New Cybersecurity Package strengthens EU cyber resilience and capabilities, addresses security risks
Cyber or hybrid attacks on essential services such as hospitals or transport, and on democratic institutions, are increasingly a feature of the current landscape. The 2024 ENISA "Public Administration Threat Landscape" notes a surge in data-related incidents in the second half of 2024 and acknowledges the growing rate of ransomware directed against public administration bodies.
According to ENISA's 2025 Threat Landscape, phishing remains the main method used for intrusion and an effective technique to steal credentials or bank details. Large Language Models (LLMs) are put to work to craft more convincing phishing emails, with reportedly over 80% of all phishing emails identified between September 2024 and February using AI to some extent.
On 19 January 2026, the European Commission put forward a new cybersecurity package to further strengthen the EU's cybersecurity resilience and capabilities against the backdrop of these growing threats. The new package sets out to revise the Cybersecurity Act and make it fit for purpose, so that it reflects the numerous changes in the threat landscape since its adoption back in 2019.
Some figures on today's cyber threat landscape
The figure below illustrates some key figures and trends around cybersecurity according to the new Cybersecurity Package Factsheet.

The figure below shows the incident reports submitted per sector, comparing 2021, 2022, 2023 and 2024, as part of the annual summaries about the national incident reporting sent by the Member States to the NIS Cooperation Group (NIS CG), described in the Annual report NIS Directive incidents 2024.

The new Cybersecurity Package: wrapping up loose ends
The package includes a proposal for a revised Cybersecurity Act, which enhances the security of the EU's Information and Communication Technologies (ICT) supply chains. It ensures that products reaching EU citizens are cyber-secure by design, simplifying the cumbersome certification process. It also makes compliance with existing EU cybersecurity rules easier, and reinforces the EU Agency for Cybersecurity (ENISA) in supporting Member States and the EU in managing cybersecurity threats.
The revised Cybersecurity Act will ensure that products and services reaching EU consumers are tested for security in a more efficient way. This will be done through a renewed European Cybersecurity Certification Framework (ECCF), and amendments to the NIS2 Directive (the EU legal framework that reinforces cybersecurity rules to better protect essential services and digital infrastructure across Europe from cyber threats).
"A win-win scenario": stronger security, less bureaucracy
The proposed changes to the NIS2 Directive are meant to make the rules clearer and easier to follow. They would reduce compliance obligations for around 28,700 companies, including 6,200 micro and small businesses. The changes also create a new category for small mid-cap companies, which would lower compliance costs for another 22,500 firms.
There is more. Proposed updates to the ECCF aim to ensure products and services from all over the world are tested for security before reaching European consumers. This means more clarity, harmonised rules, and facilitated procedures to develop schemes - by default, within 12 months. Proposed amendments will also introduce more agile and transparent overall governance to improve stakeholder involvement through public information and consultation.
Boosting the security of ICT supply chains throughout Europe: the task ahead
Recent cybersecurity incidents have highlighted the large-scale implications that vulnerabilities in ICT supply chains pose. The result? An increasingly accepted realisation that without strong and secure ICT supply chains, critical services, infrastructure and even sectors incur costly damages, or grind to a halt. In today's geopolitical landscape, supply chain security is no longer just about technical product or service security, but also about risks related to a supplier, particularly dependencies and foreign interference.
The new Cybersecurity Act aims to reduce risks in the EU's ICT supply chain from third-country suppliers with cybersecurity concerns. It sets out a trusted ICT supply chain security framework based on a harmonised, proportionate and risk-based approach. This will enable the EU and Member States to jointly identify and mitigate risks across critical sectors for the European economy, also taking into account economic impact and market supply.
Further reading
- Press release, 20 January 2026: Commission strengthens EU cybersecurity resilience and capabilities.
- Proposal for a Regulation for the EU Cybersecurity Act, European Commission.
- Cybersecurity Package: Questions and Answers, Commission document.
- Factsheet: new Cybersecurity Package (a 2-page brochure).
- Proposal for a Directive as regards simplification measures and alignment with the Cybersecurity Act (i.e. amendments to the NIS2 Directive).