Europe faces daily cyber and hybrid attacks targeting essential services and democratic institutions, driven by increasingly sophisticated state and criminal actors. In response, the European Commission has proposed a new cybersecurity package aimed at strengthening the EU’s resilience and capacity to prevent, detect and respond to cyber threats.
At the core of the package is a revised Cybersecurity Act, designed to enhance the security of Information and Communication Technologies (ICT) supply chains. The proposal introduces a trusted, risk-based framework to reduce dependencies on high-risk third-country suppliers, including mandatory derisking of mobile telecommunications networks. It also streamlines the European Cybersecurity Certification Framework, making certification faster, clearer and more accessible for businesses.
The package further simplifies compliance with EU cybersecurity rules through targeted amendments to the NIS2 Directive, easing regulatory burdens for thousands of companies, including small and mid-sized enterprises. In parallel, the role of the EU Agency for Cybersecurity (ENISA) is strengthened, enabling it to issue early warnings, support responses to ransomware attacks, manage vulnerabilities, and help develop a skilled cybersecurity workforce across Europe.
The proposed Cybersecurity Act will apply immediately once approved by the European Parliament and the Council, while Member States will have one year to transpose the accompanying NIS2 amendments into national law.