Cybersecurity Act 2.0: Cyber Resilience Through Secure Supply Chains and Certification

The European Commission has introduced the Cybersecurity Act 2 proposal to revise the EU Cybersecurity Act as a key component of the broader cybersecurity package, addressing escalating cyber risks and the increasingly complex threat landscape confronting the EU’s digital infrastructure. (digital-strategy.ec.europa.eu)

On 20 January 2026, the European Commission presented a draft regulation aimed at updating and replacing the EU Cybersecurity Act (Regulation 2019/881). This legislative proposal, known as Cybersecurity Act 2 (CSA2), forms part of a broader package of measures to modernize and streamline the EU cybersecurity framework and is closely linked to the Commission’s parallel proposal to amend Directive (EU) 2022/2555 (NIS2).

This initiative comes against a backdrop of structural weaknesses, slow implementation of the existing certification framework, and growing pressure in a highly competitive global environment. The European digital market faces significant challenges regarding the security of information and communication technology (ICT) supply chains, as well as risks arising from overdependence on certain suppliers.


Key Objectives and Rationale

Cybersecurity Act 2 aims to achieve several strategic objectives:

  1. Strengthening EU Cybersecurity

The proposal seeks to enhance the resilience of critical infrastructures and essential services through more effective mechanisms for preventing, detecting, and responding to cyberattacks, including the hybrid threats that increasingly target public services and democratic institutions.

  2. Securing ICT Supply Chains

The revised framework expands risk management capabilities across ICT supply chains, including mechanisms to reduce dependencies on suppliers that pose security risks. This includes the ability to prohibit or exclude so-called “high-risk” suppliers from critical networks and infrastructure.

  3. Clearer and More Effective Certification Schemes

The European Cybersecurity Certification Framework (ECCF) will be streamlined to simplify the development of certification schemes and provide clearer rules for market access for products, services, and processes. Certification under the new Act will follow the “cyber-secure by design” principle, requiring technologies to be built with integrated security measures from the earliest stages of development.


The Role of ENISA and Certification

The EU Agency for Cybersecurity (ENISA) will continue to play a central role in managing the European cybersecurity framework. Policies foresee that ENISA will:

•  Be strengthened in its support to Member States for incident response and coordination during cross-border cyberattacks (digital-strategy.ec.europa.eu).

•  Develop shared services for vulnerability management and operate as an early-warning hub for emerging threats.

•  Ensure certification schemes cover a broad range of ICT products, services, and processes, including managed security services.

The framework aims to reduce fragmentation within the internal market by providing uniform rules applicable across all Member States, as well as EU-wide recognition of cybersecurity certificates.


Regulatory Context and Strategic Significance

The revision of the Cybersecurity Act forms part of a broader EU regulatory ecosystem, which includes:

•  The NIS2 Directive, expanding cybersecurity obligations across key sectors.

•  The Cyber Solidarity Act, establishing pan-European cooperation mechanisms, including a shared “cyber shield” and incident-sharing mechanisms.

•  Other initiatives such as the Cyber Resilience Act, which sets higher security standards for products with digital components.

Together, these legislative measures build a comprehensive cybersecurity framework designed to ensure operational resilience and improve conditions for businesses within the European digital single market.


Challenges and Next Steps

While the strategic direction is clear, implementing the revised framework poses several challenges:

•  Delays in developing certification schemes: Experts have noted that the slow rollout and limited transparency of certification schemes under the current Cybersecurity Act have been key obstacles.

•  Balancing security and competitiveness: The revision must strengthen security without hindering innovation or the global competitiveness of European companies (DIGITALEUROPE).

The proposal will now undergo discussion and negotiation between the European Parliament and the Council of the EU before becoming a binding regulation at EU level.


Conclusion

Cybersecurity Act 2 represents a significant step forward in European cybersecurity policy, addressing not only technological threats but also strategic risks arising from global dynamics and potential dependencies. Strengthened certification frameworks, clearer rules for supply chains, and an enhanced role for ENISA establish an integrated approach to cyber risk management, shaping the resilience of Europe’s digital market over the next decade.