Strengthening EU Cybersecurity: Harmonisation, Resilience and ICT Supply Chain Security

The European Commission has presented a new cybersecurity package aimed at strengthening the EU’s cyber resilience and capabilities in response to growing cyber and hybrid threats targeting critical services, infrastructure, and democratic institutions.

The package consists primarily of:

➡️ a revised CybersecurityAct,

➡️ targeted amendments to the NIS2 Directive,

➡️ and an expanded role for ENISA as a central coordinating body.

Obraz autorstwa DC Studio na Freepik

Supply Chain Security

One of the most important elements of the revised Cybersecurity Act is its focus on ICT supply chain security.

The Commission proposes:

➡️ a harmonised, risk-based EU framework for securing ICT supply chains,

➡️ joint identification and mitigation of risks across 18 critical sectors,

➡️ explicit consideration of supplier-related risks, including:

☑️ dependencies,

☑️ foreign interference,

☑️ geopolitical exposure.

European Cybersecurity Certification Framework

The revised Act also strengthens and simplifies the European Cybersecurity Certification Framework:

➡️ faster development of certification schemes,

➡️ clearer and more transparent governance,

➡️ stronger stakeholder involvement,

➡️ broader scope — including services, processes, and managed security services.

Certification remains voluntary, but is clearly positioned as:

➡️ a practical tool to demonstrate compliance,

➡️ a way to reduce regulatory burden,

➡️ a competitive advantage for EU businesses.

Facilitating Compliance with NIS2

The package also introduces targeted NIS2 amendments to:

➡️ simplify jurisdictional rules,

➡️ streamline reporting obligations,

➡️ reduce compliance burden for:

☑️ micro and small enterprises,

☑️ and a new category of small mid-cap enterprises.

ENISA

Under the revised framework, ENISA will:

➡️ issue early warnings on cyber threats and incidents,

➡️ support incident response and recovery,

➡️ develop a Union-level approach to vulnerability management,

➡️ operate the single-entry point for incident reporting,

➡️ support cybersecurity skills development.

I strongly welcome this approach to strengthening cybersecurity across the EU and harmonising how it is addressed.

In particular, the focus on ICT supply chain security is long overdue.

This is an area where some Member States — including Poland — have struggled for years to implement consistent, enforceable approaches. Fragmentation, unclear responsibilities, and national-only solutions have proven insufficient in a highly interconnected digital market.

Link

Author: Sebastian Burgemejster