With a new cybersecurity package (Cybersecurity Act 2), Brussels wants to take cybersecurity in the EU to a new level: mandatory certifications, stricter supervision and a stronger ENISA are intended to make the digital single market resilient to current and future threats. The requirements for companies under the NIS 2 Directive are also under review.
On 20 January 2026, the EU Commission presented a proposal for a comprehensive reform of the existing Cybersecurity Act. The aim is to further significantly increase the level of security in the European digital single market and to overcome the fragmentation of existing requirements. Against the backdrop of increasing threats – from state attacks and cybercrime to risks posed by artificial intelligence and cloud services – the legal requirements are to be updated and harmonised.
The core objectives of the proposal are:
- Mandatory cybersecurity certification: Mandatory certification of products, services and processes intended for the European market.
- Strengthening the European Cybersecurity Agency (ENISA): Expanded tasks for coordination, monitoring and technical support.
- Effective enforcement and market surveillance: Improved traceability, uniform controls and stricter supervision by central authorities.
- Technological adaptability: Flexible regulation that addresses forward-looking technologies such as AI, quantum computing and highly critical cloud offerings.
Key regulatory content
The proposal provides for far-reaching changes to the current legal situation:
- Mandatory certification: Cybersecurity certificates will become mandatory for selected IT products and services. The European Commission will determine the areas in which the requirements will apply.
- Expanded powers for ENISA: The agency will be expanded to become the central coordination point for certification, supervision and support for Member States.
- Harmonisation of processes: Introduction of a “one-stop shop” principle for the recognition and monitoring of certificates throughout the EU.
- Consideration of new technologies: Protection measures and certification requirements will be dynamically developed to reflect progress in areas such as AI, IoT and cloud computing.
Impact on the NIS 2 Directive
A key element of the Commission’s proposal is the direct adaptation and further development of the NIS 2 Directive. Its main points are:
- Closer integration with certification processes: The previously separate requirements for risk management and technical protective measures will be integrated into uniform procedures in future.
- New compliance obligations: In future, operators of essential and important services will not only have to implement the requirements of NIS 2, but also provide evidence of mandatory cybersecurity certifications.
- Uniform testing and reporting system: The harmonisation of certification and NIS 2 obligations will make the verification and monitoring system more transparent for companies, but also significantly stricter.
Conclusion
With the Cybersecurity Act 2, Europe is facing a paradigm shift in IT security law. For companies, this means more regulations, higher certification requirements and stricter supervision.