EU cybersecurity reboot: Practical impacts of the proposed NIS2 and CSA2 reforms

Cybersecurity law is no longer treated as a purely technical compliance exercise, but increasingly as a matter of enterprise risk management and corporate governance.

Contributors:

Natallia Karniyevich

Partner, Cybersecurity

McDermott Will & Schulte

Müge Fazlioglu

CIPP/E, CIPP/US

Principal Researcher, Privacy Law and Policy

IAPP

The speed with which the cybersecurity threat landscape is evolving all but necessitates that regulations strive to keep up. Indeed, just as companies are gearing up for full NIS2 transposition and implementation, EU cybersecurity rules are expected to change again. On 20 Jan. 2026, the European Commission presented a new EU cybersecurity package that combines a proposed overhaul of the Cybersecurity Act with targeted amendments to the NIS2 Directive. 

The goals are straightforward: strengthen the EU's cyber resilience, cut regulatory fragmentation and more effectively address growing ICT supply chain risks. While the NIS2 changes focus on legal certainty and smoother compliance, the CSA2 overhaul signals a bigger shift by turning cybersecurity certification from a voluntary quality label into a core compliance and risk-management tool.

Both proposals now move into trilogue negotiations with political agreement targeted for early 2027. Once adopted, CSA2 will apply directly across the EU while member states will have one year to transpose the NIS2 changes. Notably, these proposals come on the heels of the Digital Omnibus, which provides its own package of cybersecurity reform aimed at regulatory simplification and the reduction of administrative burdens.

Proposed NIS2 amendments

At first glance, the NIS2 changes are about simplification. In practice, they sharpen legal certainty and convergence while NIS2 remains a minimum-harmonization framework.

Where the scope shifts

Much of the change lies in the details. Scope-related clarifications and thresholds — such as a generation-capacity threshold for electricity producers — aim to make the scope of NIS2 easier to assess. At the same time, coverage expands to new actors, including providers of the proposed European Business Wallets and operators of strategic dual-use infrastructures. A new "small mid-cap enterprise" category fine-tunes classification with most entities falling under the lighter "important" tier, easing supervisory pressure. Cross-border operators may welcome the push for greater consistency across member states while companies near today's thresholds could see their classification shift.

The EU representative requirement also widens under the proposed NIS2 amendments. All essential and important non-EU entities offering services in the EU would need to appoint an EU-based representative. As a rule, supervision would sit with the member state where the representative is established, although communications providers would remain tied to their operational member state(s). In practice, this would broaden compliance obligations for cross-border businesses, especially for those in the telecommunications and electronic communications sectors, which were not previously subject to the EU representative requirement.

Pushing EU-wide convergence

The amendments strengthen the role of EU-level implementing acts. Once the Commission sets technical, methodological or sectoral risk-management measures under Article 21(5) through an implementing act, member states can no longer add national layers. In practice, this pulls core cybersecurity controls up to EU level, making compliance more predictable for cross-border organizations.

At the EU level, ransomware reporting is set to become more standardized with expanded data collection on incidents, attack vectors and mitigation measures. For companies, this is likely to translate into more extensive reporting obligations with incident-response playbooks increasingly shaped by EU-level processes.

Post-quantum cryptography will also become part of national cybersecurity planning. Member states will need to plan the transition in line with EU timelines — 2030 for critical use cases and 2035 for lower-risk ones — turning post-quantum cryptography into a near-term planning issue for organizations with long-lived systems or encrypted data. 

Smoothing the compliance path

Cybersecurity certification is set to become a compliance tool. Under the NIS2-CSA2 alignment, EU certifications — including future entity-level schemes — can be used to show compliance with NIS2 risk-management duties. Where certification applies, additional security audits fall away, helping multinational organizations avoid duplicative oversight.

Supply-chain security will also get a more practical reset. The Commission acknowledges that NIS2 has triggered inconsistent and burdensome supplier questionnaires cascading through supply chains. New EU-level guidance on what can be asked and how is meant to standardize expectations, easing supplier due diligence and reducing pressure on out-of-scope vendors.

Proposed CSA2 revision

By boosting the uptake of EU certification and giving the EU stronger tools to manage strategic information and communication technology risks, CSA2 makes the Cybersecurity Act more effective.

ENISA's revised mandate

The European Union Agency for Cybersecurity moves from a largely advisory role into an operational one. Its guidance, tools and certification work will increasingly shape how national authorities act in practice, bringing more predictability and higher expectations to governance maturity and operational readiness.

Certification as compliance currency

Certification moves from a nice-to-have to a genuine compliance and market-access tool. CSA2 strengthens the European Cybersecurity Certification Framework and expands it to cover an entity's overall "cyber posture." While certification remains voluntary, unless otherwise specified in EU or national law, presumption-of-conformity mechanisms mean it will increasingly matter in regulated sectors and public procurement.

The EU's new grip on ICT supply chains 

CSA2 marks a clear shift in how the EU approaches ICT supply-chain security. The focus moves beyond technical vulnerabilities to non-technical risks such as jurisdictional exposure of the supplier in sectors of high criticality and other critical sectors covered by NIS2.

At the center of CSA2 sits a new EU-level "trusted ICT supply chain framework." It allows coordinated security risk assessments to be triggered either by the Commission or by at least three member states with the NIS Cooperation Group playing a key role. These assessments are meant to identify key ICT assets, analyze threat actors and risk scenarios, and propose mitigation measures — typically within six months or more promptly in urgent cases.

Based on these assessments, the Commission may formally identify key ICT assets, designate third countries as posing cybersecurity concerns and flag high-risk suppliers. This is where CSA2 moves from mapping to action. To mitigate risks identified in the security assessments, the Commission can impose binding mitigation measures through implementing acts — from transparency requirements to prohibitions related to data transfers and restrictions related to operational control. In more severe cases, this may extend to prohibiting the use of ICT components from high-risk suppliers in key ICT assets combined with phase-out periods.

This marks a real shift for businesses. Supply-chain security becomes a matter of regulatory control, not just contractual due diligence. Certain suppliers or components may become restricted or unavailable, directly affecting IT architecture and sourcing strategies while making robust asset mapping, exit planning and diversification a baseline requirement. Limited exemptions are possible, but they are tightly conditioned, time-bound and publicly recorded, making them a last resort rather than a safety net.

For electronic communications networks, CSA2 would deliver the clearest and fastest impact. It mandates the phase-out of components from high-risk suppliers within fixed timelines with significant knock-on effects for procurement and service continuity.

Further convergence under the Digital Omnibus

The proposed changes in the EU's Digital Omnibus are likely to drive further EU-wide convergence in cybersecurity obligations. To ease administrative burdens on data controllers and supervisory authorities, the Digital Omnibus aligns the EU General Data Protection Regulation's definition of "high-risk" data breaches and creates a single EU-level entry point for compliance with incident-reporting obligations spread across numerous pieces of EU legislation.

Under Articles 33 and 34 of the GDPR, respectively, different thresholds apply for reporting personal data breaches to the competent supervisory authority and to the data subject. The Digital Omnibus would eliminate this discrepancy by creating a single high-risk threshold for reporting breaches of personal data to both the competent supervisory authority and data subjects, and would extend the reporting deadline to 96 hours after becoming aware of the breach, with the notification submitted via a single entry point.

Indeed, the single-entry point for reporting data breaches and significant incidents proposed by the Omnibus seeks to streamline obligations under various laws, including the GDPR, NIS2 Directive, Digital Operational Resilience Act and the Critical Entities Resilience Directive. 

Furthermore, under the Omnibus, the European Data Protection Board would prepare guidance on this EU-wide portal, including the provision of a template for notifying data breaches to the competent supervisory authority. The EDPB would also publish a list of common circumstances in which a data breach is likely to pose a risk to the fundamental rights and freedoms of a natural person and thus meet the reporting threshold. Again, the goal of this would be twofold: to reduce administrative burdens on controllers for not having to report breaches that are low risk to data subjects and to free up supervisory authorities to focus more resources on high-risk data breaches.

Recommended next steps for companies

Taken together, the proposed NIS2 amendments and CSA2 signal a clear shift in EU cybersecurity law away from fragmented national implementation and towards greater coordination and more harmonized supervision. Cybersecurity is no longer treated as a purely technical compliance exercise, but increasingly as a matter of enterprise risk management and corporate governance.

For now, the key is to keep a close eye on the legislative process. Core elements, like scope, EU-level measures and certification, are still evolving. Companies that engage early will be best placed to adapt once the final framework is set.
