Cybersecurity Act 2
With the European Parliament, which is preparing its first-reading position.
Last active 09 Jun 2026
What this bill does
In plain terms: what it changes and who it affects.
This proposal overhauls EU cybersecurity rules, strengthens ENISA, expands cybersecurity certification, and creates EU-wide controls for risky ICT supply chains.
Who it affects
It affects critical-sector entities, ICT product and service providers, telecom network operators, cybersecurity certification users, cybersecurity workers, and suppliers linked to third countries posing cybersecurity concerns.
Core of the proposal
- Reforms ENISA’s mandate, resources and tasks for policy support, operational cooperation and cyber threat awareness.
- Expands EU cybersecurity certification to products, services, processes, managed security services and entity cyber posture.
- Creates European cybersecurity skills attestations and authorises providers to issue them.
- Allows EU measures restricting high-risk suppliers in key ICT assets and critical ICT supply chains.
Key provisions
- Transitional law
  - Mobile network operators must phase out ICT components from high-risk suppliers in key ICT assets within 36 months of entry into force.
Articles changed · 2 across 2 laws
- Regulation (EU) 2019/881 (32019R0881)
  - entire act: repeals and replaces the entire Cybersecurity Act
- Directive (EU) 2022/2555 (32022L2555)
  - entire act: separate accompanying directive would introduce targeted amendments; no specific articles amended in this proposal text
Latest update
12 Jun 2026
1st reading – European Parliament → 1st reading – European Parliament
Documents
1 recent
Sources: OEIL, EUR-Lex, EU Law Tracker