The framework covers 18 critical sectors of the European economy, reflecting the geopolitical dimension of modern cybersecurity.
For many companies, this will impact procurement decisions not just for “core infrastructure,” but also for certain products that now contain software, connectivity, or other digital elements. Depending on final scope and implementing acts, the practical effect may extend into everyday market products—including consumer categories such as connected toys—where supply chain trust and vulnerability management are increasingly viewed as inseparable.
Who the EU Cybersecurity Act Affects
The revised regulation significantly broadens the scope of entities subject to specific Union cybersecurity requirements. The table below summarizes the key stakeholder groups and their primary obligations, including obligations that will apply to many regulated companies operating in the EU.
| Stakeholder group | Primary obligations |
|---|---|
| ICT manufacturers and service providers | Comply with updated certification schemes; prepare for expanded scope covering cybersecurity posture |
| Operators in critical sectors (energy, telecom, cloud, finance) | Assess and manage exposure to high-risk suppliers; ensure no reliance on restricted vendors for key ICT assets |
| Managed security service providers | Align with certification requirements extended by the January 2025 amendment |
| ENISA and national authorities | Expanded supervisory, coordination, and incident management functions |
| SMEs and end-user companies | Adapt to harmonized regulatory environment; potential increased costs from certified supplier requirements |
The enforcement mechanisms are robust. Breaches of the supply chain restrictions can result in fines of up to 7% of worldwide turnover, a penalty structure that signals the seriousness with which the EU views these obligations. High-risk suppliers themselves face exclusion from public procurement, prohibition from obtaining EU cybersecurity certification, and exclusion from EU funding programs.
For organizations, the practical compliance focus will often come down to a few building blocks: supplier due diligence, incident readiness, certification strategy, and governance. While some requirements will hinge on the final text, the direction is clear: be able to evidence trust, resilience, and supplier control, particularly where key ICT assets are involved.
The Legislative Timeline
Understanding where the regulation stands in the legislative process is essential for strategic planning. According to the European Parliament's Legislative Observatory, the proposal is currently undergoing the ordinary legislative procedure (codecision), and the timeline below outlines the key milestones.
| Date | Milestone |
|---|---|
| June 27, 2019 | Original Cybersecurity Act (Regulation (EU) 2019/881) enters into force |
| January 15, 2025 | Targeted amendment adopted, extending certification to managed security services |
| January 20, 2026 | Commission publishes revised Cybersecurity Act proposal (CSA 2.0) |
| March 19, 2026 | EDPB and EDPS publish Joint Opinion on the proposal |
| April 2026 | European Parliament ITRE Committee begins examination; status: awaiting committee decision |
| TBD | Trilogue negotiations between Parliament, Council, and Commission |
The proposal would repeal and replace the original 2019 Regulation entirely. While the final adoption date remains unspecified, organizations should begin preparing now: the direction of travel is clear, and the Cyber Resilience Act and other complementary regulations are already advancing on parallel tracks, together forming a European cybersecurity regulatory stack that will influence how companies build, sell, and operate connected technology in the EU. Some stakeholders also expect follow-on guidance, and potentially a future directive or implementing measures, to clarify sector-by-sector application and supervision.
Strategic Implications: From Compliance to Competitive Advantage
The revised regulation presents both significant challenges and strategic opportunities. On the challenge side, the supply chain security provisions introduce a new dimension of geopolitical risk into procurement and IT strategy. Companies may face the costly prospect of replacing already deployed infrastructure if their vendors are designated as high-risk. The expanded certification and reporting obligations will also require substantial investments in compliance, documentation, and technical adaptation, especially where organizations want to use certification as a repeatable way to demonstrate trust across products, services, and internal operations.
However, organizations that approach this proactively can turn compliance into a differentiator. Achieving certification for overall cybersecurity posture provides verifiable evidence of trust, which is increasingly demanded by enterprise clients and government procurement processes. The harmonization of certification schemes across the EU reduces long-term compliance burdens for companies operating across multiple Member States. Furthermore, staying ahead of the broader cybersecurity landscape positions organizations to anticipate regulatory shifts rather than react to them—whether they build software, deliver managed security services, or manufacture connected hardware with digital elements.
From a preventive perspective, organizations should consider the following strategic actions: review supply chain resilience and map dependencies on third-country suppliers; strengthen internal cybersecurity policies and update risk analyses; prepare for new certification schemes and update contracts to address potential migration scenarios; and implement robust incident notification and management mechanisms aligned with the unified EU platform—so that when an IT security incident occurs, reporting and containment are operationally realistic.
Navigate the Regulation with Confidence
Trust in the digital world must be earned through rigorous, evidence-based practices. As the regulatory environment becomes more demanding, organizations need a partner who can simplify complexity without oversimplifying the risks.
Nemko Digital provides the expertise and authoritative guidance necessary to align your operations with the latest European cybersecurity standards. From comprehensive risk assessments to strategic compliance planning, we help you turn governance into growth. Explore our regulatory compliance services to ensure your organization is prepared for the future of digital regulation, and build the confidence needed to thrive in a secure, interconnected ecosystem.