The European Commission introduced a cybersecurity package on 20 January 2026 aimed at strengthening cyber resilience in industrial environments, including operational technology (OT) and industrial control systems (ICS). The package includes tighter supply-chain security, enhanced incident reporting, and defined compliance pathways for manufacturers and service providers. It comprises a revised Cybersecurity Act (CSA2) and targeted amendments to the NIS2 Directive, seeking to harmonize EU-wide certification, expand the mandate of the European Union Agency for Cybersecurity (ENISA), and enforce more stringent supply-chain and incident response requirements across sectors such as manufacturing, energy, and critical infrastructure services.
Background
The CSA2 proposal would repeal the 2019 Cybersecurity Act and overhaul the European Cybersecurity Certification Framework (ECCF) to ease compliance. It introduces "cyber posture certification," allowing entities under NIS2 to demonstrate multi-framework compliance with a single certificate. The proposal also strengthens security measures for the information and communications technology (ICT) supply chain and authorizes ENISA to coordinate incident response and lead standards development at the EU level. NIS2 amendments broaden the directive's scope, emphasize management accountability, and require quicker incident reporting and improved supply-chain diligence for critical and important entities. Member states will have one year to implement NIS2 changes once adopted. The Commission estimates political agreement could be reached by early 2027.[1]
[1] New EU cybersecurity package: What the proposed reforms mean for companies operating in the EU
Details
CSA2 is structured around four pillars: an expanded ENISA mandate, a reformed ECCF, enhanced ICT supply-chain controls, and streamlined EU-wide compliance through certification. ENISA's role would grow to include coordination of cross-border supervisory actions and development of sector-specific cybersecurity tools and standards, including those for manufacturing. The reworked ECCF is designed to accelerate certification scheme development and minimize overlap between frameworks such as NIS2, the Cyber Resilience Act (CRA), and the Digital Operational Resilience Act (DORA). Achieving ECCF certification would provide evidence of compliance across multiple regulatory regimes.[2]
[2] The EU Cybersecurity Package 2026: the next chapter on the horizon | Stibbe
The revised NIS2 framework requires entities operating OT/ICS environments, such as production sites, utilities, and critical suppliers, to implement structured risk management, governance accountability, and supply-chain evaluation, and to maintain rapid incident detection and reporting. Key provisions include expanded sector coverage, executive accountability, and harmonized sanctions across member states.[3]
[3] IT Regulations: Which IT laws should you be aware of in 2026? | it-sa
Industry associations, including CECIMO, have called for clearer alignment of OT-focused cybersecurity regulations and suggest that ENISA be authorized to engage directly with sectors to support tailored standardization for the machine tool industry.[4]
[4] CECIMO's position
In Germany, the NIS2 Implementation Act entered into effect in December 2025, requiring "important" or "particularly important" entities to register with the Federal Office for Information Security (BSI). By the 6 March 2026 deadline, around 11,500 organizations had registered, with BSI expecting additional registrations among the estimated 29,850 affected entities.[5]
[5] NIS-2-Richtlinie
Outlook
The timeline anticipates political agreement by early 2027. Following adoption, CSA2 will apply directly across the EU, and member states will have one year to implement NIS2 amendments into national law. This staged rollout will result in a multi-year transition period as manufacturers, system integrators, and suppliers invest in certification, secure remote access, continuous monitoring, and air-gapped protections to comply with evolving regulatory requirements.
