The European Commission has proposed a revised EU Cybersecurity Act that it said is designed to strengthen the security of EU ICT supply chains, simplify EU-wide cybersecurity certification, introduce targeted amendments to NIS2 to simplify compliance and increase legal clarity, and reinforce the role of the EU cybersecurity agency ENISA.

Trusted ICT supply chain framework and high-risk suppliers

In its Q&A on the package, the Commission said the proposal would set up a “horizontal framework for trusted ICT supply chain security,” aimed at letting the EU and member states act together on “strategic risks of undue foreign interference and critical dependencies” in critical ICT supply chains using “targeted and proportionate measures.”

The Commission said the approach is intended to reduce risks in the EU’s ICT supply chain “from third-country suppliers with cybersecurity concerns,” and it framed supply chain security as including not only technical product security but also risks related to suppliers, including “dependencies and foreign interference.”

The Commission said the revised Act would introduce measures to phase out reliance on high-risk suppliers for critical network assets.

Separately, the Commission’s cybersecurity policy page describes the existing EU “5G Toolbox” work as setting out measures to strengthen security requirements for 5G networks, including applying “relevant restrictions for high-risk suppliers” and ensuring supplier diversification, based on an EU-wide coordinated risk assessment developed by member states with the Commission and ENISA.

Faster certification, broader scope, and an explicit phase-out link for 5G

On certification, the Commission said the revised European Cybersecurity Certification Framework would clarify and extend scope so that, alongside ICT products, services and processes, “managed security services” and “the cyber posture of entities” could be certified.

The Commission said certificates for an entity’s cyber posture could be used to “demonstrate compliance” and obtain a “presumption of conformity” with NIS2 and other EU legislation.

On timing, the Commission said the proposal would define legal timelines for developing schemes, adding that, following a Commission request, ENISA shall develop a candidate scheme within one year. ENISA will also be responsible for maintaining schemes as the scheme manager.

In its state-of-play section, the Commission said the EU adopted the EUCC (Common Criteria-based) scheme in 2024 as a first scheme; it said schemes for European Digital Identity Wallets and managed security services “could be adopted soon,” and that work on cloud services (EUCS) and 5G (EU5G) is expected to resume.

On 5G specifically, the Commission said the “new Cybersecurity Act provides for a phase-out of high-risk suppliers from mobile networks,” adding that conformity assessment bodies would not be able to certify products or services from those suppliers.

NIS2 simplification measures and ENISA’s expanded resourcing

The Commission said the Jan. 20 package also includes targeted amendments to NIS2 intended to increase legal clarity and reduce administrative burden, including simplifying jurisdictional rules, streamlining ransomware data collection, and facilitating supervision of cross-border entities with an expanded coordinating role for ENISA.

In its Q&A, the Commission said these NIS2 changes are expected to remove compliance burden for 28,700 companies (including 6,200 micro and small-sized enterprises) and, via a new “small mid-cap” category, reduce compliance costs for 22,500 companies.

The Commission also said the proposal would reinforce ENISA’s role across operational cooperation, situational awareness, standards and certification, and support for ransomware mitigation measures, and that the package aims to increase ENISA’s budget by “more than 75%,” with member states designating two liaison officers each to support operational cooperation and information exchange.

Industry reaction and risk-investment context

Industry groups and vendors said the package addresses sovereignty-related supply chain concerns and aims to streamline compliance and certification.

NCC Group said it welcomed the Commission’s push to align NIS2, the Cyber Resilience Act and EU certification schemes, arguing that “clearer, coherent rules” can help organizations manage threats “without duplicating compliance,” and that strengthening supply chain assurance on “transparent, technical, EU wide criteria,” alongside incident preparedness and intelligence sharing, would “lift resilience.”

Tim Pfaelzer, SVP and General Manager EMEA at Veeam, said the proposed revisions “come at a pivotal moment,” adding that measures to “restrict or even phase out” third-country “high-risk” vendors underscore how central “sovereignty” has become. He also pointed to efforts to “simplify security testing and certification processes and clarify jurisdictional rules,” saying complexity is often the biggest barrier for organisations.

Separately, PwC’s 2026 Global Digital Trust Insights findings say geopolitical risk is shaping strategy, with 60% of business and technology leaders ranking cyber risk investment among their top three strategic priorities in response to geopolitical uncertainty.
