
What the EU Cybersecurity Package Is

Smarttech247 Research Team
Insights and Intelligence
Compliance and Risk
Published: March 9, 2026

The European Commission’s proposed cybersecurity package marks another step toward a more integrated EU cybersecurity framework. While the reforms do not introduce entirely new regulatory regimes, they aim to strengthen the operational role of the EU Agency for Cybersecurity (ENISA), expand the European Cybersecurity Certification Framework (ECCF), and simplify how organisations navigate overlapping cybersecurity laws such as NIS2.

For CISOs and security leaders, the direction of travel is clear: certification is likely to play a greater role in technology procurement, supply chain security will remain a regulatory priority, and the EU is continuing to align multiple cyber regulations into a more coordinated system.

In practice, the package focuses on improving how existing tools work together, addressing regulatory complexity, strengthening EU-level coordination, and supporting organisations facing increasingly complex cyber threats.

The proposal addresses four interconnected intervention areas:

  • the mandate of the EU Agency for Cybersecurity
  • the European Cybersecurity Certification Framework
  • targeted amendments to the NIS2 Directive
  • broader measures aimed at simplifying compliance with EU cybersecurity rules

This article explains what the proposed cybersecurity package includes, why the EU is updating its framework, and how the reforms fit into the broader landscape of EU cybersecurity regulation.

Why the EU is Updating its Cyber Framework

The European Commission believes the EU’s cybersecurity framework needs updating to better reflect today’s threat landscape. Cyber incidents affecting critical services, supply chains, and digital infrastructure have become more frequent and complex in recent years.

In its impact assessment, the Commission also identified:

  • Structural challenges within the current system
  • Limited coordination between Member States
  • Slow implementation of existing policy tools
  • Regulatory complexity that can make cybersecurity compliance difficult for organisations

The proposed reforms aim to address these issues by strengthening the role of ENISA, improving the European Cybersecurity Certification Framework, and simplifying how organisations navigate existing EU cybersecurity rules.

The Existing EU Cybersecurity Regulatory Landscape

The European Union’s cybersecurity framework is built around a combination of strategic policy, operational coordination mechanisms, and sector-specific regulation designed to strengthen cyber resilience across the Single Market.

The EU Cybersecurity Strategy, presented in 2020, sets the overall direction for Europe’s cybersecurity policy. It focuses on protecting essential services such as hospitals, energy networks, transport infrastructure, and other critical systems, as well as securing connected devices used in homes, offices, and industrial environments.

The Network and Information Systems Directive (NIS Directive) established cooperation mechanisms between Member States to manage cybersecurity risks affecting critical infrastructure. The framework was later updated through NIS2, which expanded the scope of sectors covered and strengthened incident reporting and risk management requirements.

A central role in the EU cybersecurity ecosystem is played by ENISA. Strengthened by the Cybersecurity Act (2019), ENISA supports Member States, EU institutions, and businesses in areas such as threat coordination, cybersecurity certification, and the implementation of EU cyber legislation.

More recently, the Cyber Resilience Act introduced EU-wide cybersecurity requirements for products with digital elements, including hardware and software. The regulation establishes common security standards that manufacturers must follow throughout a product’s lifecycle and introduces a duty of care requiring products to be secure by design.

The Cyber Solidarity Act, which entered into force in 2025, further strengthens the EU’s ability to detect and respond to large-scale cyber incidents by improving cooperation and shared response capabilities across Member States.

The Digital Operational Resilience Act (DORA) is an EU regulation designed to strengthen the digital resilience of the financial sector. It began applying on 17 January 2025 and requires banks, insurers, investment firms and other financial entities to manage ICT risks and ensure they can withstand, respond to, and recover from cyber incidents or technology disruptions.

The Objectives of the EU’s Cybersecurity Package

The Commission identifies five specific objectives in the impact assessment, focusing on stronger coordination, improved certification, simplified compliance, and more secure ICT supply chains:

  • Strengthening EU cybersecurity coordination: improving operational cooperation between Member States and ensuring EU cybersecurity policies can be implemented more effectively.
  • Supporting governments and industry: developing mechanisms that better support Member States, businesses, and other stakeholders facing evolving cyber threats.
  • Improving cybersecurity certification: expanding and modernising the ECCF to enable faster development and uptake of certification schemes.
  • Simplifying regulatory compliance: reducing fragmentation across horizontal and sector-specific cybersecurity rules to make compliance clearer and more coherent.
  • Securing ICT supply chains: addressing risks linked to high-risk suppliers and reducing strategic dependencies in critical digital infrastructure.

A key goal of the cybersecurity package is to reduce regulatory complexity for organisations operating under multiple EU cyber laws. The Commission’s assessment recognises that overlapping requirements across different frameworks can make compliance difficult and costly for both businesses and public authorities.

Together, these objectives aim to create a more coordinated, resilient, and predictable cybersecurity framework across the EU.

What This Means for Security Leaders

For security leaders, the EU’s cybersecurity package signals continued consolidation of the EU’s cyber regulatory framework rather than the introduction of entirely new obligations.

First, the proposed expansion of the ECCF may increase the role of certification when evaluating ICT products and services. Over time, certification schemes could become a more common benchmark in procurement decisions, particularly for organisations operating critical infrastructure or regulated services.

Second, the package reinforces the EU’s growing focus on ICT supply chain security. With certification and regulatory frameworks increasingly linked, CISOs may need to place greater emphasis on vendor risk management and supplier assurance.

Third, the reforms aim to simplify how organisations navigate overlapping EU cybersecurity rules, including NIS2 and other sector-specific legislation. If implemented as intended, this could reduce regulatory fragmentation and create clearer compliance pathways for organisations operating across multiple Member States.

Finally, the strengthening of ENISA’s operational role suggests the EU is continuing to build more coordinated responses to large-scale cyber incidents across the bloc.

Taken together, the package signals the EU’s continued shift toward a more integrated cybersecurity governance model, where certification, regulation, and operational coordination increasingly work as part of a single framework.

Smarttech247 Research Team

Insights and Intelligence

Our content team turns real-world cybersecurity operations into clear, practical insight. We work directly with service delivery, threat intelligence, and incident response teams to ensure accuracy and credibility. We focus on resilience over fear, explaining how organisations reduce risk, detect threats faster, and recover confidently.
