Cybersecurity Monthly Report – January 2026 (Italy, EU, Global)



January 31, 2026

January 2026 was a pivotal month for European cybersecurity, marked by a major EU cybersecurity package (a revision of the Cybersecurity Act, often referred to as "Cybersecurity Act 2" in commentary) and targeted amendments to NIS2. At the same time, regulators and supervisors continued to operationalize DORA (applicable since January 2025) through practical supervisory expectations and reporting and measurement guidance. This report highlights what matters most for organizations operating in Italy and across the EU: regulatory direction, compliance simplification, supply-chain risk controls, and actionable priorities for security and governance teams.

1) EU cybersecurity package (20 January 2026): Cybersecurity Act revision + targeted NIS2 amendments

On 20 January 2026, the European Commission published a new cybersecurity package built around two legislative proposals:

  • A proposal to revise the EU Cybersecurity Act (the 2019 framework that underpins EU-wide cybersecurity certification).
  • A proposal to amend NIS2 through targeted "simplification and alignment" measures, aiming to reduce complexity and improve cross-border supervision.

From a governance and compliance standpoint, the package is best understood as an attempt to:

  • Increase legal clarity (especially for cross-border entities) and reduce fragmentation in enforcement.
  • Use certification more effectively as a compliance tool, lowering the burden for organizations subject to multiple EU cyber obligations.
  • Strengthen supply-chain and "high-risk supplier" risk management, including the ability to de-risk telecom networks in alignment with the EU 5G security toolbox approach.

2) What the NIS2 "simplification" direction signals for 2026 programs

The Commission's NIS2 amendment proposal explicitly frames its intent as increasing legal clarity, streamlining data collection (including ransomware-related data), and facilitating supervision of cross-border entities, with a reinforced coordinating role for ENISA. In practice, this pushes organizations toward "audit-ready" evidence that can be reused across obligations, rather than parallel compliance tracks.

Practical implications for organizations (Italy and EU-wide):

  • Cross-border governance: ensure you can clearly demonstrate jurisdiction, competent authority mapping, and accountability for group-wide controls.
  • Reusable evidence: align control catalogs (policies, logs, testing artifacts) so the same evidence supports NIS2, sectoral rules, and procurement requirements.
  • Supply-chain controls: enhance vendor/ICT service governance and be prepared for deeper scrutiny on "high-risk supplier" exposure.

3) DORA in 2026: supervision deepens, metrics and reporting maturity become differentiators

While DORA became applicable in January 2025, January 2026 is characterized by a shift from "readiness projects" to supervisory maturity: financial entities are expected to show operationalized processes (not just documentation) for ICT risk management, incident handling, resilience testing, and ICT third-party oversight.

What this means for financial organizations in 2026:

  • Incident economics (cost/loss measurement) becomes part of the compliance conversation—improving the quality of impact estimation and reporting readiness.
  • Third-party oversight must be demonstrable: inventory completeness, criticality tiers, contractual controls, monitoring, and exit strategies should be routinely tested.
  • Resilience testing should be credible and risk-based (covering critical services, realistic threat models, and remediation verification).

4) Threat & vulnerability priorities: edge/perimeter remains the strategic battleground

January 2026 continues the pattern seen across recent years: edge systems (VPN gateways, remote access, security appliances) remain high-value targets because they sit at the boundary of trust and are often exposed to the internet. Active exploitation alerts affecting widely deployed products repeatedly drive urgent patch/mitigation cycles.

Operational actions to prioritize:

  • Internet-facing inventory: continuously track exposed services (VPN, portals, DNS, remote management), including shadow IT.
  • Risk-based patching: accelerate remediation for vulnerabilities with exploitation signals; validate compensating controls where patching is constrained.
  • Post-patch verification: confirm effective mitigation and hunt for indicators of compromise around edge systems.

5) Sector signal: healthcare remains a top ransomware pressure point

Healthcare-focused intelligence-sharing communities continue to emphasize ransomware, supply-chain exposure, and AI-driven techniques as major drivers of risk. While every organization's threat model differs, the sector's experience remains a strong proxy for "high-impact" disruption scenarios, useful for resilience and crisis planning across critical services.

6) Governance takeaways for January 2026: what boards and executives should ask for

January 2026 reinforces a simple message: the EU is converging toward a cybersecurity model where compliance is operational and supply-chain risk is treated as a strategic vulnerability—not an afterthought. For boards and senior executives, the focus should be on the few "proof points" that regulators and incident reality will test:

  • Evidence of operational resilience: tested incident response, recovery objectives, and credible exercises.
  • Vendor and cloud control: demonstrable third-party governance, including exit strategies and monitoring.
  • Exposure reduction: measurable improvements in internet-facing attack surface management and edge patch velocity.
  • Metrics that matter: MTTD/MTTR, time-to-patch for exploited vulnerabilities, and incident cost/loss estimation maturity (DORA).
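To make the risk-based patching priority from section 4 and the time-to-patch and SLA metrics listed above concrete, here is a small added Python example; it is not code from the report or from any regulator, and the asset names, vulnerability ids, tier rules and SLA values are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional
SLA_DAYS = {1: 3, 2: 14, 3: 30}  # assumed per-tier remediation SLAs (illustrative, not regulatory)

@dataclass
class Finding:
    asset: str
    vuln_id: str               # constructed placeholder ids, not real CVE numbers
    internet_facing: bool
    edge_device: bool          # VPN gateway, remote access, security appliance
    exploited: bool            # exploitation signal, e.g. named in an active-exploitation alert
    disclosed: date
    patched: Optional[date] = None  # None while the finding is still open

def priority_tier(f: Finding) -> int:
    """Tier 1: exploited and internet-facing; tier 2: any single risk factor; tier 3: the rest."""
    if f.exploited and f.internet_facing:
        return 1
    if f.exploited or f.internet_facing or f.edge_device:
        return 2
    return 3

def time_to_patch(f: Finding, today: date) -> int:
    """Days from disclosure to patch, or days open so far if still unpatched."""
    return ((f.patched or today) - f.disclosed).days

def patch_queue(findings, today):
    """Open findings ordered by tier, then by longest time open (oldest first within a tier)."""
    open_items = [f for f in findings if f.patched is None]
    return sorted(open_items, key=lambda f: (priority_tier(f), -time_to_patch(f, today)))

def exploited_metrics(findings, today):
    """Board-level view: median time-to-patch for exploited vulns, and tier-1 items past SLA."""
    ttp = [time_to_patch(f, today) for f in findings if f.exploited and f.patched]
    overdue = [f"{f.vuln_id}@{f.asset}" for f in findings if f.patched is None
               and priority_tier(f) == 1 and time_to_patch(f, today) > SLA_DAYS[1]]
    return {"median_ttp_exploited_days": median(ttp) if ttp else None,
            "tier1_overdue": overdue}

TODAY = date(2026, 1, 31)  # constructed sample inventory below: not real assets or findings
SAMPLE = [
    Finding("vpn-gw-01", "VULN-A", True, True, True, date(2026, 1, 20)),
    Finding("vpn-gw-02", "VULN-A", True, True, True, date(2026, 1, 20), date(2026, 1, 22)),
    Finding("fw-dmz-01", "VULN-B", True, True, False, date(2026, 1, 5)),
    Finding("hr-app-03", "VULN-C", False, False, True, date(2026, 1, 10), date(2026, 1, 18)),
    Finding("intranet-wiki", "VULN-D", False, False, False, date(2025, 12, 1)),
]
```

Running `patch_queue(SAMPLE, TODAY)` puts the exploited, internet-facing VPN gateway first, and `exploited_metrics` flags it as a tier-1 SLA breach while reporting the median time-to-patch of the exploited findings that were already fixed.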
