The Cybersecurity Act strengthens the EU Agency for Cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services.
A new mandate for ENISA
ENISA, the EU Agency for Cybersecurity, is now stronger. The EU Cybersecurity Act grants a permanent mandate to the agency, and gives it more resources and new tasks.
ENISA has a key role in setting up and maintaining the European Cybersecurity Certification Framework by preparing the technical ground for specific certification schemes. It is in charge of informing the public about the certification schemes and the issued certificates through a dedicated website.
ENISA is mandated to increase operational cooperation at EU level, helping EU Member States that request it to handle their cybersecurity incidents, and supporting the coordination of the EU response in case of large-scale cross-border cyberattacks and crises.
This task builds on ENISA’s role as secretariat of the national Computer Security Incident Response Teams (CSIRTs) Network, established by the Directive on security of network and information systems (NIS Directive).
In January 2026, the Commission proposed a new Cybersecurity Act to further strengthen the EU's cybersecurity resilience and capabilities. Under the proposal, ENISA will further support companies and stakeholders operating in the EU by issuing early alerts of cyber threats and incidents.
In cooperation with Europol and Computer Security Incident Response Teams (CSIRTs), it will support companies in responding to and recovering from ransomware attacks.
ENISA will also develop a common Union vulnerability management service capacity and provide vulnerability management services to stakeholders. It will operate the single entry point for incident reporting proposed in the Digital Omnibus.
The revised Cybersecurity Act also aims to reduce risks in the EU’s ICT supply chain from third-country suppliers that raise cybersecurity concerns. It sets out a trusted ICT supply chain security framework using a harmonised, proportionate and risk-based approach. Recent cybersecurity incidents have highlighted the major risks posed by vulnerabilities in ICT supply chains, which are essential for critical services and infrastructure.
A European Cybersecurity Certification Framework
The EU Cybersecurity Act introduces an EU-wide Cybersecurity Certification Framework for ICT products, services and processes. Companies doing business in the EU will benefit from having to certify their ICT products, processes and services only once, and from having their certificates recognised across the European Union.
With the proposal on the revised Cybersecurity Act, the renewed European Cybersecurity Certification Framework will bring more clarity and simpler procedures, with schemes to be developed within 12 months by default.
Targeted amendments
On 18 April 2023, the Commission proposed a targeted amendment to the EU Cybersecurity Act. This targeted amendment was adopted on 15 January 2025 and aims to enable the future adoption of European certification schemes for ‘managed security services’ covering areas such as incident response, penetration testing, security audits and consultancy. Certification is key to ensuring a high level of quality and reliability for these highly critical and sensitive cybersecurity services, which help companies and organisations prevent, detect, respond to or recover from incidents.
On 20 January 2026, the Commission also proposed targeted amendments to the NIS2 Directive to increase legal clarity. The amendments will simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU. They will ease compliance for 28,700 companies, including 6,200 micro and small-sized enterprises.