Cybersecurity Monthly Report – January 2026 (Italy, EU, Global)



January 31, 2026

January 2026 was a pivotal month for European cybersecurity, marked by a major EU cybersecurity package (a revision of the Cybersecurity Act, often referred to in commentary as "Cybersecurity Act 2") and targeted amendments to NIS2. At the same time, regulators and supervisors continued to operationalize DORA (applicable since January 2025) through practical supervisory expectations and reporting/measurement guidance. This report highlights what matters most for organizations operating in Italy and across the EU: regulatory direction, compliance simplification, supply-chain risk controls, and actionable priorities for security and governance teams.

1) EU cybersecurity package (20 January 2026): Cybersecurity Act revision + targeted NIS2 amendments

On 20 January 2026, the European Commission published a new cybersecurity package built around two legislative proposals:

  • A proposal to revise the EU Cybersecurity Act (the 2019 framework that underpins EU-wide cybersecurity certification).
  • A proposal to amend NIS2 through targeted "simplification and alignment" measures, aiming to reduce complexity and improve cross-border supervision.

From a governance and compliance standpoint, the package is best understood as an attempt to:

  • Increase legal clarity (especially for cross-border entities) and reduce fragmentation in enforcement.
  • Use certification more effectively as a compliance tool, lowering the burden for organizations subject to multiple EU cyber obligations.
  • Strengthen supply-chain and "high-risk supplier" risk management, including the ability to de-risk telecom networks in alignment with the EU 5G security toolbox approach.

Official references:

2) What the NIS2 "simplification" direction signals for 2026 programs

The Commission's NIS2 amendment proposal explicitly frames its intent as increasing legal clarity, streamlining data collection (including ransomware-related data), and facilitating supervision of cross-border entities, with a reinforced coordinating role for ENISA. In practice, this pushes organizations toward "audit-ready" evidence that can be reused across obligations, rather than parallel compliance tracks.

Practical implications for organizations (Italy and EU-wide):

  • Cross-border governance: ensure you can clearly demonstrate jurisdiction, competent authority mapping, and accountability for group-wide controls.
  • Reusable evidence: align control catalogs (policies, logs, testing artifacts) so the same evidence supports NIS2, sectoral rules, and procurement requirements.
  • Supply-chain controls: enhance vendor/ICT service governance and be prepared for deeper scrutiny on "high-risk supplier" exposure.

3) DORA in 2026: supervision deepens, metrics and reporting maturity become differentiators

While DORA became applicable in January 2025, January 2026 is characterized by a shift from "readiness projects" to supervisory maturity: financial entities are expected to show operationalized processes (not just documentation) for ICT risk management, incident handling, resilience testing, and ICT third-party oversight.

Key supervisory signals and references:

What this means for financial organizations in 2026:

  • Incident economics (cost/loss measurement) becomes part of the compliance conversation—improving the quality of impact estimation and reporting readiness.
  • Third-party oversight must be demonstrable: inventory completeness, criticality tiers, contractual controls, monitoring, and exit strategies should be routinely tested.
  • Resilience testing should be credible and risk-based (covering critical services, realistic threat models, and remediation verification).

4) Threat & vulnerability priorities: edge/perimeter remains the strategic battleground

January 2026 continues the pattern seen across recent years: edge systems (VPN gateways, remote access, security appliances) remain high-value targets because they sit at the boundary of trust and are often exposed to the internet. Active exploitation alerts affecting widely deployed products repeatedly drive urgent patch/mitigation cycles.

Representative reference (active exploitation alert):

Operational actions to prioritize:

  • Internet-facing inventory: continuously track exposed services (VPN, portals, DNS, remote management), including shadow IT.
  • Risk-based patching: accelerate remediation for vulnerabilities with exploitation signals; validate compensating controls where patching is constrained.
  • Post-patch verification: confirm effective mitigation and hunt for indicators of compromise around edge systems.
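The three operational actions above (exposure inventory including shadow IT, risk-based patching driven by exploitation signals, and post-patch verification) can be run as one repeatable workflow. The following is an added example, not code from the report or from any vendor: it reconciles a constructed outside-in scan against a constructed approved inventory, ranks findings so that actively exploited, internet-facing issues come first, assigns a due date from constructed SLA tiers, and treats a finding as closed only when a rescan no longer reports it. All hostnames, vulnerability identifiers, CVSS scores and SLA values are placeholders chosen for the example.

```python
"""Added example (not from the report): reconcile an external exposure scan
against the approved internet-facing inventory, rank findings by exploitation
signal, and confirm remediation from a rescan. Every host, service,
vulnerability identifier and SLA below is a constructed placeholder."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed approved inventory: hosts that are allowed to expose a service.
APPROVED_INVENTORY = {
    "vpn-gw-01.example.test": "vpn",
    "portal.example.test": "https",
    "ns1.example.test": "dns",
}

# Constructed results of an outside-in scan of the organisation's address space.
SCAN_RESULTS = [
    {"host": "vpn-gw-01.example.test", "port": 443, "service": "vpn"},
    {"host": "portal.example.test", "port": 443, "service": "https"},
    {"host": "ns1.example.test", "port": 53, "service": "dns"},
    {"host": "test-mgmt.example.test", "port": 22, "service": "ssh"},  # nobody approved this
]

# Constructed remediation SLAs in days per priority tier (an assumption for the
# example, not a value taken from the report or from any regulation).
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30}


@dataclass
class Finding:
    host: str
    vuln_id: str                 # placeholder identifier such as "VULN-0001"
    cvss: float
    actively_exploited: bool     # exploitation signal from a threat feed
    patch_available: bool
    compensating_control: Optional[str] = None


# Constructed findings: the VPN gateway has an exploited bug with no patch yet,
# an internal database has an exploited bug that is not internet-facing.
FINDINGS = [
    Finding("vpn-gw-01.example.test", "VULN-0001", 9.8, True, False,
            compensating_control="admin interface reachable only from mgmt VLAN"),
    Finding("portal.example.test", "VULN-0002", 7.5, False, True),
    Finding("internal-db.example.test", "VULN-0003", 8.8, True, True),
    Finding("ns1.example.test", "VULN-0004", 5.3, False, True),
]


def find_shadow_exposures(scan_results, inventory):
    """Exposed hosts that nobody registered in the approved inventory
    (the shadow-IT case in the inventory action)."""
    return sorted({r["host"] for r in scan_results if r["host"] not in inventory})


def prioritize(findings, scan_results, today_iso):
    """Rank findings: exploited and internet-facing first (P1), then anything
    exploited or high-severity on an exposed host (P2), then the rest (P3).
    Each entry carries its tier, the action to take and an ISO due date."""
    exposed = {r["host"] for r in scan_results}
    today = date.fromisoformat(today_iso)
    ranked = []
    for f in findings:
        internet_facing = f.host in exposed
        if f.actively_exploited and internet_facing:
            tier = "P1"
        elif f.actively_exploited or (internet_facing and f.cvss >= 7.0):
            tier = "P2"
        else:
            tier = "P3"
        if f.patch_available:
            action = "patch"
        elif f.compensating_control:
            action = "compensating-control"   # must be validated, not just documented
        else:
            action = "restrict-exposure"      # no fix and no control: reduce reachability
        ranked.append({
            "host": f.host, "vuln_id": f.vuln_id, "cvss": f.cvss, "tier": tier,
            "internet_facing": internet_facing, "action": action,
            "due": (today + timedelta(days=SLA_DAYS[tier])).isoformat(),
        })
    return sorted(ranked, key=lambda e: (e["tier"], -e["cvss"]))


def unverified_after_rescan(ranked, rescan_findings):
    """Post-patch verification: anything the rescan still reports is not
    closed, whatever the ticketing system says."""
    still_open = {(f.host, f.vuln_id) for f in rescan_findings}
    return [e for e in ranked if (e["host"], e["vuln_id"]) in still_open]


if __name__ == "__main__":
    print("unregistered exposures:", find_shadow_exposures(SCAN_RESULTS, APPROVED_INVENTORY))
    for e in prioritize(FINDINGS, SCAN_RESULTS, "2026-01-31"):
        print(e["tier"], e["due"], e["host"], e["vuln_id"], e["action"])
```

The ordering deliberately puts an exploited, internet-facing finding with no patch ahead of a patchable high-CVSS one: the output tells the team to validate the compensating control now rather than wait for a vendor fix, which is the "validate compensating controls where patching is constrained" point above.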

5) Sector signal: healthcare remains a top ransomware pressure point

Healthcare-focused intelligence sharing communities continue to emphasize ransomware, supply-chain exposure, and AI-driven techniques as major drivers of risk. While every organization's threat model differs, the sector's experience remains a strong proxy for "high-impact" disruption scenarios—useful for resilience and crisis planning across critical services.

6) Governance takeaways for January 2026: what boards and executives should ask for

January 2026 reinforces a simple message: the EU is converging toward a cybersecurity model where compliance is operational and supply-chain risk is treated as a strategic vulnerability—not an afterthought. For boards and senior executives, the focus should be on the few "proof points" that regulators and incident reality will test:

  • Evidence of operational resilience: tested incident response, recovery objectives, and credible exercises.
  • Vendor and cloud control: demonstrable third-party governance, including exit strategies and monitoring.
  • Exposure reduction: measurable improvements in internet-facing attack surface management and edge patch velocity.
  • Metrics that matter: MTTD/MTTR, time-to-patch for exploited vulnerabilities, and incident cost/loss estimation maturity (DORA).
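The metrics named in the last bullet are only useful to a board if they are computed the same way every month, with open items visible rather than silently dropped. The following is an added example, not code from the report: it derives MTTD, MTTR and time-to-patch for exploited vulnerabilities from constructed incident and vulnerability records. MTTR is measured from detection to resolution over closed incidents only, and time-to-patch is restricted to vulnerabilities with an exploitation signal, with unpatched ones reported by age. All identifiers and timestamps are constructed.

```python
"""Added example (not from the report): compute MTTD, MTTR and time-to-patch for
exploited vulnerabilities from constructed records. Identifiers and timestamps
are constructed placeholders."""
from datetime import date, datetime
from statistics import mean, median

# Constructed incident records: when the event started, when the SOC noticed,
# when service was restored (None = still open at report time).
INCIDENTS = [
    {"id": "INC-0001", "occurred": "2026-01-03T08:00", "detected": "2026-01-03T10:30", "resolved": "2026-01-04T09:00"},
    {"id": "INC-0002", "occurred": "2026-01-10T22:00", "detected": "2026-01-12T07:00", "resolved": "2026-01-13T07:00"},
    {"id": "INC-0003", "occurred": "2026-01-20T12:00", "detected": "2026-01-20T12:15", "resolved": None},
]

# Constructed vulnerability records: 'exploited' is the exploitation signal,
# 'known' is when the organisation learned of the issue, 'patched' is when
# remediation was verified (None = still open).
VULNS = [
    {"id": "VULN-A", "exploited": True, "known": "2026-01-05", "patched": "2026-01-08"},
    {"id": "VULN-B", "exploited": True, "known": "2026-01-06", "patched": "2026-01-20"},
    {"id": "VULN-C", "exploited": False, "known": "2026-01-07", "patched": "2026-01-09"},
    {"id": "VULN-D", "exploited": True, "known": "2026-01-25", "patched": None},
]


def _hours(start_iso, end_iso):
    return (datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)).total_seconds() / 3600


def _days(start_iso, end_iso):
    return (date.fromisoformat(end_iso) - date.fromisoformat(start_iso)).days


def incident_metrics(incidents):
    """MTTD (occurrence to detection) over all incidents; MTTR (detection to
    resolution) over closed incidents only, with the open count reported so
    that unresolved cases are not hidden by the average."""
    ttd = [_hours(i["occurred"], i["detected"]) for i in incidents]
    closed = [i for i in incidents if i["resolved"]]
    ttr = [_hours(i["detected"], i["resolved"]) for i in closed]
    return {
        "incidents": len(incidents),
        "open": len(incidents) - len(closed),
        "mttd_mean_h": mean(ttd),
        "mttd_median_h": median(ttd),   # median resists one slow detection skewing the mean
        "mttr_mean_h": mean(ttr) if ttr else None,
        "mttr_median_h": median(ttr) if ttr else None,
    }


def patch_metrics(vulns, as_of_iso):
    """Time-to-patch restricted to vulnerabilities with an exploitation signal;
    exploited vulnerabilities still open are listed with their current age."""
    exploited = [v for v in vulns if v["exploited"]]
    patched = [v for v in exploited if v["patched"]]
    ttp = [_days(v["known"], v["patched"]) for v in patched]
    open_age = {v["id"]: _days(v["known"], as_of_iso) for v in exploited if not v["patched"]}
    return {
        "exploited": len(exploited),
        "patched": len(patched),
        "ttp_mean_d": mean(ttp) if ttp else None,
        "ttp_median_d": median(ttp) if ttp else None,
        "open_exploited_age_d": open_age,
    }


if __name__ == "__main__":
    print(incident_metrics(INCIDENTS))
    print(patch_metrics(VULNS, "2026-01-31"))
```

Reporting the median next to the mean and the open count next to both is the design choice that matters: a single late detection or one long-running incident otherwise dominates the headline number, and an exploited vulnerability that is still open would disappear from a mean computed over patched items only.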

Selected sources (external)

FAQ

What is the main objective of this project?

The project focuses on developing and operationalizing cybersecurity capabilities for target organizations in scope.

Which funding framework supports the initiative?

The article references PR FESR/Campania Startup funding context and related decree identifiers for the initiative.

What timeline is stated for implementation?

The timeline is defined in the project timeline section of this article.

Official sources
