The European Commission proposed a sweeping package of cybersecurity measures on February 23, 2026, aiming to bolster the EU’s cyber resilience and secure information and communication technology (ICT) supply chains. The proposals, which include a revised Cybersecurity Act, come amid growing concerns about the escalating frequency and sophistication of cyberattacks targeting European infrastructure and institutions.
The proposed revisions to the Cybersecurity Act seek to address vulnerabilities across the digital ecosystem, from software and hardware to services and supply chains. A key component focuses on establishing common cybersecurity standards for all digital products sold within the EU, effectively creating a baseline level of security for consumers and businesses. This includes requirements for manufacturers to proactively address security risks throughout the product lifecycle, and to provide timely security updates.
The move reflects a growing acknowledgement within the EU that traditional cybersecurity approaches are insufficient to counter the evolving threat landscape. “We’re losing massively,” Margrethe Vestager, the EU’s commissioner for digital and industry, stated in a recent interview, highlighting the significant gap between the EU’s defensive capabilities and the offensive capabilities of state-sponsored and criminal actors. The Commission’s proposals aim to close this gap by fostering greater collaboration between member states, promoting the development of advanced cybersecurity technologies, and strengthening the EU’s ability to respond to and recover from cyber incidents.
The package also addresses the critical issue of ICT supply chain security. Recognizing the potential for malicious actors to compromise digital products and services through vulnerabilities in the supply chain, the Commission proposes measures to assess and mitigate these risks. This includes enhanced scrutiny of suppliers, requirements for greater transparency, and the development of mechanisms to ensure the integrity of critical components.
However, experts caution that technical measures alone are not enough to deter cyberattacks. A recent analysis published by The National Interest argues that Europe faces an “escalation dilemma” in the cyber domain, where the threat of retaliation may not be sufficient to deter aggressive actors. The report suggests that a more comprehensive approach is needed, one that combines robust defenses with credible offensive capabilities and a clear articulation of red lines.
ENISA, the EU Agency for Cybersecurity, recently updated its international strategy to empower the EU cybersecurity ecosystem. This strategy emphasizes the importance of international cooperation in addressing cyber threats, and calls for closer collaboration with partner countries to share information, develop common standards, and coordinate responses to cyber incidents. The strategy also aims to strengthen the EU’s role as a global leader in cybersecurity.
Despite the Commission’s efforts, significant challenges remain. The implementation of the new regulations will require substantial investment from both the public and private sectors. The effectiveness of the measures will depend on the willingness of member states to cooperate and enforce the rules consistently. The proposals are now subject to review by the European Parliament and the Council of the European Union, a process that is expected to take several months. No timeline for a final vote has been announced.