The EU’s 2026 Cybersecurity Package in Strategic and Legislative Context
- Richard Knowlton

- Jan 21

Strengthening Europe’s Digital Defence
Cybersecurity as Economic and Strategic Policy
The European Commission has unveiled a substantial new cybersecurity package intended to reinforce the European Union’s collective resilience against cyber threats and systemic digital risk.
Announced via press release IP/26/105, the package brings forward a revision of the EU Cybersecurity Act, targeted amendments to the NIS2 Directive, and an expanded operational role for ENISA. Taken together, these measures mark another decisive step in the EU’s evolution from fragmented cyber regulation towards a more integrated, security-driven model of digital governance.
What is striking is not merely the volume of legislative activity, but the coherence that is beginning to emerge across the EU’s cyber rulebook. Cybersecurity is no longer treated as a narrow technical discipline or a sector-specific compliance exercise. It is being positioned explicitly as an element of economic security, industrial policy, and geopolitical resilience.

Revisiting the Cybersecurity Act: From Products to Systems
At the core of the package lies the proposed revision of the EU Cybersecurity Act. Originally adopted in 2019, the Act focused primarily on ENISA’s mandate and the establishment of a European cybersecurity certification framework.
The Commission now argues, with some justification, that the threat environment has outpaced the original legislative assumptions. Supply-chain dependency, state-aligned cyber operations, and concentration risk in digital infrastructure are now central concerns.
The revised Act introduces a more explicit and risk-based approach to ICT supply-chain security. Rather than limiting oversight to individual products or services, the new framework encourages a systemic assessment of suppliers, including non-technical factors such as ownership structures, jurisdictional exposure, and strategic dependencies. This represents a clear evolution from vulnerability-centric cybersecurity towards resilience-oriented risk governance.
Certification as a Market-Shaping Instrument
Closely linked to this is the proposed strengthening of the European cybersecurity certification framework.
Certification is positioned not as a bureaucratic add-on, but as a market-shaping instrument designed to embed “security by design” across the digital single market. The Commission’s intention is to simplify certification pathways, clarify governance, and accelerate the development of schemes that are usable in practice.
For industry, this signals a future in which demonstrable conformity to recognised EU frameworks becomes an increasingly important condition for market access. Cybersecurity assurance is no longer optional differentiation; it is becoming a baseline expectation.
Derisking High-Risk Suppliers and Digital Sovereignty
One of the most politically sensitive aspects of the proposal concerns the treatment of high-risk suppliers in critical digital infrastructure.
While the legislation avoids naming specific countries or companies, the direction of travel is unambiguous. Building on earlier instruments such as the 5G security toolbox, the revised Act enables coordinated EU-level approaches to derisking suppliers deemed to pose unacceptable strategic or security risk.
This reflects a broader European shift towards integrating cybersecurity policy with considerations of digital sovereignty and geopolitical exposure. The message is clear: market openness is no longer unconditional where systemic digital risk is concerned.

Refining NIS2: Clarification, Proportionality, and Usability
Alongside the Cybersecurity Act revision, the Commission proposes targeted amendments to the NIS2 Directive. NIS2 already represents a significant expansion of the EU’s cyber governance perimeter, extending mandatory risk-management and incident-reporting obligations across a wide range of essential and important entities.
However, early implementation has exposed inconsistencies in interpretation, enforcement, and scope across Member States.
The proposed amendments aim to clarify jurisdictional rules, streamline reporting obligations, and introduce greater proportionality for smaller entities through a new “small mid-cap” category. Importantly, the Commission also seeks to improve the quality and usability of incident data, particularly in relation to ransomware, recognising that poorly structured reporting delivers limited operational or strategic value.

ENISA and the Gradual Centralisation of Cyber Coordination
A further pillar of the package is the reinforcement of ENISA’s operational role. The agency is increasingly positioned as the EU’s cyber anchor: supporting coordinated preparedness, aggregating threat intelligence, assisting national authorities with supervision, and enabling cross-border response mechanisms.
This reflects a gradual but deliberate centralisation of cyber coordination at EU level, even as operational responsibility remains with Member States. The balance between national sovereignty and collective defence is being recalibrated in practice rather than rhetoric.

EU and UK Approaches: Diverging Regulatory Philosophies
At this point, the EU approach warrants direct comparison with developments in the United Kingdom, where cybersecurity legislation is evolving along a parallel but distinct path.
In the UK, the proposed Cyber Security and Resilience Bill builds on the existing NIS framework by expanding regulatory powers, widening scope, and tightening incident-reporting requirements. In parallel, the Online Safety Act addresses systemic digital risk from a societal and platform-governance perspective rather than an infrastructure-centric one.
The contrast lies less in ambition than in regulatory philosophy.
The EU is constructing a dense, rules-based cyber governance architecture centred on harmonisation, certification, and supply-chain derisking at internal-market level, explicitly incorporating strategic autonomy considerations. The UK, by contrast, is pursuing a more principles-based, regulator-led model that prioritises supervisory discretion, outcomes, and adaptive enforcement over prescriptive certification regimes.
For organisations operating across both jurisdictions, this divergence is non-trivial. EU compliance will increasingly depend on formal conformity with defined frameworks, while UK compliance will hinge more on demonstrable governance maturity, risk ownership, and the quality of engagement with regulators.
An Interlocking EU Cyber Rulebook
Viewed in its broader legislative context, the 2026 cybersecurity package does not stand alone. It complements and reinforces other major EU instruments, including the Cyber Resilience Act, which establishes baseline security obligations for products with digital elements; DORA, which imposes rigorous ICT risk-management requirements across the financial sector; and the Cyber Solidarity Act, which strengthens collective detection and response capabilities at Union level.
Together, these measures form an increasingly interlocking regulatory ecosystem, reducing ambiguity but raising expectations for organisational maturity.
Implications for Boards and Senior Leadership
Strategically, the direction is clear. The EU is moving away from reactive, incident-driven cyber regulation towards anticipatory governance focused on systemic resilience.
Cybersecurity is being treated as an enabler of trust in the digital economy and as a prerequisite for strategic autonomy, not merely as a technical control function.
For boards and senior executives, the implications are significant. Compliance will demand more than technical controls or isolated policies. It will require integrated risk governance, visibility across supply chains, and an ability to evidence assurance against recognised EU frameworks. For non-EU firms, the package reinforces the need to understand European regulatory expectations not only as legal obligations, but as expressions of a wider strategic worldview.
Conclusion: Consolidation, Not Closure
The Commission’s package is not the final word. Its effectiveness will depend on legislative negotiation, implementation guidance, and enforcement consistency across Member States. Nonetheless, it represents a decisive consolidation of the EU’s cybersecurity posture — and a clear signal that digital resilience is now firmly embedded in the Union’s conception of economic and security policy.

Richard Knowlton Associates and its partner company the Cambridge Cyber Centre were founded to contribute to an informed, rigorous, and decision-oriented debate, helping public and private leaders understand digital risk not as an isolated technical problem, but as a structural component of European resilience.
Only by recognising the systemic nature of the threat will it be possible to develop responses worthy of the complexity of our time.
Please check our services and see how we can support you!