
EU cybersecurity reboot: Practical impacts of the proposed NIS2 and CSA2 reforms

Cybersecurity law is no longer treated as a purely technical compliance exercise, but increasingly as a matter of enterprise risk management and corporate governance.


Contributors:

Natallia Karniyevich

Partner, Cybersecurity

McDermott Will & Schulte

Müge Fazlioglu

CIPP/E, CIPP/US

Principal Researcher, Privacy Law and Policy

IAPP

The speed with which the cybersecurity threat landscape is evolving all but necessitates that regulations strive to keep up. Indeed, just as companies are gearing up for full NIS2 transposition and implementation, EU cybersecurity rules are expected to change again. On 20 Jan. 2026, the European Commission presented a new EU cybersecurity package that combines a proposed overhaul of the Cybersecurity Act with targeted amendments to the NIS2 Directive. 

The goals are straightforward: strengthen the EU's cyber resilience, cut regulatory fragmentation and more effectively address growing ICT supply chain risks. While the NIS2 changes focus on legal certainty and smoother compliance, the CSA2 overhaul signals a bigger shift by turning cybersecurity certification from a voluntary quality label into a core compliance and risk-management tool.

Both proposals now move into trilogue negotiations with political agreement targeted for early 2027. Once adopted, CSA2 will apply directly across the EU while member states will have one year to transpose the NIS2 changes. Notably, these proposals come on the heels of the Digital Omnibus, which provides its own package of cybersecurity reform aimed at regulatory simplification and the reduction of administrative burdens.

Proposed NIS2 amendments

At first glance, the NIS2 changes are about simplification. In practice, they sharpen legal certainty and convergence while NIS2 remains a minimum-harmonization framework.

Where the scope shifts
