The European Commission published a Cybersecurity Act Review package on 20 January 2026, including two specific proposals: a Regulation revising the Cybersecurity Act, and a Directive with targeted amendments to the NIS2 Directive (EU) 2022/2555.
Key elements of the proposals
1. Trusted EU ICT supply chain framework
The proposal introduces a new Union-level trusted ICT supply chain security framework designed to reduce cybersecurity risks in ICT supply chains, particularly those linked to non-technical risks and dependencies involving third-country suppliers. The framework aims to identify key ICT assets in the EU, suppliers presenting elevated risks, and third countries posing serious cybersecurity concerns. Where such risks are identified, the framework would enable the adoption of mitigation measures applicable to the entities concerned.
2. Strengthened role for the European Union Agency for Cybersecurity (ENISA)
The proposal aims to strengthen ENISA's role in supporting the effective implementation of EU cybersecurity policy and in enhancing operational cooperation between Member States. To this end, ENISA's mandate is reinforced with a range of new and expanded tasks. In parallel, the proposal revises ENISA's governance and resources to ensure they align with these expanded responsibilities.
3. European cybersecurity certification
Through a renewed European Cybersecurity Certification Framework, the revised Cybersecurity Act aims to ensure a high level of cybersecurity for products, services, processes, managed security services and the cyber posture of entities. The proposed changes aim to make certification more efficient and accessible, notably by streamlining the development of certification schemes and clarifying roles within the governance structure, whilst preserving the voluntary nature of certification. The renewed framework is intended to provide businesses with practical tools to demonstrate compliance with EU cybersecurity requirements in a timely manner, thereby reducing administrative burden and costs.
4. Targeted simplifications to NIS2
The accompanying Directive introduces targeted amendments to the NIS2 Directive designed to simplify compliance with EU cybersecurity requirements and increase legal clarity. The proposed changes are designed to ease the application of NIS2 obligations for entities concerned, notably by clarifying scope and reducing unnecessary regulatory complexity, whilst complementing the Single-Entry Point for incident reporting as proposed in the Digital Omnibus.
Next steps
The CSA Review package will now enter the EU legislative process and be considered by the European Parliament and the Council. This process is expected to take time given the sensitive nature of the proposed elements.
The Centre for Cybersecurity Belgium will continue to follow developments and contribute to Belgium's position in the Council discussions, ensuring that the outcome reflects Belgium's cybersecurity priorities.
The CCB wants to hear your opinion on the simplification process with regard to cybersecurity!
All Belgian entities and citizens are welcome and invited to provide their opinion on the single entry point proposal on the CCB website, other cybersecurity relevant provisions in the digital package and the Cybersecurity Act Review package, and of course all other possible simplification solutions. By sharing your views, you will actively contribute to shaping Belgium's position in these European discussions.