The European Commission has unveiled a new digital cybersecurity package to strengthen EU cyber resilience and coordination. The package includes the proposed Cybersecurity Act 2 and targeted NIS2 amendments, marking a further step toward a more robust EU cybersecurity framework.
Cybersecurity Act 2
In light of renewed threats from cyber and hybrid attacks, the Commission’s cybersecurity package includes a proposal for a revised Cybersecurity Act (the Cybersecurity Act 2 or CSA2). These measures aim to reduce fragmentation, support faster, clearer compliance, and raise resilience against evolving cyber threats across critical sectors. The key proposed changes are as follows:
Improving security and reducing risk in ICT supply chains in the EU
- The CSA2 sets out a trusted and harmonized EU-level ICT supply chain security framework for the EU’s critical sectors as referred to in Directive (EU) 2022/2555 (NIS2) with a strong risk-based approach. (Articles 98-99, 101).
- The CSA2 empowers the Commission to flag third countries posing systemic non‑technical risks and to identify “key ICT assets” following Union risk assessments. (Articles 100, 102).
- EU-wide mitigation measures are also enabled, such as prohibiting high‑risk suppliers in key assets, data‑transfer limits, third‑party‑audited controls and vetting of personnel. (Article 103).
- Article 104 also requires the Commission to establish a list of high-risk suppliers.
Simplifying and enhancing the European Cybersecurity Certification Framework (ECCF)
- The CSA2 aims to streamline and harmonize product and service testing through a renewed ECCF, helping businesses build trust across complex ICT supply chains.
- The ECCF scope is expanded beyond ICT products, services, processes, and managed services to allow organizations themselves to have their cybersecurity posture certified (Article 71), helping reduce compliance burdens and costs.
- ENISA will manage cybersecurity certification schemes, described as a “practical, voluntary tool” for businesses; certification under a scheme provides a presumption of conformity with relevant cybersecurity obligations (Article 78).
Empowering ENISA to strengthen Europe’s cyber resilience
- The CSA2 aims to strengthen the powers of ENISA, and outlines its obligations, organizational provisions and purpose in relation to enforcing EU laws on cybersecurity. (Articles 3-5).
- The CSA2 empowers ENISA to assist Member States in preparing for and responding to cyber threats and incidents.
- ENISA manages the EU Cybersecurity Reserve and a helpdesk to support companies in preventing, responding to, and recovering from ransomware, in cooperation with Europol and CSIRTs. (Article 13).
- To enhance situational awareness, ENISA maintains verified threat intelligence repositories, issues early alerts, and provides technical analyses and regular reports to Union actors. (Articles 11–12).
Facilitating compliance with cybersecurity rules
- The CSA2 obliges ENISA to provide tools and technical guidance which will help companies in the EU comply with EU cybersecurity rules and risk-management requirements. (Articles 15, 18).
- Having a “single entry point” for incident reporting also eases the compliance burden on EU companies. (Article 15).
Targeted amendments to the NIS2 Directive
The EU’s latest cybersecurity package also includes a proposal with amendments to the NIS2 Directive (NIS2 Amendments) to simplify compliance and provide clearer, more coherent cross‑border supervision in response to evolving cyber threats. The targeted amendments are as follows:
Changes to scope
- Providers of European Digital Identity Wallets and European Business Wallets are brought into scope, and listed expressly among entities covered by NIS2. (Article 1(1)).
- A new definition of a “small mid-cap enterprise” is introduced as defined in the Annex to Commission Recommendation (EU) 2025/1099. (Article 1(4)).
- Small mid-caps will be classified as important entities, which means they will be subject to simpler compliance requirements and lighter supervisory oversight. (Article 1(2)).
Simplification and easing compliance burdens
- Any Commission implementing acts specifying cybersecurity risk-management measures under Article 21(5) are fully harmonized, preventing Member States from imposing additional technical or methodological requirements. (Article 1(7)).
Strengthening of ENISA’s role
- The scope of entities for which ENISA must create and maintain a registry is to be extended and streamlined to key sectors and service types. (Article 1(11)).
- The amendments formalize ENISA’s role in mutual assistance in a new Article 37a. ENISA must analyze cross‑border risks, recommend joint examination teams, issue joint‑supervision guidelines, and, upon request, assist or participate in joint supervisory actions. (Article 1(12)).
- ENISA is confirmed as part of the CSIRTs network to support operational cooperation. (Article 1(7)).
Other amendments
- The CSA2 introduces a harmonized ransomware data collection: implementing acts require reporting of detections, attack vectors, mitigations, and – if requested – ransom demands and payments to CSIRTs or competent authorities. (Article 1(8)).
- Member States must include policies for the transition to post‑quantum cryptography within national cybersecurity strategies, aligned with EU timelines and requirements. (Article 1(5)).
Katalin Horváth is a partner in the commercial team at CMS Budapest, where she specializes in software, IT and IP law, BankTech/FinTech law, outsourcing, data protection and cybersecurity matters, as well as the legal regulation of artificial intelligence.
This article is co-authored by Thomas Samuel, Trainee Solicitor.