The original 2019 Cybersecurity Act (CSA) established a voluntary framework for an expanding digital market. By 2026, increased geopolitical complexity will reshape compliance. Cyber attacks now target critical infrastructure and democratic institutions, often through state-sponsored means. The EU’s new Cyber Security Package consists of a Cybersecurity Act 2 (CSA 2) and targeted NIS2 Directive amendments. Together they are the EU’s definitive upgrade to its digital defences. For executives and legal counsel, the five pillars below introduce mandatory resilience and embed geopolitics in technical decision-making.
Geopolitics in law: mandatory de-risking of high-risk suppliers
CSA 2 establishes a three-step process for identifying and mitigating ICT supply chain risks. Security assessment now includes "non-technical risk factors". Article 100 covers the "laws of a third country" that may force a supplier to disclose sensitive data or create backdoors. The de-risking process operates as follows:
- Identification of high-risk third countries: assess foreign interference and structural risks.
- Designation of high-risk suppliers: target specific entities from those countries.
- Sectoral analysis of key ICT assets: identify the components (such as core network functions and radio access networks) that require protection. The impact is most significant for telecommunications.
High-risk suppliers face prohibitions in critical supply chains:
- Provision of core network functions: exclude high-risk suppliers from all mobile, fixed, and satellite core infrastructures.
- Public procurement: bar high-risk suppliers from bidding on contracts involving key ICT assets.
- Conformity assessment: designated high-risk suppliers may not act as Conformity Assessment Bodies; they cannot audit or certify the security of others.
Small mid-caps: regulatory relief for 28,700 entities
The package eases compliance for 28,700 companies, building on exemptions for SMEs under NIS2. The key change is the creation of a "small mid-cap" category, bridging SMEs and large enterprises. Around 22,500 entities are now classified as "important" instead of "essential", reducing supervision and compliance complexity. It remains to be seen if this eases the burden in practice.
Additionally, the amendment exempts 6,200 micro and small enterprises previously subject to regulation, including small DNS providers. This relief ensures the largest critical operators bear the main compliance responsibility, supporting a competitive environment for growing European businesses.
Certification
The original European Cybersecurity Certification Framework (ECCF) suffered delays; the EU Common Criteria (EUCC) scheme, for example, took 57 months to progress from initiation to adoption. CSA 2 addresses this by setting a 12-month default deadline for ENISA to develop candidate certification schemes. Article 24 of the NIS2 amendment introduces the ‘cyber posture’ certification, which acts as a legal shield: competent authorities must not impose additional measures, such as audits or supervision, on entities for requirements already covered by a valid certificate. A single certificate can demonstrate compliance to regulators and business partners across the Union, reducing the cost of compliance.
Ransomware: mandatory payment reporting
Ransomware remains central to cyber crime. The CSA 2 package requires harmonised data collection to reduce the financial incentives for attackers, and the Union mandates transparency when incidents occur. Where a ransom payment is made, and a request for information is issued, detailed reporting is mandatory.
The ‘harvest now, decrypt later’ risk: post-quantum cryptography (PQC)
Legal counsel must now address the strategic risk posed by quantum computing. Adversaries are already stealing encrypted data with the intention of decrypting it once quantum technology matures. Article 7 of the NIS2 amendment makes PQC migration policies a required element of national cyber security strategies. Counsel should treat this as a new standard of due diligence to prevent future liability. The legislation sets clear milestones for the transition:
- By 2030: migration to PQC for all critical use cases.
- By 2035: migration for medium and low-level use cases.
Failing to meet these national deadlines may lead to significant negligence claims as current encryption standards become obsolete.
The price of sovereignty
CSA 2 transforms ENISA from a specialised advisory agency into an operational powerhouse. The agency will coordinate joint examination teams and provide mutual assistance under Article 37a. It receives an 80% budget increase and adds 100 staff members, bringing total personnel to 230 FTEs. This expansion underpins European digital sovereignty. The Union expects streamlined rules to yield €15.3 billion in long-term compliance savings, but the €3–4 billion annual de-risking cost for mobile network operators over a five-year period poses a significant challenge for infrastructure providers. In this environment, business leaders must assess whether these changes represent opportunity or risk.