On 20 January 2026, the European Commission published the Proposal for a Regulation for the EU Cybersecurity Act (the "Cybersecurity Act 2") to update and replace Regulation (EU) 2019/881 (the "2019 Cybersecurity Act"). The Proposal was introduced in response to major changes in cybersecurity threats as well as the weaknesses identified in the 2019 Cybersecurity Act. Since the adoption of the 2019 Cybersecurity Act, cyberattacks have become more frequent and sophisticated, increasingly targeting critical infrastructures, essential services and digital supply chains. At the same time, growing geopolitical tensions and the EU's reliance on technologies from third countries have exposed risks that go beyond technical vulnerabilities. These developments revealed that the existing legislative framework was no longer fully suited to address cybersecurity as a strategic risk to the internal market and to the EU's economic and societal resilience.
The limited effectiveness of the European Cybersecurity Certification Framework, established under the 2019 Cybersecurity Act to provide a unified system for certifying ICT products, ICT services and ICT processes across the EU, also called for reform. While certification schemes were intended to harmonise cybersecurity standards across the EU, they were slow to develop and had limited practical uptake. The revised Proposal seeks to make certification more efficient and relevant by simplifying procedures, accelerating timelines, and expanding its scope beyond ICT products and services to include organisational cybersecurity practices and risk management.
Formally, certification remains voluntary; however, the Proposal recognises that market expectations, procurement requirements and national measures are likely to increase the importance of certification in practice.
The Proposal also strengthens the role of the European Union Agency for Cybersecurity (ENISA). Under the revised framework, ENISA is given more central and operational roles such as managing EU-wide threat and incident information, issuing early warnings, coordinating cybersecurity exercises and having a unified incident reporting platform. This reflects the reality that ENISA's responsibilities have grown significantly since 2019, while its functions remained fragmented. The reform aims to ensure more effective coordination and a clearer allocation of tasks at the EU level.
Another significant development outlined in the Proposal is the introduction of a harmonised EU framework for ICT supply chain security. This allows for the identification and restriction of suppliers considered high-risk, based on both technical and non-technical factors such as exposure to third country influence. In exceptional cases, this may even require the replacement of already deployed technologies in critical sectors. This marks a clear departure from the 2019 Cybersecurity Act and reflects the EU's wider effort to rely less on external technologies and strengthen its own technological capacity.
While the Proposal is still subject to the ordinary legislative procedure before it comes into force, companies across the EU, including Malta, can use this period to review supply chains, strengthen internal cybersecurity governance and update risk assessments. Preparing for expanded EU certification schemes and revisiting contracts with ICT suppliers may help reduce future compliance and operational risks. In the longer term, aligning with certified technologies and EU reporting systems can support stronger incident response and overall digital resilience.
Mamo TCV Advocates will continue to monitor the situation and report on any relevant developments.