EU revamps Cybersecurity Act to protect critical infrastructure
Europe faces rising cyber threats, from ransomware and sabotage to foreign interference. In response, the European Commission has unveiled a major overhaul of the Cybersecurity Act. The plan focuses on securing technology supply chains, reducing risks from high-risk vendors, and improving the EU’s ability to prevent and respond to cyber crises.
The reforms move Europe from fragmented cyber defenses to a coordinated, security-by-design approach aimed at protecting critical services, businesses, and citizens.
Strengthening the digital backbone
Recent cyber attacks show how much Europe depends on secure information and communication technologies (ICT). Weaknesses in software, hardware, and managed services can disrupt energy, transport, healthcare, and finance sectors across borders.
The new Cybersecurity Act recognises that supply chain security extends beyond product flaws. It now includes supplier dependencies, foreign interference, and geopolitical risk. The Commission proposes a trusted ICT supply chain framework that applies across 18 critical sectors. This framework helps the EU and Member States identify and mitigate risks while balancing security with economic impact.
Tackling high-risk suppliers
The revised Act puts special focus on reducing exposure to high-risk third-country suppliers, particularly in mobile telecoms. Building on the 5G security toolbox, the EU will now enforce mandatory measures against risky vendors, shifting from voluntary guidance to enforceable action.
Faster, simpler cybersecurity certification
The overhaul also updates the European Cybersecurity Certification Framework (ECCF). Certification schemes will now be developed within 12 months, replacing slower, complex processes.
ENISA will manage the framework, ensuring transparency and stakeholder involvement. Certification will remain voluntary but practical, allowing businesses to show compliance while reducing administrative costs. Beyond products, organisations can certify their overall cyber posture, boosting trust in complex supply chains.
For businesses, ECCF provides a competitive edge. For consumers and public authorities, it ensures security and reliability.
Reducing red tape and clarifying compliance
Alongside the Act, the Commission proposes changes to the NIS2 Directive. These aim to ease compliance for roughly 28,700 companies, including over 6,000 micro and small firms. A new category for small mid-cap enterprises will cut costs for another 22,500 companies.
Amendments clarify jurisdiction, streamline ransomware reporting, and improve oversight of cross-border entities. ENISA will take a stronger coordinating role. These measures complement the single entry point for incident reporting proposed under the Digital Omnibus.
ENISA takes a central role
Since 2019, ENISA has been central to Europe’s cyber defense. The revised Act expands its mandate, letting the agency issue early warnings, support ransomware responses, and improve vulnerability management.
ENISA will also work with Europol and national response teams to help organisations recover from major incidents. Beyond immediate crises, the agency plans a Cybersecurity Skills Academy and EU-wide skills attestation schemes to address the talent gap.
A more resilient Europe
Once approved by the European Parliament and Council, the revised Cybersecurity Act will take effect immediately. Member States will have one year to adopt the NIS2 amendments into national law.
The overhaul represents Europe’s most ambitious effort yet to secure its digital future. By turning resilience, trust, and coordination into strategic assets, the EU aims to strengthen cybersecurity for citizens, businesses, and critical infrastructure.
