EU Cybersecurity Act Revision – COM(2026) 11: What Changes and Why It Matters


February 05, 2026

On 20 January 2026, the European Commission published a proposal to revise the EU Cybersecurity Act: COM(2026) 11 – Proposal for a Regulation for the EU Cybersecurity Act. The proposal is part of a broader EU "cybersecurity package" aimed at strengthening Europe's resilience and capabilities, reducing fragmentation in the digital single market, and addressing ICT supply-chain security as a strategic risk.

What the proposal aims to achieve

According to the Commission's description of the initiative, the revised Cybersecurity Act is intended to: (1) improve the security of EU ICT supply chains, (2) ensure that products and services reaching EU citizens are "cyber-secure by design" through a simpler certification process, (3) facilitate compliance with existing EU cybersecurity rules, and (4) reinforce ENISA in supporting Member States and the EU in managing cybersecurity threats. See the Commission's library entry and the cybersecurity package press page for the official framing.

Key policy pillars (high-level)

The Commission's Q&A on the cybersecurity package outlines four core building blocks associated with the proposal: a horizontal framework to address ICT supply-chain security challenges (including strategic dependency and foreign interference risks), a simplified and enhanced European Cybersecurity Certification Framework (ECCF), simplification measures linked to the implementation of NIS2, and a strengthened mandate/capacity for ENISA.

What changes could matter most for organizations

While the legislative text should be used as the definitive reference, the Commission's published materials emphasize several practical implications for organizations operating in the EU:

  • Supply-chain risk governance becomes more explicit: the proposal frames ICT supply-chain security as a cross-cutting requirement, enabling coordinated EU/Member State approaches to manage strategic risks in critical ICT supply chains. (See the Q&A for the Commission's explanation.)
  • Certification as a compliance accelerator: the Commission indicates that certification under the enhanced ECCF is intended to help demonstrate compliance across EU cybersecurity obligations (e.g., providing "compliance tools" and reducing administrative burden). (See the ECCF page and Q&A.)
  • Faster, clearer scheme development: the Commission materials state that, as a rule, ENISA would develop a candidate scheme within one year following a Commission request, aiming to make certification more predictable and timely. (See the Q&A.)
  • ENISA capacity and resources: the Q&A describes an intent to reinforce ENISA's role in operational cooperation, situational awareness, standards/certification support, and ransomware mitigation support. (See the Q&A.)

For organizations already managing NIS2 compliance or DORA compliance, the certification simplification could reduce evidence duplication. A Virtual CISO engagement can help map existing controls to the emerging certification framework.

How this interacts with other EU initiatives

The Commission explicitly positions the proposal within a wider policy context, including initiatives intended to simplify cybersecurity implementation and reporting. For example, the Q&A references the Digital Omnibus and the "single-entry point" approach for incident reporting.

Downloads and annexes (Commission-published package)

The Commission's proposal page provides direct links to the main proposal, annexes, and impact assessment documents:

  • COM(2026) 11 – Proposal for a Regulation for the EU Cybersecurity Act: Download
  • COM(2026) 11 – Annexes to the proposal: Download
  • Impact Assessment – Proposal for a Regulation for the EU Cybersecurity Act: Download
  • Summary of the Impact Assessment: Download

Additional Commission attachments related to the same initiative (ENISA & ECCF evaluation)

Alongside the legislative proposal, the Commission published an evaluation of ENISA and the ECCF, accompanied by a staff working document and a supporting study (with summary and annexes). These materials are useful to understand the policy rationale, evidence base, and areas identified for improvement.

Note: this is a proposal and will follow the EU legislative process (European Parliament + Council). For implementation planning, focus on gap assessments, supply-chain risk governance, certification readiness, and ENISA/ECCF developments.
