
EU Proposes Cybersecurity Act 2 and NIS2 Amendments to Strengthen Cyber Resilience

By whois-secure, May 15, 2026

Introduction

In response to escalating cyber threats and the rapid evolution of technology, the European Commission unveiled a comprehensive cybersecurity reform package on January 20, 2026. This package includes the proposed Cybersecurity Act 2 (CSA2) and targeted amendments to the Network and Information Security Directive (NIS2). These initiatives aim to bolster the European Union's cyber resilience, streamline compliance processes, and enhance the security of the ICT supply chain.

Overview of the Cybersecurity Act 2 (CSA2)

The proposed CSA2 seeks to replace the original Cybersecurity Act of 2019 by expanding the mandate of the European Union Agency for Cybersecurity (ENISA). Key objectives include:

  • Strengthening ENISA's Role: ENISA is set to assume a more operational role, coordinating EU-level security risk assessments, managing the European Vulnerability Database, and overseeing the EU Cybersecurity Reserve.
  • Facilitating Cybersecurity Certification: The act aims to simplify the adoption of cybersecurity certification schemes, providing clarity on ENISA's advisory role and promoting the uptake of certifications across member states.
  • Enhancing ICT Supply Chain Security: CSA2 introduces measures to address risks within the ICT supply chain, including non-technical threats, to ensure a more secure digital infrastructure.

These initiatives are designed to create a robust ecosystem where security and privacy are integrated seamlessly, fostering trust and resilience across the EU's digital landscape.

Targeted Amendments to the NIS2 Directive

The proposed amendments to the NIS2 Directive aim to refine its scope and introduce new in-scope entities to better address emerging cybersecurity challenges. Notable changes include:

  • Refined Scope: Definitions across several sectors, such as healthcare service providers, electricity producers, chemical manufacturers, and DNS service providers, have been clarified to reduce compliance burdens and implementation fragmentation among member states.
  • New In-Scope Entities: The amendments expand the directive's scope to include providers of European Digital Identity Wallets, European Business Wallets, operators of submarine data transmission infrastructure, and owners or operators of strategic dual-use infrastructure.
  • Introduction of 'Small Mid-Cap Enterprises': A new category is introduced to classify certain entities as 'important' rather than 'essential,' thereby reducing supervisory intensity and compliance obligations for a significant number of companies.

These amendments aim to create a more effective and adaptable cybersecurity framework, facilitating compliance for NIS2 entities and enhancing legal certainty across the EU.

Harmonization of Technical Requirements

To ensure a uniform level of cybersecurity controls across member states, the amendments propose that when the European Commission adopts implementing acts specifying technical or methodological risk-management requirements, member states will be prohibited from imposing additional national requirements on those matters. This harmonization is intended to reduce administrative burdens and create a consistent cybersecurity landscape throughout the EU.

Enhanced Ransomware Reporting Requirements

Recognizing the growing threat of ransomware attacks, the amendments introduce more harmonized data collection at the EU level. Entities will be required to report on attack vectors used and mitigation measures implemented. Additionally, upon request from authorities, entities must disclose whether a ransom demand was received, whether a payment was made, the amount, and the payment method. ENISA will play a central role in coordinating these efforts, including operating as a central incident reporting platform and managing the EU Cybersecurity Reserve.

Implications for Organizations

Organizations operating within the EU should proactively assess the potential impact of these proposed changes. Key considerations include:

  • Compliance Obligations: Entities must stay informed about the evolving regulatory landscape to ensure timely compliance with new requirements.
  • Supply Chain Security: Organizations should evaluate their ICT supply chains to identify and mitigate potential risks in line with the proposed measures.
  • Incident Reporting: Enhanced reporting requirements necessitate the development of robust incident response plans and procedures to meet new obligations.

By proactively addressing these areas, organizations can better navigate the changing regulatory environment and strengthen their cybersecurity posture.

Next Steps and Timeline

The cybersecurity package is currently at the early stage of the EU legislative process, and its content may still be refined during negotiations. The proposals address strategically sensitive issues relating to technology security and EU autonomy and are expected to be adopted no earlier than late 2026 or early 2027. The Cybersecurity Act 2, as a regulation, will be directly applicable in all member states, while the NIS2 amendments will need to be transposed into national law within one year.

Organizations should monitor ongoing discussions and legislative developments to implement necessary changes and compliance processes in a timely manner.

Conclusion

The European Commission's proposed Cybersecurity Act 2 and amendments to the NIS2 Directive represent significant steps toward enhancing the EU's cyber resilience. By strengthening ENISA's role, harmonizing technical requirements, and introducing new reporting obligations, these initiatives aim to create a more secure and unified digital environment. Organizations must stay vigilant and proactive in adapting to these changes to ensure compliance and protect against evolving cyber threats.

For more detailed information, refer to the official announcements and analyses:
