29 January 2026

EU Commission Proposed New Cybersecurity Act

Baker Botts LLP

The European Commission has proposed a comprehensive regulation that would repeal and replace the current EU Cybersecurity Act (Regulation (EU) 2019/881), expand the mandate of the European Union Agency for Cybersecurity ("ENISA"), overhaul the European Cybersecurity Certification Framework ("ECCF"), and introduce a new trusted ICT supply chain framework targeting non‑technical risks, including restrictions on "high‑risk suppliers." The proposal aims to increase cybersecurity capabilities and resilience while preventing market fragmentation, with clear interactions anticipated across the NIS2 ecosystem, the Cyber Resilience Act, and potentially the GDPR.

Though this proposal is still only in its early stages, the changes could have serious implications for GDPR compliance, for the use of artificial intelligence in the EU, and for industry-standard cybersecurity practices at companies operating within the EU.

Summary

The proposal restructures the EU cybersecurity framework around three pillars: a reformed mandate for ENISA; a strengthened, more agile ECCF that extends to managed security services and the cyber posture of entities; and a new horizontal framework to de‑risk ICT supply chains at Union level, particularly in sectors covered by the EU's Network and Information Systems Directive 2 ("NIS2"). The legal basis for the proposal remains Article 114 of the Treaty on the Functioning of the European Union ("TFEU"), with the proposal explicitly repealing and succeeding Regulation (EU) 2019/881.

With respect to ENISA, the proposal elevates support for policy implementation, shared situational awareness, operational cooperation, and introduces responsibilities for a single reporting platform, vulnerability management services, and the Cybersecurity Skills Academy, alongside governance and resource updates.

The proposal would broaden ECCF to cover ICT products, services, processes, managed security services, and the cyber posture of entities, with explicit aims to enable presumption of conformity to EU law, reduce compliance burden, standardize assurance levels, and provide model scheme provisions to accelerate and harmonize adoption.

The new trusted ICT supply chain framework introduces coordinated EU‑level risk assessments, the identification of key ICT assets, and proportionate mitigation measures, including prohibitions on the use of high‑risk suppliers in certain electronic communications networks, harmonized supervisory powers, and penalties for infringement.

Applicability

The proposal applies across three layers of the EU economy. First, it sets institutional and governance rules for ENISA and Member States' competent authorities, including tasks, coordination duties, supervision, and enforcement powers that will bind public bodies at Union and national level. This layer primarily affects ENISA in its operational support role and Member States that must designate competent authorities and participate in cooperation networks.

Second, the ECCF applies to a wide community of economic operators in the EU market, covering certification of ICT products, ICT services, ICT processes, managed security services, and the cyber posture of entities. Manufacturers and providers that submit for certification, conformity assessment bodies, and certificate holders are directly subject to ECCF rules, including issuance, obligations to inform on vulnerabilities, and, where applicable, limitations on self-assessment and assurance level conditions.

Third, the trusted ICT supply chain framework applies to public and private entities of the types listed in Annexes I and II to NIS2 (including the energy, transport, banking/financial, health, and digital infrastructure sectors, among various other "critical" sectors) that provide services or carry out activities in the Union. Within that group, there are targeted rules for: (i) entities using identified "key ICT assets," which may be subject to EU-level mitigation measures and prohibitions; and (ii) providers of mobile, fixed, and satellite electronic communications networks, who face explicit, harmonized prohibitions on using, installing, or integrating ICT components from designated high-risk suppliers in key ICT assets, with phase-out timelines.

The supply chain framework also reaches Union entities insofar as they use key ICT assets, and it establishes jurisdiction rules for cross-border operators, including cloud, data center, DNS, TLD, managed service and managed security service providers, and major online platforms, generally tying jurisdiction to main establishment or service location. In addition, entities designated as high-risk suppliers face Union-wide exclusions from specified activities, including participation in public procurement for key ICT assets and involvement in certain standardization and certification roles.

Obligations and Compliance

The proposal would impose or enable several concrete obligations and supervisory structures, with immediate relevance to operators in NIS2‑covered sectors, electronic communications, and providers engaged in EU cybersecurity certification.

First, the trusted ICT supply chain framework would operationalize EU‑level coordinated risk assessments, define "key ICT assets" for sectors in Annexes I and II to NIS2, and mandate proportionate mitigating measures across Member States within defined timelines. These assets will be identified through a security mechanism within the ICT supply chain framework, as set forth in NIS2. This framework also includes explicit prohibitions on using, installing, or integrating ICT components from designated high‑risk suppliers in mobile, fixed, and satellite electronic communications networks, backed by supervision, enforcement, jurisdictional rules, and penalties.

Second, the ECCF's expanded scope would allow certification to serve as a presumption of conformity under specific EU legislation and promote harmonization with national schemes, aligning security objectives with product security obligations and vulnerability handling, and specifying common assurance levels ("basic," "substantial," "high") linked to risk and evaluation rigor. Entities may face new expectations to leverage certification to streamline multi‑law compliance.

Third, ENISA's enhanced role introduces operational and reporting‑related interfaces for entities, including ENISA's stewardship of a single reporting platform established under the Digital Omnibus initiative, and a Union vulnerability management capacity—both of which can translate into process changes for incident reporting, vulnerability disclosure, and cross‑framework coordination.

Finally, Member States must designate competent authorities for the supply chain framework, participate in a cooperation network to facilitate compliance, and apply supervisory and enforcement measures, including penalties, thereby tightening oversight for cross‑border entities and procurement practices.

Possible interaction with the GDPR

Though not expressly intended to supplement or modify the EU GDPR, the proposal expressly positions ECCF certification to facilitate compliance with other Union legal acts, referencing potential synergies with the GDPR without prejudice to GDPR‑specific certification regimes. This signals that cybersecurity certification under the reformed ECCF may help demonstrate organizational and technical measures consonant with GDPR security obligations, while not replacing GDPR Article 42–43 schemes. As such, compliance with the proposal, if implemented, might become the "standard" for cybersecurity measures, meaning possible GDPR violations could follow from a failure to comply with these obligations.

Within the ECCF's security objectives, the proposal embeds requirements to protect both personal and other data against unauthorized processing or disclosure, ensure integrity and availability, record and monitor relevant internal activity, and ensure the security of processing—objectives that align closely with GDPR's security and accountability principles. This alignment may support defensibility for controllers and processors regarding Article 32 technical and organizational measures, subject to scheme‑specific mappings.

Differences from Regulation (EU) 2019/881 (Cybersecurity Act)

The proposal would expressly repeal and replace the EU's current Cybersecurity Act. In its place, the proposal puts forward a number of organizational and institutional changes to the scope of the EU's current cybersecurity regime.

First, ENISA's mandate is expressly broadened: it becomes a central operational cooperation enabler, with explicit tasks for a single incident reporting entry point, an EU vulnerability management service, technical scheme development and maintenance leadership, and the implementation of the Cybersecurity Skills Academy and individual skills attestation schemes. These are beyond the baseline ENISA role under 2019/881.

Second, the ECCF is substantively reformed: scope expands to managed security services and certification of entities' cyber posture; timelines and governance for candidate schemes are clarified; model provisions can be adopted to standardize cross‑cutting elements; and certification can create a presumption of conformity with specified Union law, aiming to reduce administrative burdens and accelerate scheme uptake—addressing the slow, fragmented implementation experienced under 2019/881.

Third, the proposal introduces a new trusted ICT supply chain framework at Union level targeting non‑technical risks, designating high‑risk suppliers, identifying key ICT assets, and imposing harmonized prohibitions and mitigation measures—an area not covered by 2019/881. The framework includes explicit restrictions for electronic communications networks and a coordinated enforcement architecture.

Fourth, the proposal codifies stronger harmonization mechanisms, including alignment with the CRA and NIS2, use of certification to facilitate multi‑regime compliance, and provisions for peer review among national certification authorities, while clarifying ENISA's governance and resourcing, including the addition of a Deputy Executive Director and maintenance financing for schemes—going beyond the governance contours of 2019/881.

Finally, procedurally, the instrument remains an internal market regulation under Article 114 TFEU but expressly provides for the repeal and succession of 2019/881, continuity for pending candidate schemes, and transition of board members, signaling a full legislative refresh rather than a narrow amendment.

Next Steps

Though the proposal is still in its infancy, the significant obligations which the Commission has set forth could greatly affect companies' cybersecurity obligations, both directly under the proposal and indirectly through related laws that border on cybersecurity, such as the GDPR and the EU AI Act. So while compliance is not yet mandatory, companies may get a jump start on these obligations by understanding whether the proposal would even apply to them, what they would need to change, and what risks they might face if the proposal came into effect.

Organizations that may be within the scope of NIS2 (such as operators of electronic communications networks, cloud and managed security service providers, and multinational entities relying on ICT supply chains) may need to begin evaluating their exposure to the forthcoming supply chain designations and prohibitions, and anticipate certification strategy adjustments to leverage presumption of conformity and cross‑framework compliance efficiencies. Early mapping of existing controls to ECCF objectives—particularly those linked to data protection, vulnerability management, assurance levels, and logging—can position entities to capitalize on the streamlined certification and supervisory environment envisioned by the proposal.

Cybersecurity incidents, whether caused by system failures, human error, malicious acts or natural phenomena, have surged and cyberattacks have become more sophisticated, affecting essential entities, businesses, and the general public. The cybercrime ecosystem has proliferated, with ransomware activity at its core.

digital-strategy.ec.europa.eu/...

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.