Clifford Chance
Briefings

EU cyber reforms proposed, including overhauled Cybersecurity Act

2 February 2026

On 20 January 2026, the European Commission proposed a new cybersecurity package intended to strengthen the EU's cybersecurity resilience and capabilities. The package responds to the increasing threat of cyber and hybrid attacks on essential services and democratic institutions. It has two parts: the first proposes to amend and restate the EU's Cybersecurity Act with a new version (Cybersecurity Act 2); and the second to amend the NIS2 Directive.

This briefing gives an overview of key changes that are intended to:

  • enhance the security of ICT supply chains in NIS2 "highly critical" or "critical" sectors, particularly regarding foreign suppliers with cybersecurity concerns;
  • simplify the EU Cybersecurity Certification Framework (ECCF) process, notably by relying solely on technical criteria and excluding any sovereignty-related requirements as far as certification is concerned;
  • improve coordination between EU Member States and EU-level actors and support ENISA to act as a central coordinator, including during major cyber incidents, sharing cyber threat intelligence, and vetting suppliers of critical technology; and
  • complement revisions proposed under the EU Digital Simplification Package (Digital Omnibus), including the single-entry point for reporting and the simplification and clarification of the NIS2 regime.