On 20 January 2026, the European Commission submitted the Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (The Cybersecurity Act 2). The Proposal would revise the legal framework under the current Cybersecurity Act (Regulation (EU) 2019/881) by reforming ENISA's mandate, updating the European cybersecurity certification framework, and introducing a trusted ICT supply chain framework. The Proposal would expand the existing cybersecurity certification framework to include managed security services and the evaluation of entities' cyber posture, and would update the security objectives and basic elements of those schemes. Regarding supply chain security, the trusted ICT supply chain framework would introduce a Union-level security mechanism to address non-technical cybersecurity risks linked to suppliers in sectors of high criticality and other critical sectors, as defined by the NIS 2 Directive. The mechanism would include a security risk assessment and the possibility to designate third countries as posing cybersecurity concerns to ICT supply chains. The Commission would be empowered to take a number of measures, such as identifying key ICT assets and establishing lists of high-risk suppliers, as well as mitigation measures, such as transparency requirements, data transfer prohibitions, and technical audits for critical entities.