Strengthening EU cyber resilience: an overview of the new cybersecurity package
The European Commission unveiled a new digital cybersecurity package to strengthen EU cyber resilience and coordination. The package includes the proposed Cybersecurity Act 2 and targeted NIS2 amendments, marking a further step toward a more robust EU cybersecurity framework.
1. The Cybersecurity Act 2
In light of renewed threats from cyber and hybrid attacks, the Commission’s cybersecurity package includes a proposal for a revised Cybersecurity Act, (the “Cybersecurity Act 2” or “CSA2”).[1] These measures aim to reduce fragmentation, support faster, clearer compliance, and raise resilience against evolving cyber threats across critical sectors. The key proposed changes are as follows:
Improving security and reducing risk in ICT supply chains in the EU
- The CSA2 sets out a trusted and harmonised EU-level ICT supply chain security framework for the EU’s critical sectors as referred to in Directive (EU) 2022/2555 (“NIS2”)[2] with a strong risk-based approach. (Articles 98-99, 101)
- The CSA2 empowers the Commission to flag third countries posing systemic non‑technical risks and to identify “key ICT assets” following Union risk assessments. (Articles 100, 102)
- EU-wide mitigation measures are also enabled, such as prohibiting high‑risk suppliers in key assets, data‑transfer limits, third‑party‑audited controls and vetting of personnel. (Article 103)
- Article 104 also requires the Commission to establish a list of high-risk suppliers.
Simplifying and enhancing European Cybersecurity Certification Framework (ECCF)
- The CSA2 aims to streamline and harmonise product and service testing through a renewed ECCF, helping businesses build trust across complex ICT supply chains.
- The ECCF scope is expanded beyond ICT products, services, processes, and managed services to allow organisations themselves to have their cybersecurity posture certified (Article 71), helping reduce compliance burdens and costs.
- ENISA will manage cybersecurity certification schemes, described as a “practical, voluntary tool” for businesses; certification under a scheme provides a presumption of conformity with relevant cybersecurity obligations (Article 78).
Empowering ENISA to strengthen Europe’s cyber resilience
- The CSA2 aims to strengthen the powers of ENISA, and sets out its obligations, organisational provisions and purpose in relation to enforcing EU laws on cybersecurity. (Articles 3-5)
- The CSA2 empowers ENISA to assist Member States in preparing for and responding to cyber threats and incidents.
- ENISA manages the EU Cybersecurity Reserve and a helpdesk to support companies in preventing, responding to, and recovering from ransomware, in cooperation with Europol and CSIRTs. (Article 13)
- To enhance situational awareness, ENISA maintains verified threat intelligence repositories, issues early alerts, and provides technical analyses and regular reports to Union actors (Articles 11–12).
Facilitating compliance with cybersecurity rules
- The CSA2 obliges ENISA to provide tools and technical guidance to help companies in the EU comply with EU cybersecurity rules and risk-management requirements. (Articles 15 and 18)
- Having a ‘single entry point’ for incident reporting also eases the compliance burden on EU companies. (Article 15)
2. Targeted Amendments to the NIS2 Directive
The EU’s latest cybersecurity package also includes a proposal with amendments to the NIS2 Directive (“NIS2 Amendments”)[3] to simplify compliance and provide clearer, more coherent cross‑border supervision in response to evolving cyber threats. The targeted amendments are as follows:
Changes to Scope
- Providers of European Digital Identity Wallets and European Business Wallets are brought into scope, and listed expressly among entities covered by NIS2. (Article 1(1))
- A new definition of a “small mid-cap enterprise” is introduced, as defined in the Annex to Commission Recommendation (EU) 2025/1099.[4] (Article 1(4))
- Small mid-caps will be classified as important entities, which means they will be subject to simpler compliance requirements and lighter supervisory oversight. (Article 1(2))
Simplification and Easing Compliance Burdens
- Any Commission implementing acts specifying cybersecurity risk-management measures under Article 21(5) are fully harmonised, preventing Member States from imposing additional technical or methodological requirements (Article 1(7)).
Strengthening of ENISA’s role
- The scope of entities for which ENISA must create and maintain a registry is to be extended and streamlined to key sectors and service types. (Article 1(11))
- The amendments formalise ENISA’s role in mutual assistance in a new Article 37a. ENISA must analyse cross‑border risks, recommend joint examination teams, issue joint‑supervision guidelines, and, upon request, assist or participate in joint supervisory actions. (Article 1(12))
- ENISA is confirmed as part of the CSIRTs network to support operational cooperation. (Article 1(7))
Other amendments
- The CSA2 introduces harmonised ransomware data collection: implementing acts require reporting of detections, attack vectors, mitigations and, if requested, ransom demands and payments to CSIRTs or competent authorities. (Article 1(8))
- Member States must include policies for the transition to post‑quantum cryptography within national cybersecurity strategies, aligned with EU timelines and requirements (Article 1(5)).
For more information on the proposed Cybersecurity Act or the NIS2 Amendments, please contact your CMS client partner or these CMS experts.
This article is co-authored by Thomas Samuel, Trainee Solicitor.
[1] Proposal for a Regulation for the EU Cybersecurity Act, Shaping Europe’s digital future (European Commission).
[2] Directive (EU) 2022/2555 (NIS2), consolidated text 02022L2555-20221227, EUR-Lex.
[3] Proposal for a Directive as regards simplification measures and alignment with the Cybersecurity Act, Shaping Europe’s digital future (European Commission).