European Union: European Commission submitted Proposal for a Regulation on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security (The Cybersecurity Act 2)

On 20 January 2026, the European Commission introduced the Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (The Cybersecurity Act 2). The proposed Act would make a number of basic changes to the cybersecurity framework. Notably, it would establish a trusted ICT supply chain security framework to enable the EU and member states to jointly identify and mitigate risks across key sectors. Further, the proposed Act would make changes to the European Cybersecurity Certification Framework by clarifying and simplifying procedures and allowing certification schemes to be developed within 12 months by default. Further, the proposed Act would reform the mandate, tasks, governance structure, and resources of the European Union Agency for Cybersecurity (ENISA). Under the proposed Act, ENISA would act as the single entry point for incident report, issue early cyber threat alerts, cooperate further with Europol and CSIRTs, and develop a common Union vulnerability service management capacity.