New proposals for a Cybersecurity Act 2 and an amended NIS2 Directive: what changes and impacts for your company?

Published on 26/02/26 by Arnaud Martin
On 20 January 2026, the European Commission published a cybersecurity package proposal with a view to further strengthening cybersecurity in Europe while making the rules simpler and more harmonised. It involves new proposals to revise the Cybersecurity Act (CSA2) and to amend the NIS2 Directive. The aim is to reduce duplication of effort for businesses, provide faster and better protection against cyber threats, and increase security in the supply chain for ICT products and services.

Context of the proposals

According to the explanatory memorandum of the CSA2 proposal, it aims to tackle:

  1. The misalignment between the EU cybersecurity policy framework and stakeholders’ needs in an increasingly hostile threat landscape;
  2. The stalled implementation of the European cybersecurity certification framework (ECCF);
  3. The complexity and diversity of the cybersecurity-related policies impacting the Union’s cyber posture;
  4. Increasing ICT supply chains security risks.

Besides the existing chapters on the role of the European Union Agency for Cybersecurity (ENISA) (Title II) and the functioning of the European cybersecurity certification framework (Title III), it now contains a new and unexpected chapter on the security of ICT supply chains (Title IV), including prohibitions and removals of ICT components of high-risk suppliers from the key ICT assets of NIS2 entities. It also requests the development of cyber posture certification schemes for NIS2 presumption of conformity.

Alongside the awaited CSA2, the publication of an amendment of the NIS2 Directive came as a surprise, likely the result of the calls to reduce the NIS2 administrative burden made by European associations like DigitalEurope and Orgalim, where Agoria is (very) active.

According to its explanatory memorandum, the targeted amendments to the NIS2 Directive aim to simplify compliance with, and ensure streamlined and coherent implementation of, specific aspects of the cybersecurity framework.

Among others, the amended NIS2 proposal modifies the scope and the size cap for essential entities, prevents Member States from imposing national cybersecurity measures beyond an implementing act, allows them to require mandatory cyber posture certification schemes, and adds ransomware data collection in case of significant incidents.

Please find the following documents (in English) with a more detailed overview of the new aspects of each proposal and Agoria's opinion:

You can also consult the full text of the CSA2 proposal and the NIS2 amendments proposal

Next Steps

The proposals are open for public feedback until 22 April 2026. The proposals are going to the European Parliament and Council for intra-institutional negotiations, before the trilogues, expected throughout 2026. There may still be significant changes to details, timing and implementation, so it is important to express your improvement suggestions at this very moment.

It is also important to note that the negotiations on the CSA2 and the targeted amendments to the NIS2 Directive will run in parallel with the negotiations on the Digital Omnibuses.

Request for feedback and more information in dedicated webinars

To support future discussion on the topic of the cybersecurity package proposal, your comments, positions and opinions will be valuable. Members are invited to send their comments or ask questions on the proposals by contacting Arnaud Martin, and/or by attending one of the two dedicated webinars, as follows:

  • On the morning of 4 March, as part of the meeting of the Agoria working group cybersecurity regulations (which can be attended fully or partially). The presentation on the CSA2 and amended NIS2 proposals is expected to start at 11:20 and close at 12:00-12:15. Full program and registration link.
  • A webinar fully dedicated to this topic will be organised on Tuesday 10 March at 10:00, with the aim of learning about the proposals in detail, gathering more feedback and considering the next steps. Participants of the working group cybersecurity regulations have already received the online invitation. Full program and registration link.

Any questions on these proposals or on any other cybersecurity regulations or standards can be directed to Arnaud Martin.
