Europe’s digital backbone is under increasing strain as cyber-sabotage, ransomware and foreign interference become everyday realities.
In response, the European Commission announced a wide-ranging review of cybersecurity law and set out a new strategy to secure technology supply chains, reduce exposure to high-risk vendors, and strengthen the EU’s collective capacity to prevent and respond to cyber crises.
The proposal marks a shift from piecemeal defenses to a more coordinated security-by-design approach aimed at protecting critical services, businesses and citizens across the bloc.
The proposed reforms aim to future-proof the EU’s digital ecosystem by strengthening supply chain security, simplifying business rules and significantly expanding the role of the EU Cyber Security Agency (ENISA).
This new cybersecurity package is designed to strengthen Europe’s resilience at a time when cyber risks are no longer purely technical but strategic.
Strategic response to the changing threat landscape
Recent cyber incidents have revealed how deeply Europe’s economies and societies depend on secure information and communication technologies (ICT).
Vulnerabilities in software, hardware, and managed services can ripple across borders and disrupt critical infrastructure, from energy and transportation to healthcare and finance.
The revised Cybersecurity Act recognizes that supply chain security extends beyond product defects to supplier dependencies, foreign interference, and geopolitical risks.
In response, the European Commission is proposing a trusted ICT supply chain security framework built on a harmonized, risk-based approach that can be applied consistently across the EU’s 18 key sectors.
This framework will enable the EU and Member States to jointly identify and mitigate risks, balancing security needs with economic impact and market supply considerations.
De-risking high-risk suppliers in critical networks
One of the most important elements of the Cybersecurity Act is its focus on reducing exposure to high-risk third-country suppliers, particularly in mobile communications.
Building on existing initiatives under the EU’s 5G security toolbox, the proposed amendments will enable mandatory risk-mitigation measures where suppliers raise significant cybersecurity concerns.
This reflects a growing recognition that strategic dependencies in ICT infrastructures can lead to system-wide security vulnerabilities and marks a shift from voluntary coordination to enforced action.
Cybersecurity certification for Europe made faster and easier
To ensure that products and services provided to EU citizens are secure by design, the amended Cybersecurity Act will overhaul the European Cybersecurity Certification Framework (ECCF).
Certification schemes will be developed within 12 months by default, replacing longer and more complex processes.
With increased stakeholder engagement and public consultation, the framework’s governance will become more transparent and inclusive.
Managed by ENISA, this certification is voluntary but practical: it allows companies to demonstrate compliance with EU cybersecurity law while reducing administrative costs.
Importantly, certification goes beyond traditional ICT products and services. It also enables organizations to certify their overall cyber posture, helping them meet market expectations and build trust across complex supply chains.
For EU companies, the ECCF is positioned as a competitive advantage, signalling security and reliability to consumers and public authorities.
Simplifying procedures and clarifying compliance
In parallel with the Cybersecurity Act, the European Commission has proposed targeted amendments to the NIS2 Directive to reduce the compliance burden. These changes are expected to benefit approximately 28,700 companies, including more than 6,000 small and medium-sized enterprises.
A new “small and medium-sized enterprise” category will reduce compliance costs for an additional 22,500 businesses. The proposed amendments also aim to clarify jurisdictional rules, streamline ransomware data collection, and improve oversight of cross-border organizations by giving ENISA a stronger coordinating role.
Together, these measures complement the proposed single entry point for incident reporting under the Digital Omnibus.
ENISA’s expanding role as the center of EU cyber defense
Since the enactment of the first cybersecurity law in 2019, ENISA has become the cornerstone of Europe’s cyber defense architecture.
The revised law significantly expands ENISA’s powers, allowing the agency to issue early warnings of emerging threats, support responses to ransomware attacks, and improve vulnerability management across the Union.
ENISA works with Europol and national computer security incident response teams to help organizations recover from major incidents.
Beyond crisis response, the agency will invest in long-term resilience by piloting a cybersecurity skills academy and rolling out an EU-wide skills certification scheme to address growing talent shortages.
Strengthening EU cybersecurity
Once approved by the European Parliament and the European Council, the amended Cybersecurity Act will apply immediately. Member States will then have one year to transpose the accompanying NIS2 amendments into national law.
As cyber threats continue to evolve every day, the amended Cybersecurity Act represents the EU’s most ambitious effort to date to secure our digital future, turning resilience, trust and collaboration into Europe’s strategic assets.