Last January 20th, 2026, the European Commission proposed a new cybersecurity package with the objective of simplifying compliance with the EU Cybesecurity rules and risk management requirements for companies operating in the EU. This major regulatory change comes after the consultations that took place along 2025 to which contributed 184 individuals.
The package intends to face three main challenges, the ENISA mandate and function, the European Certification Scheme, EUCC, based on the international framework Common Criteria, and the control and management of the ICT Supply Change.
This new cybersecurity regulation intends not only simplifying the cybersecurity criteria to offer a more resilience European Union space but it actually pretends important savings. The application of the new EUCC principles intends to save around 15.3 billion euros for the next five years. The legislative piece is also consistent with the current cybersecurity requirements, making specific reference to the actual cybersecurity framework coming from NIS 2, Critical Entities Resilience Directive (CER), Cyber Resilience Act, EU Cyber Blueprint addressed to manage EU level crisis management, 5G Toolbox, DORA, cross border electricity flows and information security rules for air transport.
