Digital Infrastructure

NEW CYBERSECURITY PACKAGE

The European Commission is seeking feedback until 12 May 2026 on the proposal for a Cybersecurity Act 2 and a Directive to amend Directive (EU) 2022/2555 (“NIS 2”).

Cybersecurity Act 2

The proposed Cybersecurity Act 2 would, if adopted, repeal Regulation (EU) 2019/881 (the “Cybersecurity Act”) while expanding the existing EU cybersecurity framework. It seeks to clarify and strengthen the mandate of the EU Agency for Cybersecurity (“ENISA”), including by reinforcing its operational coordination role and its responsibilities in relation to the European Cybersecurity Certification Framework (the “ECCF”). It sets out a trusted ICT supply chain security framework to enable the EU and Member States to jointly identify and mitigate risks across the EU’s 18 critical sectors.

NIS 2 amendments

The proposed Directive amending the NIS 2 would introduce amendments aimed at simplifying compliance, enhancing legal certainty while aligning with the revised Cybersecurity Act. It is intended to facilitate the use of European cybersecurity certification schemes developed within the ECCF framework as a recognised means of supporting compliance with certain NIS 2 risk-management and security obligations.

The proposed amendments also refine the scope of NIS2, to include classifying providers of European Business Wallets and European Digital Identity Wallets as essential entities, regardless of their size, and removing micro- and small-sized Domain Name System service providers from scope. A new category of “small midcap enterprises” is proposed to be introduced, which would be classified as important rather than essential entities in order to reduce supervisory and compliance burdens. Notably, the proposal would require the Commission to adopt guidance on the application of NIS 2 supply-chain security risk-management requirements, with a view to ensuring consistent and proportionate expectations for suppliers across the internal market.