On January 20th, the European Commission presented the new cybersecurity package. The package featured a proposal for a revision of the cybersecurity act (CSA 2) which regulates the functioning of the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework and ICT supply chain security.
The CSA 2 proposal aims at strengthening the resilience of ICT supply chains in the European Union through the establishment of a risk-based framework aimed at addressing risks posed by high-risk third country suppliers. At the same time, the text seeks to fortify the European Cybersecurity Certification Framework by facilitating the demonstration of compliance by businesses.
Furthermore, the proposal envisions creating a centralised single-entry point for incident reporting while ENISA is provided with an amplified mandate to monitor threats, issue early warnings and support incident response.
On the same day, the Commission issued a proposal for targeted amendments to the NIS 2 Directive which aim at simplifying compliance, especially for SMEs. Through the introduction of a new category of “small mid-cap enterprises”, the amendments should reduce compliance costs for 22,500 out of 28,700 companies that are subject to NIS 2.
