---
title: "EU Cybersecurity Act Revision 2026 | Aegister"
description: "EU Cybersecurity Act revision 2026 (COM 2026/11): new rules on certification, ENISA powers, and supply chain security. Learn what changes and how to prepare."
canonical: https://www.aegister.com/en/cms/insights/eu-cybersecurity-act-revision-2026/
url: /en/cms/insights/eu-cybersecurity-act-revision-2026/
lang: en
---


# EU Cybersecurity Act Revision – COM(2026) 11: What Changes and Why It Matters


February 05, 2026


On **20 January 2026**, the European Commission published a proposal to revise the EU Cybersecurity Act: **COM(2026) 11 – Proposal for a Regulation for the EU Cybersecurity Act**. The proposal is part of a broader EU "cybersecurity package" aimed at strengthening Europe's resilience and capabilities, reducing fragmentation in the digital single market, and addressing **ICT supply-chain security** as a strategic risk.

## What the proposal aims to achieve

According to the Commission's description of the initiative, the revised Cybersecurity Act is intended to: (1) improve the security of EU ICT supply chains, (2) ensure that products and services reaching EU citizens are "cyber-secure by design" through a **simpler certification process**, (3) facilitate compliance with existing EU cybersecurity rules, and (4) reinforce **ENISA** in supporting Member States and the EU in managing cybersecurity threats. See the Commission's library entry and the cybersecurity package press page for the official framing.

- Proposal page (Commission library): [Proposal for a Regulation for the EU Cybersecurity Act](https://digital-strategy.ec.europa.eu/en/library/proposal-regulation-eu-cybersecurity-act)
- Package press page: [Commission strengthens EU cybersecurity resilience and capabilities](https://digital-strategy.ec.europa.eu/en/news/commission-strengthens-eu-cybersecurity-resilience-and-capabilities)

## Key policy pillars (high-level)

The Commission's Q&A on the cybersecurity package outlines four core building blocks associated with the proposal: a horizontal framework to address **ICT supply-chain security challenges** (including strategic dependency and foreign interference risks), a simplified and enhanced **European Cybersecurity Certification Framework (ECCF)**, simplification measures linked to the implementation of **NIS2**, and a strengthened mandate/capacity for **ENISA**.

- Cybersecurity Package Q&A: [Cybersecurity Package – Questions & Answers](https://digital-strategy.ec.europa.eu/en/faqs/cybersecurity-package-questions-answers)
- ECCF overview: [EU Cybersecurity Certification Framework (ECCF)](https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-certification-framework)

## What changes could matter most for organizations

While the legislative text should be used as the definitive reference, the Commission's published materials emphasize several practical implications for organizations operating in the EU:

- **Supply-chain risk governance becomes more explicit:** the proposal frames ICT supply-chain security as a cross-cutting requirement, enabling coordinated EU/Member State approaches to manage strategic risks in critical ICT supply chains. (See the Q&A for the Commission's explanation.)
- **Certification as a compliance accelerator:** the Commission indicates that certification under the enhanced ECCF is intended to help demonstrate compliance across EU cybersecurity obligations (e.g., providing "compliance tools" and reducing administrative burden). (See the ECCF page and Q&A.)
- **Faster, clearer scheme development:** the Commission materials state that, as a rule, ENISA would develop a candidate scheme within **one year** following a Commission request, aiming to make certification more predictable and timely. (See the Q&A.)
- **ENISA capacity and resources:** the Q&A describes an intent to reinforce ENISA's role in operational cooperation, situational awareness, standards/certification support, and ransomware mitigation support. (See the Q&A.)

For organizations already managing [NIS2 compliance](/en/solutions/compliance/nis2/) or [DORA compliance](/en/solutions/compliance/dora/), the certification simplification could reduce evidence duplication. A [Virtual CISO](/en/solutions/virtual-ciso/) engagement can help map existing controls to the emerging certification framework.

## How this interacts with other EU initiatives

The Commission explicitly positions the proposal within a wider policy context, including initiatives intended to simplify cybersecurity implementation and reporting. For example, the Q&A references the **Digital Omnibus** and the "single-entry point" approach for incident reporting.

- Digital Omnibus (Commission library): [Digital Omnibus Regulation Proposal](https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal)
- NIS2 targeted amendments proposal page (same package): [Proposal for a Directive – simplification measures and alignment (NIS2 targeted amendments)](https://digital-strategy.ec.europa.eu/en/library/proposal-directive-regards-simplification-measures-and-alignment-cybersecurity-act)

## Downloads and annexes (Commission-published package)

The Commission's proposal page provides direct links to the main proposal, annexes, and impact assessment documents:

- **COM(2026) 11 – Proposal for a Regulation for the EU Cybersecurity Act**: [Download](https://ec.europa.eu/newsroom/dae/redirection/document/123727)
- **COM(2026) 11 – Annexes to the proposal**: [Download](https://ec.europa.eu/newsroom/dae/redirection/document/123726)
- **Impact Assessment – Proposal for a Regulation for the EU Cybersecurity Act**: [Download](https://ec.europa.eu/newsroom/dae/redirection/document/123748)
- **Summary of the Impact Assessment**: [Download](https://ec.europa.eu/newsroom/dae/redirection/document/123754)

## Additional Commission attachments related to the same initiative (ENISA & ECCF evaluation)

Alongside the legislative proposal, the Commission published an evaluation of **ENISA** and the **ECCF**, accompanied by a staff working document and a supporting study (with summary and annexes). These materials are useful for understanding the policy rationale, the evidence base, and the areas identified for improvement.

- Evaluation package page: [Evaluation of ENISA and the ECCF](https://digital-strategy.ec.europa.eu/en/library/evaluation-european-union-agency-cybersecurity-enisa-and-european-cybersecurity-certification)
- Supporting study (full / summary / annexes) on data.europa.eu: [See links on the evaluation page (full study, summary, annexes)](https://digital-strategy.ec.europa.eu/en/library/evaluation-european-union-agency-cybersecurity-enisa-and-european-cybersecurity-certification)

**Note:** this is a *proposal* and will follow the EU legislative process (European Parliament and Council). For implementation planning, focus on gap assessments, supply-chain risk governance, certification readiness, and ENISA/ECCF developments.


