European Commission proposes new cybersecurity package to strengthen ICT supply chains

January 23, 2026 at 1:51 PM GMT+8

The European Commission has unveiled a new cybersecurity package aimed at reinforcing the European Union’s (EU) resilience against growing digital threats. Central to the package is a revised Cybersecurity Act, which seeks to secure the EU’s Information and Communication Technology (ICT) supply chains and ensure products are cyber-secure by design.

According to a press release, the updated Act introduces a streamlined European Cybersecurity Certification Framework (ECCF) to simplify testing and certification of ICT products, services, and processes. Certification schemes, which are managed by the EU Agency for Cybersecurity (ENISA), will remain voluntary but provide businesses with a practical tool to demonstrate compliance with EU rules while reducing costs and administrative burdens. The framework is designed to allow new certification schemes to be developed within 12 months and to improve transparency and stakeholder involvement.

Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, said, “With the new Cybersecurity Package, we will have the means in place to better protect our critical ICT supply chains but also to combat cyber attacks decisively. This is an important step in securing our European technological sovereignty and ensuring a greater safety for all.” 

The legislation also addresses risks from high-risk third-country suppliers, extending measures already applied in the 5G security toolbox to wider European mobile networks. It establishes a harmonised, risk-based framework to identify and mitigate supply chain vulnerabilities across 18 critical sectors, taking economic and market impacts into account.

Complementing these measures, targeted amendments to the NIS2 Directive will simplify compliance for over 28,000 companies, including small and mid-sized enterprises, clarify jurisdictional rules, streamline ransomware reporting, and enhance ENISA’s oversight of cross-border entities.

ENISA will play an expanded role under the revised Act, providing early threat alerts, coordinating incident responses with Europol and national CERTs, managing vulnerabilities, and operating the single entry point for incident reporting. It will also continue to develop cybersecurity skills across the EU through initiatives like the Cybersecurity Skills Academy and EU-wide attestation schemes.

Once approved by the European Parliament and the Council, the Cybersecurity Act will apply immediately. Member States will have one year to implement the NIS2 amendments into national law and report back to the Commission.