Saturday, January 17, 2026
GCN

Five-year review of the EU Cybersecurity Act heads toward a mid-January 2026 revision

by Kyle L.
January 17, 2026
in Cybersecurity

Credits: Lewis Kang, Ethe Ngugi

Five years after its landmark Cybersecurity Act entered into force, the European Union plans to update it. The EU will start reviewing the Act in January 2026. The review is meant to address new challenges in digital security and enhance Europe’s resilience to rising cyber threats.

The key areas the review will focus on

To address new digital security challenges and improve the effectiveness of Europe’s cyber resilience, the review is going to concentrate on three key areas:

  1. Improving the certification scheme for digital products and services.
  2. Strengthening the role of the EU Agency for Cybersecurity (ENISA).
  3. Updating the Cybersecurity Act in line with recent technological developments.

The Cybersecurity Act was approved in 2019. It sets the legal basis for EU-wide certification of digital products and services and permanently established ENISA.

The main purpose of the Cybersecurity Act is to increase confidence in digital products and services by applying common security criteria that establish a common level of assurance. Since then, technological development has accelerated significantly, for example in artificial intelligence, cloud computing, and IoT. This has created additional potential risks for digital products and services placed on the market, which the original Cybersecurity Act did not sufficiently anticipate.

The relevance of the Cybersecurity Act in 2026

Cyber-attacks are also becoming more complex and widespread, affecting many types of targets, including critical infrastructures, private companies, and public bodies. The review of the Cybersecurity Act therefore aims to ensure that the Act remains relevant in this context.

Main aspects of the Review

The next review of the Cybersecurity Act is likely to include several of the following main elements:

  • Broadening of certification schemes: The EU intends to extend the scope of certification to new technologies like AI systems and connected devices, to enable them to be put on the market after having met rigorous security requirements.
  • More power for ENISA: ENISA is planned to receive additional resources and authority to lead EU Member States’ cybersecurity activities, to support Member States’ incident response, and to provide them with threat information.
  • Compatibility with other regulations: After the review, the Cybersecurity Act must be compatible with recently adopted EU regulations on digital services and on artificial intelligence, so as to create a harmonized framework of regulation for digital security in Europe.
  • Help for SMEs: Many small and medium-sized enterprises find it difficult to fulfill cybersecurity requirements. The review may therefore also consider ways of making compliance easier and cheaper for those companies.

How to achieve a balance between innovation and security

As outlined in the EPRS Brief, an important question in the review process will be how to achieve a balance between innovation and security. On the one hand, overly restrictive rules could hamper innovation, while too lax security standards would open up systems to potential vulnerabilities. To this end, the EU plans to develop flexible certification schemes that adapt to different risk levels.

The European Commission will submit its proposals to the European Parliament and Council in mid-January. A period of negotiation in the European Parliament and Council will follow, possibly lasting a few months, after which the new regulations should enter into force in the second half of 2026 at the latest.

Businesses can expect clearer regulations and greater encouragement to invest in cybersecurity when the Act is revised. Companies whose products have been certified will benefit from increased competitiveness, as customers become increasingly demanding of safe solutions. Consumers can expect higher trust in digital services and greater protection against data breaches and cybercrime.

© 2025 by GCN
