
New Cybersecurity Package proposed by European Commission

The European Commission recently proposed a new cybersecurity package to strengthen the EU’s cybersecurity resilience and capabilities. Since the adoption of the Cybersecurity Act in 2019, the geopolitical landscape has changed, with a significant worsening of the cyber threat landscape affecting critical sectors in the EU.

The package includes a proposal for a revised Cybersecurity Act (via a new Regulation) and targeted amendments to the NIS2 Directive (via a new Directive). It aims to simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU, complementing the single-entry point for incident reporting proposed in the EU Digital Omnibus Package (previously discussed here).

The revised Cybersecurity Act replaces the existing Cybersecurity Act 2019; strengthens the role of the EU Agency for Cybersecurity (“ENISA”) in supporting Member States and the EU in managing cybersecurity threats; provides a more harmonised European cybersecurity certification framework; and enhances the security of Information and Communication Technology (“ICT”) supply chains.

In addition, targeted amendments to the NIS2 Directive aim to increase legal certainty by simplifying jurisdictional rules, streamlining the collection of data on ransomware attacks and facilitating the supervision of cross-border entities with ENISA’s reinforced coordinating role.

The cybersecurity package is now expected to progress through the ordinary EU legislative process. We are still at the beginning of that process and the texts of the revised Cybersecurity Act and Directive are likely to be subject to intense negotiation.

Key highlights of the revised Cybersecurity Act

Enhanced role for ENISA

The revised Cybersecurity Act strengthens ENISA’s operational capabilities and its role as the central hub for EU cybersecurity. The proposal aims to ensure that ENISA has the resources to carry out its tasks by increasing its budget by more than 75%. Member States would also contribute by each designating two liaison officers to ENISA, facilitating operational cooperation and the exchange of information between Member States.

The revised Cybersecurity Act further facilitates the production of early alerts of a potential or ongoing significant or large-scale incident, or of cross-border cyber threats, by requiring ENISA to develop repositories of cyber threat intelligence, including trends in incidents and in tactics, techniques and procedures. ENISA will collaborate with the European cyber crisis liaison organisation network (“EU-CyCLONe”), the Computer Security Incident Response Teams (“CSIRTs”) network, the European Commission, CERT-EU and other relevant EU entities to develop these repositories.

Furthermore, to assist essential and important entities in preparing for, responding to, and recovering from ransomware incidents, ENISA will co-operate with CSIRTs, Europol or other competent authorities as applicable. ENISA shall establish a helpdesk for this purpose, making use of the enhanced information sharing to achieve synergies in its work against ransomware. In addition, the Explanatory Memorandum highlights the importance of correct and timely information about vulnerabilities, noting that robust vulnerability management is imperative for ensuring a high level of cybersecurity in the EU. To this end, the revised Cybersecurity Act empowers ENISA to develop a common EU vulnerability management capacity and to provide vulnerability management services to stakeholders through the following measures:

  • maintenance of the European vulnerability database;
  • provision of vulnerability management services to stakeholders, building on the database;
  • structured cooperation with organisations providing programmes, registries or databases similar to the European vulnerability database;
  • active support of the CSIRTs with regard to management of the coordinated disclosure of vulnerabilities;
  • the development and maintenance of methodologies and governance; and
  • mechanisms for vulnerability identification and coordinated disclosure.

The extension of ENISA’s mandate will also support education and training on cybersecurity, as the revised Cybersecurity Act clarifies ENISA’s role in the development of skills for the cybersecurity workforce. In this respect ENISA will play a key role in bolstering the skilled cybersecurity workforce in Europe through the development of a publicly available European Cybersecurity Skills Framework and the establishment of cybersecurity skills attestation schemes.

The European Cybersecurity Certification Framework

At present, there are a number of different security certification schemes for ICT products across the EU. The revised European Cybersecurity Certification Framework (“ECCF”) aims to replace this fragmented approach with a more harmonised one through the creation of a common framework of EU-wide cybersecurity certification schemes.

Certification is a means of technical cybersecurity assurance. In addition to ICT products, services, processes and managed security services, entities themselves will be able to certify their cybersecurity posture. This means that entities will be able to use such certificates to demonstrate compliance and obtain a presumption of conformity with NIS2 and other Union legislation.

In terms of implementation, ENISA, as scheme manager, will be responsible for maintaining the schemes. Schemes should serve as compliance tools for businesses, and any scheme must be aligned with existing cybersecurity legislation. Consistency and greater harmonisation across schemes will mean a lower compliance burden for businesses. The European Commission may request ENISA to develop a candidate scheme, to be delivered within 12 months of the request.

In addition, a European Cybersecurity Certification Group shall be established to advise and assist the European Commission in ensuring the consistent implementation of cybersecurity certification rules and in preparing requests for certification schemes, and to assist ENISA in the preparation of candidate schemes and technical specifications and in maintenance activities.

This revised ECCF will harmonise EU-wide cybersecurity certificates, reduce market and compliance barriers for cross-border trading, serve as a compliance tool for businesses, and help purchasers understand the security features of a product or service.

ICT supply chain framework

In addition to the revised ECCF mentioned above, the revised Cybersecurity Act establishes a harmonised, proportionate and risk-based ICT supply chain framework to increase the security of the EU’s supply chain. This binding framework enables Member States to jointly identify and mitigate risks across the EU’s 18 critical sectors. Third countries which pose cybersecurity risks, and key assets in ICT supply chains, will be identified, taking into account economic impacts and market supply.

In terms of mitigation measures, where the risk assessments indicate significant cybersecurity risks in relation to an ICT supply chain, the European Commission may determine, on the basis of market analysis and economic impact assessments, that specific types of entities shall be prohibited from using, installing or integrating ICT components from high-risk suppliers in key ICT assets. Additional mitigation measures include the following:

  • transparency requirements;
  • prohibition of related data transfers;
  • third party audits;
  • restrictions related to operation control and contractual relations;
  • vetting requirements; and
  • diversification of the supply chain.

The revised Cybersecurity Act also provides for the mandatory de-risking of European mobile telecommunications networks from high-risk third-country suppliers. In this respect, measures previously introduced by the EU’s “5G Toolbox” (the measures adopted in 2020 to reduce reliance on high-risk vendors and increase the cybersecurity of 5G networks across the EU) will become binding under the revised Cybersecurity Act: mobile operators will be obliged to replace certain components of their infrastructure within three years of the European Commission publishing a list of high-risk suppliers.

Supervision and enforcement

The revised Cybersecurity Act requires Member States to designate the competent authorities referred to in the NIS2 Directive as being responsible for taking supervisory and enforcement measures. Member States are also required to lay down rules on penalties applicable to infringements of the revised Cybersecurity Act.

The revised Cybersecurity Act provides for fines which vary depending on the nature of the infringement. For example, infringements of the transparency requirements may lead to fines of up to 1% of worldwide annual turnover; infringements of the other mitigation measures may lead to fines of up to 2% of worldwide annual turnover; and infringements of the prohibition on using high-risk suppliers may lead to fines of up to 7% of worldwide annual turnover.

Targeted amendments to the NIS2 Directive

The NIS2 Directive replaced the original NIS (Network and Information Systems) Directive with the aim of strengthening the rules on cybersecurity and incident reporting for organisations operating in critical sectors, including energy, digital infrastructure and ICT service management. It has yet to be implemented into national legislation in Ireland.

The European Commission has stated that the cybersecurity package will complement the EU Digital Omnibus Package published in November 2025. The EU Digital Omnibus Package proposes an amendment to NIS2 to introduce a single-entry reporting point, to be operated by ENISA, for security breaches under NIS2, the GDPR, the Digital Operational Resilience Act (“DORA”) and the Critical Entities Resilience Directive.

The new cybersecurity package aims to further simplify and reduce unnecessary administrative burdens relating to the implementation of the NIS2 Directive. It includes a proposal for a Directive amending NIS2 in an effort to clarify and simplify compliance for regulated entities. The European Commission has stated that the targeted amendments are informed by the experience gained during the transposition and implementation of the NIS2 Directive, as well as by emerging security threats and EU policy developments.

The amendments to the NIS2 Directive, for example, extend the scope of the Directive to cover digital and business wallet providers, submarine data transmission infrastructure operators and dual-use infrastructure (regardless of their size), while removing micro and small domain name system (DNS) entities from the scope of the NIS2 Directive.

In addition, the amendments propose a requirement for essential or important entities that are not established in the EU but offer services in the EU to designate an EU-based representative, as well as requirements for harmonised data collection in relation to ransomware attacks, which could be imposed at the request of the CSIRT or competent authority and/or through implementing acts by the European Commission.

Overall, the changes outlined above aim to streamline company compliance with cybersecurity regulations, provide assurance to customers using products and services in the EU, and bolster the stability and efficacy of cybersecurity protection in the EU.

Contact Us

For more information, please contact any member of our Technology and Innovation Group or your usual Matheson contact.

© 2025 Matheson LLP | All Rights Reserved