{"id":185868,"date":"2026-02-09T14:58:00","date_gmt":"2026-02-09T19:58:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/09\/new-eu-cybersecurity-package-what-the-proposed-reforms-mean-for-companies-in-the-eu-mcdermott-will-schulte\/"},"modified":"2026-02-09T15:05:08","modified_gmt":"2026-02-09T20:05:08","slug":"new-eu-cybersecurity-package-what-the-proposed-reforms-mean-for-companies-in-the-eu-mcdermott-will-schulte","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/09\/new-eu-cybersecurity-package-what-the-proposed-reforms-mean-for-companies-in-the-eu-mcdermott-will-schulte\/","title":{"rendered":"New EU cybersecurity package: What the proposed reforms mean for companies in the EU | McDermott Will &#038; Schulte"},"content":{"rendered":"<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/new-eu-cybersecurity-package-what-the-9294933\/\">New EU cybersecurity package: What the proposed reforms mean for companies in the EU | McDermott Will &#038; Schulte<\/a><\/p>\n<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/new-eu-cybersecurity-package-what-the-9294933\/\">https:\/\/www.jdsupra.com\/legalnews\/new-eu-cybersecurity-package-what-the-9294933\/<\/a><\/p>\n<p>Publish Date: 2026-02-09 14:58:00<\/p>\n<p>Source Domain: <a href=\"www.jdsupra.com\">www.jdsupra.com<\/a><\/p>\n<p>On 20 January 2026, the European Commission unveiled a new EU cybersecurity package comprising (i) a proposal to revise the Cybersecurity Act (CSA2) and (ii) targeted amendments to the Network and Information Systems 2 (NIS2) Directive.<\/p>\n<p>The package aims to strengthen the EU\u2019s cyber resilience, reduce regulatory fragmentation, and address escalating information and communications technology (ICT) supply-chain risks. 
Both proposals will now enter trilogue negotiations with the European Parliament and the Council of the EU and are expected to undergo further refinement, with the Commission targeting political agreement by early 2027.<\/p>\n<p>Once adopted, CSA2 will apply directly across the EU, while Member States will have one year to transpose the NIS2 amendments into national law.<\/p>\n<p>The direction of travel is clear: The targeted NIS2 amendments are intended to facilitate compliance for in-scope entities and to enhance legal certainty. In parallel, CSA2 marks a structural shift. Cybersecurity certification is elevated from a voluntary quality label to a compliance and risk-management instrument, the European Union Agency for Cybersecurity (ENISA) is repositioned as a more operational actor, and ICT supply-chain security moves beyond procedural due diligence towards EU-level risk assessment and enforceable mitigation measures and, where necessary, restrictions.<\/p>\n<p>In Depth<\/p>\n<p>Targeted NIS2 amendments: Greater legal certainty and convergence<\/p>\n<p>Although presented as a simplification exercise, the proposed NIS2 amendments would amount to a substantive recalibration. The emphasis is on legal certainty and convergence, while formally retaining NIS2 as a minimum-harmonisation directive.<\/p>\n<p>1. Clearer scope and more predictable entity classification<\/p>\n<p>To reduce the compliance burden, the proposal introduces more precise and proportionate scope rules, including:<\/p>\n<p>\tSector-specific clarifications and thresholds, notably:<\/p>\n<p>\t\tA 1 MW generation-capacity threshold for electricity producers<br \/>\n\t\tTargeted refinements for the healthcare, hydrogen, and chemical sectors<\/p>\n<p>\tInclusion of European Business Wallets providers, as well as entities identified as owners, managers, and operators of strategic dual-use infrastructure within the scope of NIS2.<br \/>\n\tCreation of a new small midcap enterprise category. 
As a general rule, small midcap entities referred to in Annex I will be classified as important rather than essential, reducing supervisory intensity.<\/p>\n<p>Impact for business:<\/p>\n<p>\tCompanies operating close to NIS2 thresholds should reassess their classification and regulatory exposure once the legislative process is more advanced.<br \/>\n\tGlobally operating companies are likely to benefit from greater consistency across Member States, reducing conflicting supervisory outcomes.<\/p>\n<p>2. Risk-management measures: Minimum harmonisation with real convergence<\/p>\n<p>NIS2 remains a minimum-harmonisation instrument. However, where the Commission adopts implementing acts specifying technical, methodological, or sectoral risk-management measures under Article 21(5), Member States will no longer be permitted to impose further national requirements for those measures.<\/p>\n<p>This effectively shifts the definition of core cybersecurity controls to the EU level.<\/p>\n<p>Impact for business:<\/p>\n<p>\tThe exposure to national gold-plating of baseline cybersecurity controls will be reduced.<br \/>\n\tThere will be greater predictability for cross-border compliance programmes and internal control frameworks.<br \/>\n\tChief information security officers and legal teams should expect more uniform supervisory benchmarks over time.<\/p>\n<p>3. Cybersecurity certification as a compliance tool<\/p>\n<p>The revised NIS2 Directive is explicitly aligned with CSA2\u2019s reform of the European Cybersecurity Certification Framework (ECCF). 
Organisations will be able to rely on European cybersecurity certification schemes, including future entity-level cyber-posture certifications, to demonstrate compliance with NIS2 risk-management obligations.<\/p>\n<p>Where certification demonstrates compliance with the requirements, competent authorities will not be allowed to subject the entity to security audits.<\/p>\n<p>Impact for business:<\/p>\n<p>\tCertification will become a strategic compliance instrument, not merely a voluntary quality label.<br \/>\n\tMultinational organisations may be able to reduce duplicative audits and supervisory demands across jurisdictions.<\/p>\n<p>4. Supply-chain security: From questionnaire fatigue to standardisation<\/p>\n<p>The Commission explicitly recognises that NIS2 supply-chain obligations have generated burdensome and inconsistent supplier questionnaires, often cascading obligations down the supply chain.<\/p>\n<p>The amendments foresee EU-level guidance on supply-chain security, addressing an appropriate level of detail, structure, and format for such information requests.<\/p>\n<p>Impact for business:<\/p>\n<p>\tSupplier due-diligence processes may become standardised across the EU.<br \/>\n\tThe pressure to cascade extensive compliance questionnaires to out-of-scope suppliers will be reduced.<br \/>\n\tThere will be greater clarity during negotiations for contractual cybersecurity obligations.<\/p>\n<p>5. Ransomware reporting: Better data, built-in safeguards<\/p>\n<p>The amendments to NIS2 would introduce a basis for more harmonised EU-wide data collection on ransomware incidents, including attack vectors and mitigation measures. 
Sensitive information, such as ransom payments, will be disclosed only upon request of the Computer Security Incident Response Team or the competent authority.<\/p>\n<p>Impact for business:<\/p>\n<p>\tReporting expectations will increase.<br \/>\n\tIncident-response playbooks will need to reflect more structured EU-level reporting workflows.<\/p>\n<p>6. EU representative: Scope expansion<\/p>\n<p>The proposed replacement of Article 26(3) removes the express limitation to entities referred to in Article 26(1)(b), comprising digital infrastructure, digital providers, and managed (security) service providers. As a result, the obligation to designate an EU-based representative would apply to all essential and important entities not established in the EU but offering services within it, including providers of public electronic communications networks and publicly available electronic communications services.<\/p>\n<p>Jurisdiction would attach to the Member State where the representative is established, except for electronic communications providers, which would continue to fall under the jurisdiction of the Member State in which they provide their services. Where no representative is designated, any Member State in which services are offered may initiate enforcement action for infringements of NIS2.<\/p>\n<p>Impact for business:<\/p>\n<p>\tCompliance obligations for non-EU providers will expand, notably in the telecommunications and electronic communications sectors, which are not currently subject to a representative requirement.<br \/>\n\tNon-EU entities operating in multiple Member States without a designated representative will have increased enforcement exposure.<br \/>\n\tRepresentative designation will become more strategically important, because the location of the representative may determine the primary supervisory interface for most non-EU operators.<\/p>\n<p>7. 
Postquantum cryptography: A regulatory horizon signal<\/p>\n<p>As part of the national cybersecurity strategy, Member States will be required to adopt policies for the transition to postquantum cryptography (PQC), taking into account the transition timelines and relevant requirements set out in applicable EU legal acts and policies, with EU-level timelines targeting 2030 for critical use cases and 2035 for medium- and low-risk use cases.<\/p>\n<p>Impact for business:<\/p>\n<p>\tPQC moves from a theoretical issue to a medium-term regulatory expectation.<br \/>\n\tCompanies with long-lived systems or encrypted data should factor PQC into technology road maps and procurement decisions.<\/p>\n<p>CSA2: From dormant framework to operational instrument<\/p>\n<p>CSA2 seeks to address the limited uptake of EU cybersecurity certification and to reinforce the EU\u2019s capacity to manage strategic ICT risks.<\/p>\n<p>It introduces three core pillars:<\/p>\n<p>\tA significantly strengthened ENISA<br \/>\n\tA simplified and expanded ECCF<br \/>\n\tAn ICT supply-chain framework<\/p>\n<p>8. The operationalisation of ENISA\u2019s mandate<\/p>\n<p>CSA2 clarifies ENISA\u2019s role and assigns it concrete, delivery-oriented tasks across four clusters:<\/p>\n<p>\tSupport for implementation of EU cyber law and policy<br \/>\n\tOperational cooperation<br \/>\n\tCybersecurity certification and standardisation<br \/>\n\tImplementation of the Cybersecurity Skills Academy<\/p>\n<p>Impact for business:<\/p>\n<p>\tENISA tools and guidance are likely to function as de facto compliance standards for national authorities.<br \/>\n\tIncreased EU coordination should reduce inconsistent national supervision for cross-border operators.<br \/>\n\tCertification and skills frameworks will increasingly be used to evidence compliance, governance maturity, and operational readiness.<\/p>\n<p>9. 
Certification: From a nice-to-have label to a compliance and market-access tool<\/p>\n<p>CSA2 aims to make the ECCF more effective and more usable across the entire market, including certification for ICT products, services, and processes; managed security services; and the cyber posture of entities. European cybersecurity certification will continue to be voluntary, unless otherwise specified in EU or national law.<\/p>\n<p>What changes in substance:<\/p>\n<p>\tA broader scope, including an entity-level cyber-posture concept.<br \/>\n\tA stronger link between certification and compliance via presumption of conformity mechanisms where EU or national law recognises certification to demonstrate compliance.<\/p>\n<p>Impact for business:<\/p>\n<p>\tCertification can become a differentiator (and in some contexts, a quasi-requirement), especially in regulated sectors.<br \/>\n\tWhere EU or national law provides presumption of conformity, certification can reduce duplicative audits and lower friction with multiple supervisors.<br \/>\n\tExpect more requests for proposals and vendor contracts to require \u2013 or reward \u2013 EU certification.<\/p>\n<p>10. Trusted ICT supply-chain framework: EU-level mechanism to address nontechnical risk<\/p>\n<p>A core CSA2 revision is the EU-level trusted ICT supply-chain framework to address nontechnical risks (e.g., jurisdiction to which a supplier of certain components is subject) in sectors of high criticality and other critical sectors covered by NIS2. It is designed to (i) identify key ICT assets in critical ICT supply chains and (ii) impose appropriate and proportionate mitigation measures on NIS2-covered entities.<\/p>\n<p>The framework sits alongside (and does not displace) obligations under the Cyber Resilience Act and national rules implementing Article 21 NIS2, and it explicitly allows Member States to have and maintain higher supply-chain requirements if consistent with EU law.<\/p>\n<p>11. 
Coordinated security risk assessments<\/p>\n<p>CSA2 enables the Commission \u2013 or at least three Member States \u2013 to trigger EU-level coordinated security risk assessments through the NIS Cooperation Group. These assessments must identify key ICT assets of the respective supply chains; assess threat actors, vulnerabilities, and risk scenarios; and propose mitigation measures. As a rule, they must be completed within six months, with shorter timelines possible in urgent cases. Where the Commission considers that a significant cyber threat endangers the functioning of the internal market, it may conduct its own assessment after consulting Member States.<\/p>\n<p>Based on these assessments, the Commission may identify key ICT assets by implementing act, taking into account their essential and sensitive functions, the potential for serious disruption or data exfiltration, supplier concentration risks, and the results of the risk assessments.<\/p>\n<p>In parallel, CSA2 establishes a mechanism to address nontechnical risks linked to third countries. Where a third country is found to pose a serious and structural nontechnical risk to ICT supply chains \u2013 based on factors such as vulnerability disclosure laws or practices, lack of effective oversight, or substantiated malicious cyber activity \u2013 the Commission may designate that country as posing cybersecurity concerns. 
Entities established in, or controlled by, such countries or otherwise designated following a specific risk assessment may be classified as high-risk suppliers.<\/p>\n<p>Impact for business:<\/p>\n<p>\tCompanies should expect deeper scrutiny of supplier dependencies, ownership structures, and concentration risks.<br \/>\n\tCertain suppliers or components may become legally constrained or unavailable, directly affecting sourcing strategies, cost structures, and deployment timelines.<br \/>\n\tRobust asset and supply-chain mapping will become a prerequisite for compliance and risk management.<\/p>\n<p>12. Binding mitigation measures and prohibitions<\/p>\n<p>Following risk assessments, the Commission may impose binding mitigation measures by implementing act. These include transparency obligations and restrictions on data transfers, remote data processing from a third country, outsourcing and contractual arrangements, audited technical controls, personnel vetting, and diversification of supply of ICT components.<\/p>\n<p>Where necessary, the Commission may go further and prohibit certain types of NIS2-covered entities from using, installing, or integrating ICT components from high-risk suppliers in key ICT assets, subject to transition and phase-out periods. Before adopting such measures, the Commission must assess potential risks and dependencies.<\/p>\n<p>Impact for business:<\/p>\n<p>\tCSA2 enables a shift from assessment to operationally intrusive and enforceable controls.<br \/>\n\tExpect concrete consequences in particular for IT architecture, outsourcing models, data flows, and supplier contracts.<br \/>\n\tExit strategies, diversification planning, and migration budgets will become essential compliance tools.<\/p>\n<p>13. Exemptions: Limited flexibility under strict conditions<\/p>\n<p>Entities established in or controlled by entities from a third country posing cybersecurity concerns may make a reasoned request to the Commission to be exempted. 
Exemptions require clear evidence of effective mitigation, may be time limited and conditional (e.g., audits and reporting), and are subject to fees. Decisions are recorded in a public register.<\/p>\n<p>Impact for business:<\/p>\n<p>\tExemptions may provide short-term relief where alternatives are unavailable but create delay, compliance overhead, and reputational exposure.<br \/>\n\tExemptions should be viewed as exceptional and temporary, not a long-term sourcing strategy.<\/p>\n<p>14. Mandatory phase-out of high-risk suppliers<\/p>\n<p>For mobile, fixed, and satellite electronic communications networks, CSA2 identifies key ICT assets and mandates the phase-out of components from high-risk suppliers. For mobile electronic communications networks, the phase-out period must not exceed 36 months from publication of the relevant high-risk supplier list; timelines for fixed and satellite networks will be set via implementing acts.<\/p>\n<p>Impact for business:<\/p>\n<p>\tTelecom operators will face the clearest, most immediate outcome: mandatory replacement programmes with fixed deadlines.<br \/>\n\tSignificant capital expenditure, procurement, and service-continuity risks are likely, with downstream effects for customers.<\/p>\n<p>Conclusion and recommended next steps for companies<\/p>\n<p>Taken together, the proposed NIS2 amendments and CSA2 point to a clear change in direction in EU cybersecurity law, moving away from fragmented national approaches towards greater coordination and more harmonised supervision.<\/p>\n<p>For businesses, cybersecurity is increasingly treated as a matter of enterprise risk management and corporate governance rather than a purely technical issue. At this stage, close monitoring of the legislative process is important. 
The proposals \u2013 including scope thresholds, the use of EU-level implementing acts, and the role of certification \u2013 remain subject to negotiation and may still evolve in ways that affect compliance planning and operational choices.<\/p>\n<p>Organisations that follow these developments early will be better placed to adjust once the framework is finalised.<\/p>\n<p>[View source.]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New EU cybersecurity package: What the proposed reforms mean for companies in the EU |&#8230;<\/p>\n","protected":false},"author":1,"featured_media":185869,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/jdsupra-static.s3.amazonaws.com\/profile-images\/og.5223_4824.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[33,24,27],"class_list":["post-185868","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-computer-security","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/185868"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=185868"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/185868\/revisions"}],"predecessor-version":[{"id":185870,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/185868\/revisions\/185870"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json
\/wp\/v2\/media\/185869"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=185868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=185868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=185868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}