Client Alert

January 23, 2026

Firewalling the Future or Spicing Up a Known Recipe? Unpacking the New Cybersecurity Act Proposed Reform


On 20 January 2026, the European Commission published another comprehensive proposal (the Cybersecurity Act 2) to revise the European Union’s cybersecurity legal framework. The main areas of focus are (again) significant reforms to the European Union Agency for Cybersecurity (ENISA), the European Cybersecurity Certification Framework (ECCF), and the establishment of a horizontal framework for ICT supply chain security. The initiative aims to address evolving cyber threats, enhance operational cooperation, and promote strategic autonomy and resilience across the EU’s digital ecosystem. But it is primarily a spicing up, rather than a new recipe.

Key Drivers and Objectives

The proposal responds to four perceived challenges: (i) the misalignment between the EU’s cybersecurity policy framework and stakeholders’ needs; (ii) stalled implementation and limited uptake of the ECCF; (iii) the complexity and fragmentation of cybersecurity-related policies; and (iv) increasing ICT supply chain security risks. The overarching objectives are to strengthen cybersecurity capabilities and resilience, and to prevent fragmentation within the single market by supporting harmonized instruments and frameworks. 

Specific objectives as put forward by the European Commission include:

  • Enhancing ENISA’s capacity for policy implementation and operational cooperation.
  • Broadening and streamlining the ECCF to accelerate scheme development and uptake.
  • Facilitating compliance through coherent mechanisms across horizontal and sectoral frameworks.
  • De-risking critical ICT supply chains from high-risk suppliers and reducing dependencies.

Each is briefly described below.

Another ENISA Reform: A Giant With Clay Feet?

The proposal envisages a further reform of ENISA’s mandate, expanding its financial and human resources to reflect its enhanced role. ENISA’s mission is redefined to support Member States and Union entities in achieving high levels of cybersecurity, resilience, and trust. Key areas of focus include:

  • Supporting consistent implementation of Union policy and legislation.
  • Facilitating operational cooperation and shared situational awareness.
  • Leading cybersecurity certification and standardization efforts.
  • Implementing the Cybersecurity Skills Academy to address workforce gaps.

Even if this sounds very much like what ENISA is already doing, there are some new elements worth pointing out, such as the increased role in international cooperation and the further emphasis on technical guidance and best practices. The Agency’s governance structure is revised to include a Deputy Executive Director, an Advisory Group, and a Board of Appeal, with clear procedures for appeals and judicial remedies. Improved governance can only be beneficial for the agency.

European Cybersecurity Certification Framework (ECCF)

The ECCF is allegedly going through a reform with the proposal seeking to provide a more harmonized approach to the certification of ICT products, services, processes, managed security services, and the cyber posture of entities. Key features include:

  • Streamlined procedures for scheme development, adoption, and maintenance.
  • Clear security objectives and assurance levels (“basic”, “substantial”, “high”) tailored to risk profiles.
  • Mechanisms for conformity self-assessment and third-party certification.
  • Automatic recognition of certificates and statements of conformity across Member States.
  • Alignment with existing Union legislation, including the NIS2 Directive and the Cyber Resilience Act, to facilitate compliance and reduce administrative burdens.

With the exception of the NIS2 and CRA elements, nothing is really changing fundamentally here, except for one crucial element, again on governance. The ECCF governance model is strengthened through the establishment of the European Cybersecurity Certification Group (ECCG), annual stakeholder assemblies, and peer review mechanisms to ensure consistency and quality. One should hope that, if achieved, those mechanisms will increase the level of trust and confidence in the agency.

ICT Supply Chain Security Framework

A new horizontal framework is introduced to address non-technical risks in ICT supply chains, particularly those posed by high-risk suppliers from third countries. The framework provides for:

  • Union-level coordinated risk assessments to identify key ICT assets and appropriate mitigation measures.
  • Prohibitions on the use of ICT components from designated high-risk suppliers in critical sectors, with transition periods for phasing out such components.
  • Procedures for exemptions, rights of defense, and public registers of decisions.
  • Exclusion of high-risk suppliers from Union funding programs and public procurement related to key ICT assets.

The framework aims to harmonize approaches across Member States, reduce vulnerabilities, and ensure the integrity and resilience of critical infrastructure.

Cybersecurity Skills and Workforce Development

The proposal reinforces the mandate of ENISA in developing and maintaining the European Cybersecurity Skills Framework (ECSF) and European individual cybersecurity skills attestation schemes. These initiatives are designed to:

  • Standardize cybersecurity role profiles and skills across the Union.
  • Support employers, including SMEs, in recruiting qualified professionals.
  • Promote skills portability and address the cybersecurity talent gap.

Authorized attestation providers must meet stringent criteria to ensure trustworthiness and independence from high-risk third countries.

Governance, Evaluation, and Implementation

The regulation establishes robust governance, monitoring, and evaluation mechanisms, including regular independent assessments of ENISA’s performance and the effectiveness of the ECCF and ICT supply chain framework. The proposal repeals Regulation (EU) 2019/881, ensuring continuity of ENISA’s operations and legal obligations.

What’s Next?

With the proposal now launched, the next stage is the EU’s legislative co-op mode: the European Parliament and the Council will review, debate, and level up the text before it becomes law. Expect rounds of discussions, amendments, and input from all corners of the EU’s cyber community. Once adopted, Member States and stakeholders will get a detailed roadmap for rolling out the new rules, with ENISA leading the charge on implementation, training, and support.

Regular “boss checks” (independent evaluations) will keep everyone honest, with progress reports every five years to make sure the Act is delivering on its promises. Stakeholders should keep an eye out for updates on the adoption process, new guidance from ENISA, and opportunities to get involved in shaping the future of EU cybersecurity.

The journey doesn’t end here – and spicing up a known recipe is likely very necessary when cybersecurity tastes are getting more sophisticated.