New Cybersecurity Act: Strengthening Digital Safety, Certification, and Supply Chains

The European Cybersecurity Act 2 (COM 2026 11 final) is a single, comprehensive regulation that:

• Re‑establishes ENISA as the EU’s central agency for cybersecurity, giving it a new legal status, budget, governance and operational powers.
• Creates a European Cybersecurity Certification Framework that allows the Commission to develop, adopt, maintain and review voluntary certification schemes for ICT products, services, processes, managed security services and the cyber‑posture of entities.
• Introduces a European Cybersecurity Skills Framework and individual attestation schemes to standardise and promote cybersecurity skills across the Union.
• Sets out a trusted ICT‑supply‑chain security framework that identifies key ICT assets, high‑risk suppliers and third‑country risks, and prescribes mitigation measures and prohibitions.
• Repeals the previous Cybersecurity Act (Regulation (EU) 2019/881) and replaces it with a single, harmonised legal instrument that covers all of the above.

In short, the Act’s main purpose is to give the EU a unified, modern legal basis for strengthening cybersecurity across the Union – through a re‑structured ENISA, a harmonised certification and skills‑attestation system, and a robust supply‑chain security regime.