Commission presents proposals for new EU cybersecurity rules and Digital Networks Act

Commission presents proposals for new EU cybersecurity rules and Digital Networks Act

The European Commission presented proposals on 20 and 21 January 2026 for new cybersecurity regulation and the Digital Networks Act (DNA). The cybersecurity package includes a proposal to revise the Cybersecurity Act and to amend the cybersecurity regulation known as the Network and Information Systems Directive (NIS2 Directive).

Revision of cybersecurity rules aims to improve EU's cybersecurity

The EU Cybersecurity Act currently sets out the mandate of the European Union Agency for Cybersecurity (ENISA) and establishes the European Cybersecurity Certification Framework (ECCF). The Act entered into force in 2019. The Commission proposes to revise the Act to respond to Europe's increasing exposure to cyber and hybrid threats and to reinforce cybersecurity across the EU.

The revised Act would improve the cybersecurity of products at the design stage, simplify certification and make it easier to comply with cybersecurity rules. The Commission proposes reforms to the EU Cybersecurity Certification Framework (ECCF) to clarify and simplify certification procedures.

Another objective of the Cybersecurity Act is to strenghten the security of the EU's ICT supply chains by setting out a trusted ICT supply chain security framework. Under the proposal, Member States could carry out risk assessments of ICT supply chains and identify key components, risks, vulnerabilities and mitigation measures. High-risk suppliers would face several operational restrictions. For example, their equipment could no longer be used in European mobile networks after a transitional period.

The proposal would also significantly strengthen ENISA's role by expanding its tasks to include operative detection and mitigation of cyber threats. ENISA's enhanced functions would help raise cybersecurity expertise across the EU.

The Commission also proposes targeted amendments to the NIS2 Directive, expanding its scope to include providers of submarine communication cable infrastructure and European digital identity and European Business Wallet services.

Additional clarifications to the NIS2 Directive are proposed for operators in the energy and chemical sectors. In future, European cybersecurity certifications could be used to demonstrate compliance with NIS2 requirements. ENISA would also receive new tasks related to cross-border cooperation between supervisory authorities and to cross-border cybersecurity risks in Member States.

Digital Networks Act would harmonise EU rules on connectivity

With the proposed Digital Networks Act (DNA), the Commission seeks to modernise, simplify and harmonise EU rules on connectivity networks. The Commission aims at creating an effective single market by facilitating cross-border business and reducing the administrative burden on companies.

The proposal would introduce a Single Passport authorisation, allowing telecom operators to notify once in a single Member State in order to provide services across the EU. Providers of satellite communication services would receive an EU-level authorisation, supporting the development of EU-wide satellite services and strengthening Europe's strategic autonomy.

Under the proposal, spectrum licences would be longer in duration and, as a rule, renewable by default, without a new licensing procedure. The use of all available spectrum would also be improved, for example by increasing spectrum sharing.

The proposal includes administrative reforms concerning the Body of European Regulators for Electronic Communications (BEREC), the Radio Spectrum Policy Group (RSPG) and the BEREC secretariat. The authorities would receive new tasks, including drawing up a Union Preparedness Plan for Digital Infrastructures.

The DNA would also encourage the transition to fibre networks by regulating the phase-out of copper networks and further developing market regulation. The proposal includes new resilience measures for European electronic communications networks, as well as provisions on universal service, net neutrality and users' rights.

What's next?

Finland will formulate its national positions on the Commission's proposals for the new cybersecurity rules and the Digital Networks Act. Stakeholders will be consulted as part of this process.

At EU level, Member States and the European Parliament will now develop their own positions on the Commission's proposals.

Inquiries:

Eevi Vuorinen, Senior Officer, tel. +358 295 342 080, [email protected] (cybersecurity regulation)

Mirka Meres-Wuori, Senior Ministerial Adviser, tel. +358 295 342 061, [email protected] (Digital Networks Act)