On 20 January 2026, the European Commission tabled COM(2026) 11 — a proposal to repeal Regulation (EU) 2019/881 and replace it with what officials and law firms have already started calling the Cybersecurity Act 2.0 (CSA2). It arrived alongside COM(2026) 13, a directive amending NIS2, and together they represent the most consequential rewrite of EU cybersecurity law since the original Cybersecurity Act took effect in 2019. The headline number for ENISA — an 81.5% budget increase to roughly €341 million for the 2028–2034 period — only hints at what the proposal actually does. The agency is being repositioned from a coordination and certification body into the EU’s operational cybersecurity centre.
This article breaks down what CSA2 contains, what concretely changes for ENISA’s mandate, staffing, and powers, and where the proposal is likely to encounter friction as it moves through the Parliament and Council.
Why the 2019 Cybersecurity Act Needed Replacing
The original Cybersecurity Act gave ENISA a permanent mandate and built the European Cybersecurity Certification Framework (ECCF) on top of it. Seven years on, both pillars have visibly strained. A Commission-funded evaluation published in January 2026 found that ENISA’s mandate had grown faster than its powers or headcount, leaving the agency stuck in advisory mode while Member States expected operational delivery. ENISA still operates with fewer than 200 staff, despite picking up duties under the Cyber Resilience Act, the Cyber Solidarity Act, the Digital Operational Resilience Act, and the Cybersecurity Skills Academy.
The certification side has stalled even more visibly. The first scheme — EUCC, based on Common Criteria — was only adopted in 2024. The cloud scheme EUCS has been deadlocked since 2020 over sovereignty and data-localisation requirements, and the 5G scheme EU5G has not formally resumed. The European Digital Identity Wallet scheme (EUID) and the managed security services scheme (EUMSS) remain in development. CSA2 is the Commission’s attempt to unblock all of this at once, while bolting on something the 2019 Act never contained: a horizontal framework for ICT supply chain security with explicit power to exclude high-risk suppliers.
The Three Pillars of CSA2
The proposed regulation restructures EU cybersecurity law around three pillars, each addressing a distinct gap the 2019 framework left open.
The first pillar rewrites ENISA’s institutional role. The second modernises a certification process that everyone agrees is too slow. The third — the supply chain framework — is the genuinely new addition, and the politically loudest one.
What Changes for ENISA: Mandate, Money, and Headcount
ENISA gains a dense list of new operational tasks. Article 11 and Article 12 of the proposal task the agency with maintaining EU-level threat and incident repositories and issuing EU-wide early warnings — both functions that previously sat awkwardly across the CSIRTs Network, EU-CyCLONe, and national agencies. Article 13 gives ENISA formal responsibility for operating the EU Cybersecurity Reserve, the pool of incident-response providers established under the Cyber Solidarity Act, plus a new ransomware helpdesk run jointly with Europol and CSIRTs. Article 15 hands the agency the single cybersecurity reporting platform introduced by the Digital Omnibus — a one-window endpoint that consolidates reporting obligations under NIS2, the Cyber Resilience Act, DORA, and other instruments.
The agency also takes on a much more assertive role in standardisation. CSA2 explicitly authorises ENISA to draft technical specifications where harmonised European standards are absent, and to support the Commission in assessing standards under the European Standardisation Regulation. This matters because the Cyber Resilience Act and the European Digital Identity framework both depend on harmonised standards that don’t yet exist.
The resourcing follows the mandate. The Commission proposes increasing ENISA’s budget by more than 75%, with a GLOBSEC analysis of the impact assessment putting the figure at roughly €341 million over 2028–2034 — an 81.5% rise on the 2025 baseline of €26.9 million annually. Headcount rises to approximately 118 full-time equivalents from the current sub-200 footprint. Each Member State must designate two liaison officers to ENISA, formalising what was previously the National Liaison Officers Network as a structurally embedded coordination layer.
The increase is substantial in percentage terms but modest against the scale of the new tasks. ENISA’s existing portfolio under the Cyber Resilience Act alone — operating the single reporting platform, maintaining the European Vulnerability Database, supporting conformity assessment — already pushes against current capacity. The €36 million three-year contribution agreement signed in 2025 to operate the EU Cybersecurity Reserve was a stopgap. CSA2 is supposed to make these arrangements permanent.
ENISA’s New Operational Functions: A Reference
Because the proposal scatters ENISA’s new responsibilities across a dozen articles, it helps to consolidate them in one place. The following maps the principal new or upgraded functions to their article references in COM(2026) 11.
The Article 37a addition under the NIS2 amendments is worth flagging separately. It formalises ENISA’s role in mutual assistance between national competent authorities — the agency must analyse cross-border risks, recommend joint examination teams, and participate in joint supervisory actions on request. This addresses a recurring complaint that supervision of pan-European entities has been inconsistent and dependent on bilateral goodwill between national regulators.
Certification: The 12-Month Clock and a Wider Net
The certification reforms are aimed at the EUCS pile-up. CSA2 sets a default 12-month deadline for ENISA to deliver a candidate scheme after a Commission request. Schemes must be reviewed at least every four years, with mandatory maintenance strategies. The Commission gains explicit power to revise or withdraw outdated schemes.
The scope of certification expands as well. Beyond ICT products, services, and processes, CSA2 permits certification of managed security services and — newly — the cyber posture of entities themselves. An entity-level certificate would carry a presumption of conformity with NIS2 risk-management obligations, turning certification into a practical compliance instrument rather than a pure marketing signal. Member States lose the ability to add national certification requirements where an EU scheme already covers the topic, which is intended to prevent the kind of fragmented national rule-making that has historically undermined the single market.
Whether this unblocks EUCS is a different question. The cloud scheme deadlock is fundamentally about sovereignty — whether non-EU cloud providers should face stricter data-localisation and ownership-control requirements at higher assurance levels. CSA2 introduces clearer procedure but does not pre-empt that political question. The Commission’s Q&A confirms that work on EUCS and EU5G is “expected to resume” without committing to a substantive resolution.
The Supply Chain Pillar: High-Risk Suppliers and Third Countries
The most legally novel piece of CSA2 is the trusted ICT supply chain framework — Articles 100 and following. The Commission gains power to identify “key ICT assets” used by essential and important entities under NIS2, then designate high-risk suppliers of those assets and concerning third countries. The criteria mix technical and non-technical factors: the place of establishment, ownership and control structure, and potential influence by third-country governments.
For telecoms, the proposal is sharper: Article 111(1) authorises mandatory phase-out of high-risk suppliers from mobile, fixed, and satellite electronic communications networks. This codifies and expands what the 5G Toolbox tried to achieve through soft coordination since 2020. For other critical sectors, Article 103 allows the Commission to impose mitigation measures — transparency requirements, prohibition on data transfers to third countries, audits, contractual restrictions, or supplier diversification — rather than outright bans, but with the option to escalate.
Designation as a high-risk supplier carries downstream consequences. Listed suppliers can be excluded from EU public procurement and from EU funding programmes, which materially shifts the economic risk profile for any non-EU vendor with significant exposure to public-sector contracts. The framework is explicit that economic security and systemic dependency, not just technical risk, are now in scope of EU cybersecurity law.
NIS2 Amendments: Smaller Scope Tweaks, Bigger Procedural Shifts
COM(2026) 13 accompanies the regulation with targeted amendments to NIS2. The scope is clarified for several sectors that have caused implementation headaches: electricity producers above 1 MW, hydrogen, healthcare, and chemicals. Digital and business wallet providers, submarine cable operators, and dual-use infrastructure are added regardless of size. Small mid-cap enterprises become “important entities,” while micro and small DNS providers are excluded.
Procedurally, the amendments tighten cross-border supervision via the new Article 37a, mandate harmonised ransomware data collection (detection, attack vector, mitigation, and on request the ransom demand and any payment), and require Member States to include policies for migration to post-quantum cryptography in their national cybersecurity strategies. The post-quantum requirement is the first time PQC migration appears as a mandatory element of national strategy in EU law.
Where the Friction Lies
Three areas are likely to generate the heaviest negotiation in Parliament and Council.
The supply chain framework is the obvious one. Member States with significant trade exposure to specific third countries — Germany on telecoms, the Nordics on cloud — will scrutinise the criteria for high-risk designation closely. Industry groups have signalled support for harmonised criteria but are wary of how rapidly designations could shift. Acquis Legal puts adoption at “late 2026 or in 2027,” suggesting the file will not move quickly.
The EUCS unblocking depends on whether procedural reform translates into political resolution. CSA2’s clearer timelines may simply produce a faster impasse rather than agreement.
The ENISA budget envelope of €341 million over seven years is substantial against the agency’s history but modest against its workload. National cyber agencies in larger Member States already operate at comparable or higher funding levels for narrower mandates. Whether 118 FTE can deliver the operational coordination centre the proposal envisages is an open question, particularly given the EU-wide reach implied by the early-warning and incident-platform functions.
FAQ
When will CSA2 actually apply? The proposal entered the ordinary legislative procedure in early 2026. Adoption is expected in late 2026 or in 2027, with application following a transition period. Until adoption, the 2019 Cybersecurity Act remains in force.
Does CSA2 make certification mandatory? No. Certification remains voluntary at the EU level. It may become de facto mandatory through procurement rules, sector-specific national requirements, or market expectations — particularly where an entity-level certificate offers a presumption of conformity with NIS2.
Does the supply chain framework apply only to telecoms? No. Telecoms face the strictest regime under Article 111, including mandatory phase-out of high-risk suppliers. The broader framework under Article 103 applies across all NIS2 sectors of high criticality and other critical sectors, with mitigation measures rather than outright bans as the default.
What happens to the existing EUCC scheme? EUCC, adopted in 2024 as the first scheme under the 2019 Act, continues to operate. CSA2 introduces mandatory maintenance and four-year review obligations that will apply prospectively to existing and future schemes alike.
What to Watch Next
CSA2 is not a marginal update. It moves ENISA from coordination to operations, gives the Commission explicit power to exclude high-risk suppliers from critical infrastructure, and folds entity-level cybersecurity certification into the EU’s compliance toolkit. Whether the proposal survives the legislative process intact will depend mainly on how Member States balance the supply chain framework’s geopolitical sharpness against trade and industrial sensitivities. For organisations in scope of NIS2, the practical question is shorter: start mapping which ICT assets in your stack would qualify as “key” under Article 100, and which suppliers would carry concentration risk if a high-risk designation landed mid-contract. That assessment is worth doing now, regardless of when adoption arrives.