{"id":185182,"date":"2026-02-06T15:52:00","date_gmt":"2026-02-06T20:52:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/06\/eu-commission-looks-to-strengthen-eu-cybersecurity-resilience-and-capabilities-dla-piper\/"},"modified":"2026-02-06T15:55:09","modified_gmt":"2026-02-06T20:55:09","slug":"eu-commission-looks-to-strengthen-eu-cybersecurity-resilience-and-capabilities-dla-piper","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/06\/eu-commission-looks-to-strengthen-eu-cybersecurity-resilience-and-capabilities-dla-piper\/","title":{"rendered":"EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities | DLA Piper"},"content":{"rendered":"<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/eu-commission-looks-to-strengthen-eu-2789827\/\">EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities | DLA Piper<\/a><\/p>\n<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/eu-commission-looks-to-strengthen-eu-2789827\/\">https:\/\/www.jdsupra.com\/legalnews\/eu-commission-looks-to-strengthen-eu-2789827\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-06 15:52:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.jdsupra.com\">www.jdsupra.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>[co-author: Rachel de Souza]<\/p>\n<p>On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU\u2019s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (\u201cCSA\u201d) and targeted amendments to the NIS2 Directive (see our blog post for further information on the amendments to the NIS2 Directive). 
The revised CSA aims to enhance coherence across the EU\u2019s cybersecurity legal framework, reflecting both the evolving threat landscape since the adoption of the Cybersecurity Act in 2019 and an increasingly complex geopolitical environment.<\/p>\n<p>Summary of key changes:<\/p>\n<p>\tICT supply chain security challenges \u2013 the revised CSA introduces a new horizontal framework for assessing ICT supply chain risks across NIS2 \u2018critical\u2019 and \u2018highly critical\u2019 sectors. Under the proposal, the European Commission would identify \u201ckey ICT assets\u201d used by essential and important entities under NIS2. The framework sets out EU\u2011level risk\u2011assessment mechanisms and minimum protection standards to address ICT supply chain risks. There is an emphasis on \u201cnon\u2011technical risks\u201d, referring to the likelihood of the supplier being subject to negative \u201cinfluence by a third country\u201d which could cause loss or disruption of the service provided or compromise a product. Where a third country is assessed as posing non\u2011technical risks to the ICT supply chain, the revised CSA allows the European Commission to designate that country and any entities it controls as \u2018high\u2011risk suppliers\u2019. When designating a supplier as \u2018high risk\u2019, the Commission will take into account factors such as: requirements in the third country to report information on software or hardware vulnerabilities to authorities prior to those vulnerabilities being known to have been exploited; the absence of effective judicial remedies and independent and democratic control mechanisms that can correct the identified security concerns; and incidents of threat actors controlled and operating out of that third country. 
High\u2011risk suppliers will be subject to restrictions, including exclusion from participating in procurement procedures for the provision of ICT components in key ICT assets and preventing high-risk suppliers from obtaining EU cybersecurity certification and conformity\u2011assessments. The revised CSA also includes targeted mitigation measures, such as prohibiting the use of ICT components from such suppliers in key ICT assets. Other potential measures include restrictions on data transfers or remote processing from third countries; additional transparency obligations; third\u2011party audits of technical measures, including the disabling of any remote or physical access to key ICT assets; restrictions related to operational control, including outsourcing of organisational functions to managed service providers; requirements relating to personnel vetting by the relevant national competent authorities; and diversification of supply of ICT components.<br \/>\n\tStricter requirements for telecommunications \u2013 the revised CSA contains stricter, more onerous, requirements for key ICT assets for mobile, fixed and satellite electronic communications networks. ICT components provided by high-risk suppliers must be phased out within 36 months from the publication of the list of high-risk suppliers. Providers must also stop using, installing or integrating ICT components from high-risk suppliers in the operation of key ICT assets.<\/p>\n<p>\tA more agile certification process \u2013 through a renewed European Cybersecurity Certification Framework (ECCF), the revised CSA will implement a more streamlined certification process, aimed at simplifying procedures and shortening timelines\u2014responding to longstanding criticisms that certification is too slow and burdensome. 
The certification will no longer just cover ICT products, services, processes, and managed security services but will also allow organisations to certify their broader \u2018cybersecurity posture\u2019. This will allow organisations to use certification to demonstrate compliance and get presumption of conformity with other EU legislation, such as NIS2.<\/p>\n<p>\tA stronger role for ENISA \u2013 the revised CSA will enhance ENISA\u2019s role, particularly in operational cooperation and the exchange of information on cyber threats and incidents. ENISA will oversee European repositories of threats and incidents and issue EU\u2011wide early alerts of emerging cyber threats. It will also support organisations with ransomware mitigation efforts and support the implementation of the Cybersecurity Skills Academy. In addition, ENISA\u2019s involvement in the development of cybersecurity standards at both European and international level will be strengthened, including work on technical specifications for European cybersecurity schemes. ENISA will also serve as the single-entry point for incident reporting proposed under the Digital Omnibus.<\/p>\n<p>Next steps<\/p>\n<p>The proposals will now move through trilogue negotiations with the European Parliament and the EU Council. Progress will take time with amendments and changes expected as the CSA moves through the legislative process. The proposal is expected to be adopted in late 2026 or, more likely, in 2027. 
After that, there will be a 12-month period for Member States to implement the Directive into national law and communicate the relevant texts to the Commission.<\/p>\n<p>For organisations both within and outside the EU likely to be caught by the proposals, there are some practical steps that can be taken, including reviewing ICT supply chains; assessing the risk of suppliers being designated as \u2018high risk\u2019; strengthening internal cybersecurity policies and procedures; and continuing to monitor developments across the EU. Organisations should continue to follow current national rules, while also preparing for the introduction of new certification-based systems, more coordinated oversight and more onerous requirements in relation to risk management.<\/p>\n<p>[View source.]<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities | DLA Piper https:\/\/www.jdsupra.com\/legalnews\/eu-commission-looks-to-strengthen-eu-2789827\/ 
Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":185183,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/jdsupra-static.s3.amazonaws.com\/profile-images\/og.16336_0535.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-185182","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/185182"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=185182"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/185182\/revisions"}],"predecessor-version":[{"id":185184,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/185182\/revisions\/185184"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/185183"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=185182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=185182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=185182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}