New European cybersecurity law
On 20 January 2026, the European Commission proposed a legislative package that redefines how the European Union (EU) protects its infrastructure, businesses and citizens from growing digital threats. This package represents a significant step forward in European digital security policy. It is an in-depth revision of the EU Cybersecurity Act, with a greater focus on the introduction of security measures for the information and communication technology (ICT) supply chain. Efforts are also being made to reform the European Cybersecurity Certification Framework to facilitate regulatory compliance.
The Strategic Context
Europe today faces a threat landscape that exceeds traditional defense schemes. Recent global vulnerabilities, such as the growing use of malicious AI or attacks on critical infrastructure, have forced the EU to recognize that cybersecurity is no longer an isolated technological issue, but a strategic component of its digital sovereignty.
The proposals put forward on cybersecurity are part of a broader political push within the European Commission’s Digital Package. Their aim is to simplify the European regulatory environment, boost innovation and, at the same time, strengthen resilience to systemic technological risks.
The New Cybersecurity Act
The proposal presented in January 2026 updates and expands the framework previously governed by the Cybersecurity Act of 2019, consolidating stronger legislation that integrates new obligations and approaches that reflect contemporary digital risk.
The new Cybersecurity Act seeks to:
- strengthen the resilience of critical networks and systems,
- improve cooperation between national authorities,
- and place the EU at the global forefront of cyber defense.
In this regard, the powers of the European Union Agency for Cybersecurity (ENISA), a central player in digital protection, will be strengthened. New functions include:
- early warning of emerging threats,
- managing vulnerabilities at Union level,
- and enhanced support for computer security incident response teams (CSIRTs).
This approach seeks to address not only technical attacks, but also disruptive incidents that could affect critical infrastructure and essential services.
Simplification of compliance and complementary NIS2 amendments
The package includes amendments to NIS2 (Directive on the security of network and information systems), making it easier for companies to comply with their obligations. The aim is to reduce the complexity of supervision and risk management requirements. The new revisions introduce a framework to further secure the supply chain in critical infrastructures, with a special focus on third-country suppliers considered to be high risk.

Supply Chain Security: A Strategic Pillar
As indicated in the previous section, one of the most significant changes in the new package is the emphasis on the security of the supply chain, a direct response to the risks posed by dependence on technologies and components from third countries considered to be “high risk”. The new proposal introduces a risk-based framework to mitigate threats throughout the supply chain, from hardware components to software and associated services.
The initiative contemplates the possibility of restricting or phasing out the use of technology considered high risk in critical infrastructure, including the telecommunications sector and essential services. This measure underscores Europe’s need to achieve greater technological independence.
The proposal aims to standardize criteria among Member States for assessing risks in the supply chain, replacing fragmented approaches that hinder cooperation and interoperability. This will enable a unified view of risks and coordinated responses, which ENISA and supervisory authorities will be able to manage more efficiently.
European Cybersecurity Certification Framework (ECCF): More Agile and Efficient
The revision of the European Cybersecurity Certification Framework (ECCF) is another key pillar of the proposal, designed to transform certification into an effective tool for security and competitiveness.
Faster, clearer and more adaptable certification
One of the challenges of the previous framework was the slowness in creating and adopting certification schemes, which undermined their practical usefulness. The current proposal establishes simplified procedures that will allow new schemes to be developed in approximately 12 months by default.
In addition, companies will have a clearer path to identifying which standards to comply with and how to document their compliance.
Certification as a compliance tool
Certification is emerging as a means of facilitating interoperability between regulatory frameworks, reducing implementation burdens for companies.
Consumer confidence and the internal market
A strengthened ECCF will enable citizens, authorities and businesses to trust European-certified products and services, providing guaranteed security throughout the technology supply chain.
Reduction of costs and barriers for SMEs
Regulatory adjustments include mechanisms to reduce burdens on micro and small enterprises, which are often excluded from large compliance schemes due to their complexity and cost. This not only promotes competitiveness but also strengthens the overall security of the European ecosystem by raising the minimum level of protection.
Integration with other frameworks and regulations
The review that has been carried out is designed to coexist with other major initiatives, such as the Cyber Resilience Act, the Digital Operational Resilience Directive, and existing data protection legislation. Although each has different objectives, the coherence of the whole facilitates risk management and comprehensive compliance.
Towards European Strategic Cybersecurity
The cybersecurity package presented in January 2026 marks a turning point in EU digital policy. Europe aspires to be not only a protective digital market, but also a global player capable of defending itself against technical and geopolitical threats.
With a focus on supply chain security, useful and adaptable certification, and real measures to simplify and harmonize compliance, the EU is preparing to face the next digital decade with a more robust and resilient foundation.
At JakinCode, we offer specialized cybersecurity services that, in line with the issues outlined here, help our clients respond effectively to the cybersecurity requirements set by the relevant authorities.



