Brussels Rewrites Its Cyber Rulebook — and Puts Foreign Tech Suppliers on Notice

News & Analysis
May 18, 2026
A red padlock resting on a laptop keyboard, symbolising the digital security threats the EU's revised Cybersecurity Act is designed to counter. Photo by FlyD on Unsplash.
  • The European Commission's Cybersecurity Act 2 (CSA2) expands ENISA's mandate dramatically — from a coordination body to an active cyber threat responder, including ransomware incident support and bloc-wide threat intelligence sharing.
  • A new ICT supply chain security framework empowers the EU to designate "high-risk" suppliers and restrict their access to critical sectors, extending the logic of the 5G Huawei toolbox to all ICT infrastructure.
  • NIS2 amendments simplify compliance for companies operating across borders — introducing a single reporting point, clearer jurisdictional rules, and streamlined ransomware notification.

What Changed, and Why Now

On 20 January 2026, the European Commission proposed the most significant overhaul of the EU's cybersecurity framework since the original Cybersecurity Act of 2019. The package arrives amid escalating pressure: daily cyber and hybrid attacks on essential services and democratic institutions have exposed the limits of the existing architecture, and years of fragmented national implementation of NIS2 have produced compliance headaches without commensurate security gains.

The package has two components. The first is a fully revised Cybersecurity Act — internally called CSA2 — that would repeal and replace the 2019 regulation. The second is a targeted amendment to the NIS2 Directive, folded into the EU's broader Digital Omnibus simplification effort.

ENISA Steps Up

The most consequential change is what CSA2 does to ENISA, the EU Agency for Cybersecurity. Under the current framework, ENISA is largely a coordination and advisory body. Under CSA2, it becomes a genuine operational actor.

ENISA would gain the power to issue early alerts on cyber threats, coordinate responses to ransomware attacks alongside Europol and the EU CSIRTs network, and develop vulnerability management services across the bloc. It would also take on a larger role in vetting suppliers of critical technology — a function that goes well beyond anything it currently does.

Industry bodies that submitted positions during the consultation period welcomed the expanded mandate but urged that ENISA be positioned as a "trusted EU coordination hub" rather than a compliance enforcer. That distinction will matter as the legislation moves through Parliament and Council negotiations.

Foreign Suppliers in the Crosshairs

The most politically sensitive element is the new ICT supply chain security framework. It introduces a harmonised EU mechanism for identifying critical ICT assets, assessing supply chain risks, and — where necessary — restricting or phasing out equipment from suppliers linked to countries posing cybersecurity concerns.

In practice, this formalises and extends the approach already embedded in the 5G security toolbox, which several member states used to restrict Huawei and ZTE from their 5G networks. CSA2 extends that logic beyond 5G to ICT supply chains broadly, and makes the mechanism EU-wide rather than dependent on individual national decisions.

The Commission may, after coordinated risk assessments with member states, designate high-risk suppliers and impose mitigation measures — including limitations on their use in essential sectors or mandatory phase-out requirements with defined transition periods.

Simplifying the Compliance Maze

The NIS2 amendments address a separate but equally real problem: the regulation, while sound in principle, has produced a patchwork of national implementations — different scope thresholds, reporting timelines, and conflicting requirements. Companies operating across multiple member states have navigated genuinely contradictory rules.

The Commission targets three specific pain points. A single-entry point for incident reporting replaces the current system, in which companies file separately with each relevant national authority. Ransomware reporting requirements are streamlined. Jurisdictional rules that determine which member state's regime applies to a given entity are clarified.

The changes are estimated to reduce compliance costs for thousands of companies while maintaining — and in some areas strengthening — the underlying security requirements.

What This Means

The CSA2 package is less a revolution than a long-overdue upgrade. The 2019 framework was built for a different threat environment and a less integrated digital single market. What Brussels is proposing now is a system with real operational weight: an agency that can act, a certification framework that works in practice, and a supply chain security mechanism with genuine enforcement teeth.

The foreign supplier rules will be watched closely in Beijing and Washington alike. The framework does not name countries or vendors, but its architecture — risk assessments, coordinated designations, phase-out requirements — is precisely the toolkit needed to extend the Huawei precedent to the rest of Europe's critical digital infrastructure. Whether Parliament and Council preserve that ambition through legislative negotiations is the open question.

EU Insider
EU Insider Newsroom