On 20 January 2026, the European Commission presented the draft updated Cybersecurity Regulation — Cybersecurity Act 2 (CSA2). The proposal fundamentally revises ENISA’s mandate, reboots the European cybersecurity certification system and introduces an EU‑wide framework for managing risks in ICT supply chains.
1. Rationale and Overall Logic of CSA2
Since the first Cybersecurity Act was adopted in 2019, both the cyber threat landscape and the regulatory context have changed significantly. Key drivers include:
- a sharp increase in the volume and sophistication of attacks, including against critical infrastructure and supply chains, with ransomware remaining a core threat vector;
- the impact of AI and quantum technologies on both defensive capabilities and attack models;
- accumulation of EU cybersecurity instruments (NIS2, CRA, DORA, Cyber Solidarity Act, etc.), which has amplified overlaps and fragmentation of requirements;
- slow and limited practical uptake of the European Cybersecurity Certification Framework (ECCF);
- growing geopolitical and “non‑technical” risks in ICT supply chains.
Against this background, CSA2 formulates two overarching objectives:
- To enhance the EU’s cyber resilience and incident preparedness.
- To reduce single market fragmentation through common instruments (certification, supply‑chain risk frameworks, etc.).
2. ENISA’s New Mandate
Under CSA2, ENISA evolves from a predominantly analytical agency into a comprehensive competence and operational support centre for Member States and EU institutions.
2.1. Main Areas of Activity
The regulation consolidates four core workstreams for ENISA:
- Support for Policy and Legislation Implementation
  - development of technical guidance, recommendations and best practices for NIS2, CRA, Cyber Solidarity Act and other instruments;
  - assessment of the state of cybersecurity in the Union and support to national competent authorities.
- Operational Cooperation and Situational Awareness
  - secretariat functions for the CSIRTs Network and EU‑CyCLONe;
  - development of repositories of verified cyber threat intelligence and regular technical situation reports on threat trends;
  - early warnings on significant and cross‑border incidents, particularly in sectors listed in NIS2 Annexes I and II.
- Cybersecurity Certification and Standardisation
  - preparation, maintenance and review of European cybersecurity certification schemes;
  - drafting of technical specifications and participation in European and international standardisation, including in post‑quantum cryptography.
- Skills and Competences
  - support and regular updating of the European Cybersecurity Skills Framework (ECSF);
  - development and maintenance of schemes for individual cybersecurity skills attestations and authorisation of attestation providers.
2.2. Resources and Funding
To deliver on its extended mandate, ENISA will be significantly reinforced:
- an indicative budget of about EUR 341 million for 2028–2034 (average c. EUR 49 million per year, an increase of 81.5% compared with 2025);
- an additional 118 FTEs for the agency;
- introduction of fee mechanisms for: authorisation of skills attestation providers, participation of conformity assessment bodies in certification schemes, and use of ENISA testing tools.
3. Reform of the European Cybersecurity Certification Framework (ECCF)
Under CSA2, ECCF is intended to become a practical tool for the market and regulators rather than a purely formal framework.
3.1. Processes and Governance
The reform provides for:
- an annual European Cybersecurity Certification Assembly to define priorities for new schemes;
- a public roadmap and status updates for schemes on a dedicated Commission website;
- strict timelines for ENISA to develop candidate schemes (as a rule, 12 months from the Commission’s request);
- a mandatory maintenance strategy for each scheme, including mechanisms to reflect new threats, standards and stakeholder feedback;
- regular effectiveness assessments of schemes (at least every four years) and the possibility of their revision or repeal.
3.2. Certification of Organisations’ Cyber Posture
A noteworthy innovation is that ECCF can now cover not only products, services and processes, but also organisational cyber posture.
- Such schemes may be aligned with requirements in other legal acts (e.g. NIS2, GDPR), providing a presumption of conformity.
- This creates a basis for using certification as a unified proof of compliance with several regulatory regimes simultaneously.
4. Trusted ICT Supply Chain Framework and High‑Risk Suppliers
CSA2 introduces a horizontal mechanism for managing non‑technical risks in ICT supply chains for the types of entities listed in NIS2 Annexes I and II.
4.1. Coordinated Risk Assessments and Key Assets
The framework envisages:
- EU‑level coordinated risk assessments of specific ICT supply chains, initiated by the Commission or by a group of Member States;
- development of risk scenarios and mitigation measures within the NIS Cooperation Group;
- identification via Commission implementing acts of key ICT assets critical for service provision.
4.2. Countries Posing Cybersecurity Concerns and High‑Risk Suppliers
The Commission is empowered to:
- assess third‑country jurisdictions for systemic non‑technical risks (data‑access legislation, interference practices, history of cyber operations, etc.);
- formally designate certain countries as “posing cybersecurity concerns”;
- classify suppliers established in, or controlled from, such countries as high‑risk suppliers and apply specific restrictions to them.
Among other limitations, these suppliers will not be allowed to:
- participate in the development of EU cybersecurity standards and specifications;
- act as conformity assessment bodies or holders of European cybersecurity certificates;
- become authorised providers of individual cybersecurity skills attestations;
- participate in certain EU‑funded projects and public procurement procedures for key ICT assets.
At the same time, an individual exemption mechanism is foreseen for entities that can demonstrate robust risk mitigation and protection from undue interference by the third country.
4.3. Specific Regime for Telecommunications Networks
The framework explicitly covers mobile, fixed and satellite electronic communications networks:
- key assets (core network, RAN, transport, management systems) are listed in an annex to the regulation;
- components from high‑risk suppliers in these assets must be phased out within defined deadlines, for mobile networks within a maximum of 36 months from entry into force.
In practice, this transforms the previously voluntary 5G Toolbox into a binding and harmonised legal regime for all Member States.
5. Practical Implications of CSA2
For organisations subject to NIS2 and related instruments, CSA2 implies:
- stricter requirements for supply‑chain risk management, including inventory of key ICT assets and alignment with EU‑level decisions on high‑risk suppliers;
- the opportunity to use European cybersecurity certification (including cyber‑posture schemes) as a primary tool for demonstrating compliance and reducing the aggregate regulatory burden;
- an expanded role for ENISA as a source of methodologies, practical guidance and technical services (single incident‑reporting entry point, common information‑sharing platforms, etc.).
For ICT vendors and service providers, CSA2 consolidates cybersecurity certification as a key trust and market‑access factor in the EU, while at the same time increasing the importance of analysing corporate structures and ownership chains to avoid falling into the high‑risk supplier category.