The European Commission has presented a new EU cybersecurity package aimed at strengthening the resilience of digital systems and improving how cyber risks are managed across the European Union. The proposal focuses on improving the security of information and communication technology (ICT) supply chains, simplifying compliance for businesses, and reinforcing the role of the EU Agency for Cybersecurity (ENISA) in responding to cyber threats.
The package includes a proposal to revise the Cybersecurity Act, with the goal of ensuring that digital products and services used across the EU meet stronger security expectations from the design stage onward. The Commission said the initiative responds to growing risks linked to cyber incidents, supply chain weaknesses, and increased reliance on complex digital infrastructure.
Revised Cybersecurity Act Targets Supply Chain Risks
A central element of the EU cybersecurity package is the revision of the Cybersecurity Act, which introduces a shared framework for managing security risks in critical ICT supply chains. The framework is designed to help the EU and its Member States identify and address vulnerabilities that could affect essential services and infrastructure.
Under the proposal, products and services reaching EU users would be subject to a clearer and more efficient certification process. This process aims to confirm that security requirements are met before products are widely deployed. The revised framework also seeks to reduce fragmentation by aligning certification with existing EU cybersecurity rules, allowing companies to demonstrate compliance more easily.
The proposal introduces coordinated risk assessments at the Union level to identify vulnerabilities within specific ICT supply chains. These assessments would examine key assets, dependencies, and potential points of exposure. Where risks are identified, targeted mitigation measures could be applied, including limits on the use of certain suppliers for critical components when justified by risk analysis and economic impact reviews.
The revised Act also strengthens the operational role of ENISA. The agency would support Member States by issuing early alerts on cyber threats, coordinating responses to major incidents, and helping organizations recover from attacks such as ransomware. ENISA would also manage a single reporting entry point for cyber incidents, simplifying how companies share information with authorities.
Simplified Compliance and Expanded Certification Framework
The EU cybersecurity package also proposes targeted amendments to the NIS2 Directive to improve legal clarity and reduce compliance burdens for companies operating in the EU. The Commission estimates that the changes would affect more than twenty-eight thousand organizations, including several thousand small enterprises.
The amendments introduce a new category of small mid-cap enterprises, designed to lower reporting and compliance costs while maintaining baseline security expectations. The proposal also aims to simplify jurisdiction rules for companies operating across borders and improve the collection of data related to ransomware incidents.
A key component of the revised approach is an updated European Cybersecurity Certification Framework. The framework would clarify its scope and allow certification not only for products and services, but also for organizational cyber posture. Certified entities could use these certificates to demonstrate conformity with EU cybersecurity rules.
The framework sets clearer timelines for developing certification schemes, with ENISA expected to deliver new schemes within one year following a request from the Commission. The goal is to make certification a practical tool that supports compliance rather than adding complexity.
The Commission noted that recent cyber incidents have shown how weaknesses in ICT supply chains can disrupt essential services. The proposal emphasizes that supply chain security involves both technical safeguards and an understanding of dependencies that may increase exposure to cyber threats. This focus is central to the EU cybersecurity package.
Once approved by the European Parliament and the Council, the revised Cybersecurity Act would apply directly across the EU. Member States would then have one year to implement the related amendments to the NIS2 Directive into national frameworks.
The EU cybersecurity package aims to improve coordination, reduce risk, and ensure that digital systems supporting critical services remain secure as cyber threats continue to evolve.