
Cybersecurity turning point in the EU: a new legislative “shield” against digital attacks

The European Commission, in a press release issued on 20 January 2026, announced a new cybersecurity legislative package aimed at enhancing the EU’s resilience in the face of continuously intensifying cyberattacks.

The primary objective of the proposed legislative package is to strengthen EU-level cybersecurity law in the area of ICT (information and communication technology) supply chains, ensuring that products and services placed on the European market are designed and certified in accordance with the “cyber-secure by design” principle. From a legal perspective, this also means that Member States will be required to incorporate binding cybersecurity requirements into their national legal systems. These requirements will not merely constitute recommendations, but enforceable legal standards applicable to operators of critical infrastructure and service providers.

The new legal measures aim to establish a uniform, risk-based regulatory framework at the international level, enabling the EU to address cyberattacks in a coordinated manner at the national level and to respond more rapidly in the event of cyber crises. A cornerstone of the legal reforms is the simplification and strengthening of the EU-level certification framework, which is intended to reduce compliance burdens while ensuring that ICT products meet the highest cybersecurity standards.

EU legislators also seek to ensure that Member States share information on cyber threats more effectively and coordinate their response efforts. In part, this entails a closer cooperation framework for existing national cybersecurity authorities, including the faster reporting and handling of incidents vis-à-vis EU-level bodies. The Commission’s main objective with the legislative package is to make cybersecurity an integral part of the European legal order, establishing obligations and standards for Member States and economic operators.