Background and Timeline: The European Commission unveiled a major cybersecurity package on Tuesday, January 20, 2026, aimed at bolstering the EU’s resilience against rising hybrid threats. This proposal marks a significant step in the EU’s strategic agenda for tech sovereignty and economic security. The revised Cybersecurity Act will enter into force alongside amendments to the NIS2 Directive once it receives final approval from the European Parliament.
Modus Operandi: The proposed Act introduces a horizontal framework for “Trusted ICT Supply Chain Security” to address risks linked to third countries with cybersecurity concerns. It enables coordinated Union-level risk assessments to identify systemic weaknesses and allows for the prohibition of ICT components from high-risk suppliers in key assets. The Act also simplifies the European Cybersecurity Certification Framework (ECCF) to ensure that products are “cyber-secure by design” through more efficient testing procedures.
Victims and Financial Impact: While designed as a preventative policy, the Act targets the billions of euros lost annually to supply chain disruptions and foreign interference in critical infrastructure. It specifically mandates the “de-risking” of mobile telecommunications networks from high-risk third-country suppliers to protect national grid integrity. The goal is to provide a higher level of technical assurance for the millions of citizens who rely on interconnected digital services in the Eurozone.
Investigation and Agencies Involved: The EU Agency for Cybersecurity (ENISA) is being significantly reinforced to act as the primary scheme manager for the new certification frameworks. ENISA will also be responsible for issuing early alerts of cyber threats and incidents to support companies in responding to large-scale cross-border attacks. The proposal was introduced by Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security, and Democracy.
Arrests and Suspects: N/A (this is a legislative and regulatory news item). However, the Act strengthens the role of law enforcement by enabling better access to data for judicial authorities during cybercrime investigations. The proposal aims to create a unified legal environment where cross-border criminal entities can no longer exploit fragmented national rules.
Broader Implications and Trends: This shift indicates that the EU is moving away from purely technical standards toward geopolitical risk management in its digital infrastructure. It aligns with the new “Digital Networks Act” (DNA) to incentivize the transition to secure 5G and 6G networks across all member states. Experts suggest this will set a global precedent for how developed economies mitigate “non-technical” structural risks in their ICT supply chains.