On the morning of January 20, 2026, Brussels hosted a high‑profile press briefing as the European Commission rolled out its most ambitious cybersecurity package to date. The proposal—dubbed the EU Cybersecurity Act 2.0—introduces a new legal framework designed to strengthen digital resilience across the Union.

Key Provisions

The act establishes mandatory risk‑management standards for all organisations operating in the EU, irrespective of size. It also expands the scope of critical infrastructure protection to include emerging technologies such as 5G networks, AI systems and quantum computing facilities.

“The new framework will compel every business to adopt a cyber‑risk culture that protects our citizens and economies,” said Commissioner for Digital Affairs, Lena Schmidt.

Certification and Compliance

Under the law, vendors of software and hardware products that impact critical services must obtain EU Cybersecurity Certification (EUCS). The certification process will be overseen by a newly created European Cybersecurity Authority, which will also issue penalties for non‑compliance.

“We are setting the bar higher to ensure that every product entering the market has been rigorously tested against cyber threats,” explained Dr. Anil Gupta, head of the Commission’s Digital Security Unit.

Implications for Businesses

Small and medium enterprises (SMEs) will face new obligations, including regular vulnerability assessments and incident‑reporting protocols. However, the Commission has pledged a €3 billion fund to support SMEs in upgrading their cyber defences.

International Context

The act follows similar moves by the United States and Japan, positioning the EU as a global leader in digital security standards. Analysts predict that companies operating across borders will need to align with these regulations or face costly sanctions.