Europe's Cybersecurity Landscape Is Shifting — Five Developments You Cannot Afford to Miss
Regulation Is Moving. Enforcement Is Coming. Is Your Business Ready?
If you follow EU cybersecurity regulation — or if you run a business that falls under it — the past few months have been unusually eventful. The European Commission has proposed the most significant overhaul of its cybersecurity framework since NIS2 itself. ENISA has published hard data on where the industry is genuinely struggling. And across the EU, the long-delayed enforcement machine is finally moving.
This article covers five developments that, taken together, tell a coherent story: Europe is raising the bar again, the talent to meet that bar is scarce, and the window for ‘wait and see’ is closing.
1. The EU’s New Cybersecurity Package: A Regulatory Upgrade Nobody Saw Coming
On 20 January 2026, the European Commission proposed a comprehensive new cybersecurity package — a revision of the 2019 Cybersecurity Act, paired with targeted amendments to NIS2 itself. This is not a minor update.
The proposal introduces a horizontal framework for trusted ICT supply chain security — the first of its kind in EU law. It would allow the Commission and Member States to act jointly against ‘non-technical risks’ in ICT supply chains: in plain terms, the ability to restrict suppliers from third countries that pose a strategic cybersecurity threat.
For the first time, the EU is treating supply chain security not just as a technical problem — but as a geopolitical one.
Beyond supply chain, the package significantly expands and simplifies the European Cybersecurity Certification Framework (ECCF). Organisations would be able to use certification to demonstrate compliance and obtain a presumption of conformity with NIS2 — a major simplification for entities already overwhelmed by audit requirements.
ENISA gets a budget increase of more than 75% and takes on new operational roles: managing EU-wide vulnerability databases, issuing early warnings, coordinating cybersecurity exercises, and operating a unified incident notification platform.
The package is now under negotiation, with political agreement expected later in 2026. Any adopted measures would be phased in over several years. But the direction is clear: the EU is building a more centralised, more aggressive cybersecurity architecture.
Source: Mayer Brown – European Commission Proposes Major Cybersecurity Package (February 2026)
2. ENISA’s NIS Investments 2025: The Talent Crisis Is Now Structural
ENISA’s 6th annual NIS Investments report, published in December 2025, contains data that every CISO, policymaker, and business owner should read carefully. It surveyed 1,080 security professionals across all 27 Member States, and the picture it draws is one of a sector under serious strain.
The headline finding is a pivot from people to technology. Overall cybersecurity budgets have stabilised at around 9% of IT spending — roughly €1.5 million median across surveyed entities. But within those flat budgets, organisations are moving resources away from hiring and towards technology platforms and managed services. The reason is not strategic preference — it is necessity.
The talent gap has become a structural problem. 76% of organisations reported difficulty attracting cybersecurity professionals, and 71% struggle to retain them. Across the EU, the shortage is estimated at nearly 300,000 professionals. For SMEs, the numbers are starker: 59% struggle to fill cybersecurity roles.
The talent shortage is not a pipeline problem anymore. It is a structural constraint that is reshaping how organisations defend themselves — and not always for the better.
Regulatory compliance — primarily NIS2, DORA, and the CRA — is the main investment driver for 70% of organisations. This is generating real operational value: 41% credit compliance-driven investments with improving risk management, 35% with faster incident detection. Policy is working. But implementation is not keeping up.
Half of all organisations cited vulnerability and patch management as their top NIS2 implementation challenge. Nearly one in three had not conducted a cybersecurity assessment in the past 12 months. And 28% take more than three months to patch critical vulnerabilities.
The most concerning forward-looking finding: supply-chain and third-party compromises are the second highest concern for the future (47%), and SMEs — the very organisations most likely to be the entry point — report the lowest confidence in their ability to withstand a cyber incident.
Source: ENISA – NIS Investments 2025 Main Report
Source: ENISA – What’s Driving Cybersecurity Investments and Where Lie the Challenges
3. NIS2 Transposition: 20 Member States Down, the Rest Moving Fast
The original NIS2 transposition deadline was October 2024. Most Member States missed it. Many organisations took this as a signal that enforcement was distant — a reasonable read at the time, but an increasingly dangerous one now.
As of January 2026, over 20 of the 27 EU Member States have formally completed NIS2 transposition into national law. Germany, Portugal, and Austria finalised their legislation in late 2025. Spain, France, and Poland are in the final stages. Ireland remains at an earlier stage, but even there, the legislative process is underway.
The pressure is coming from above. In May 2025, the European Commission issued reasoned opinions — formal legal warnings — to 19 Member States for failing to notify full transposition. The next step would have been referral to the Court of Justice of the EU. The message was received.
One important nuance: national implementations vary. Some countries, including Italy and Slovenia, have extended the list of regulated sectors beyond the EU Directive’s baseline. Belgium has introduced enhanced board-level governance obligations. Others have aligned liability provisions with existing national civil law frameworks. If you operate across multiple EU jurisdictions, you need country-specific analysis — not just the Directive itself.
Enforcement activity is expected to accelerate through 2026 as national supervisory frameworks, registration systems, and entity designations fall into place. There are no major public enforcement actions under NIS2 yet — but that is a function of timing, not intent.
Source: Wavestone – NIS 2 Directive: Transposition Status and What Companies Must Do (January 2026)
Source: Goodwin – Navigating NIS2: What Organisations Need to Know as EU Implementation Unfolds
4. The Cyber Resilience Act: The Clock Is Running
While most attention is focused on NIS2, a second major piece of EU cybersecurity legislation is quietly advancing toward enforcement. The Cyber Resilience Act (CRA) entered into force in December 2024 and begins applying in full from September 2026.
From 11 September 2026, the CRA imposes mandatory reporting requirements for actively exploited vulnerabilities and serious cybersecurity incidents for any product with digital elements placed on the EU market — regardless of where it was designed or manufactured.
Who does this affect? Any organisation that develops or sells software, hardware, or connected products in the EU. This includes manufacturers, ISVs, and device makers across every sector. The CRA is, in scope terms, far broader than NIS2.
The European Commission is currently finalising guidance to help manufacturers and developers meet CRA requirements, with a public consultation on that guidance still ongoing. In parallel, the EU is developing conformity assessment frameworks and certification schemes tied to CRA obligations.
For SMEs that develop or sell digital products, the CRA represents a compliance challenge with a firm deadline. Unlike NIS2 — where timing varied by Member State — the CRA applies at EU level with a single, fixed date.
Source: European Parliament – EU Cybersecurity Act revision (January 2026)
Source: Inside Privacy – What to Watch in 2026: Key EU Privacy & Cybersecurity Developments
5. SMEs: Still the Weakest Link — and Now the Most Targeted
Running through all four of the above stories is a common thread: SMEs are simultaneously the most exposed, the least prepared, and the most consequential element of the EU’s cybersecurity architecture.
The ENISA NIS Investments 2025 data is unambiguous on this point. SMEs consistently report the lowest confidence in their ability to prepare for, withstand, and recover from cyber incidents — across every threat category. They face the same compliance requirements as larger entities, with a fraction of the resources.
The supply chain dynamic makes this urgent. Large enterprises — the ones that are well-resourced and well-audited — increasingly depend on SME suppliers, integrators, and service providers. Attackers know this. Supply-chain and third-party compromises are now the second most feared future threat among EU organisations, at 47%.
The cybersecurity of the EU’s critical sectors is only as strong as the SMEs that sit in their supply chains. And right now, that chain has serious weak links.
The regulatory answer to this problem is clear in intent but imperfect in execution. NIS2 imposes supply chain risk management obligations on essential and important entities — meaning those larger organisations are now required to assess the security posture of their suppliers. This creates both pressure and opportunity for SMEs: pressure to demonstrate compliance, and opportunity to differentiate on security credentials.
What SMEs need most, according to the ENISA data, is accessible guidance, affordable tooling (including managed and cloud services), and practical skills development. The framework exists. The implementation support remains uneven.
Source: ENISA – NIS Investments 2025
What This Means in Practice
These five developments are not isolated news items. They form a coherent regulatory and operational picture:
1. The EU is building a more centralised, more prescriptive cybersecurity framework — and it is moving faster than most organisations realise.
2. The talent and resource constraints are real, structural, and not going away — which makes the quality of your process and documentation more important, not less.
3. Enforcement is arriving market by market, with national supervisory authorities now actively building their frameworks.
4. If you are an SME — whether in scope directly or as part of a supply chain — the time to prepare is before your national authority comes looking, not after.
If you want to understand what compliance actually looks like for a small or medium-sized business — without the jargon and without assuming you have a security team — that is exactly what I wrote NIS2 Practical Compliance for SMEs to address.
Available on Amazon: amazon.com/dp/B0GRQVQG8C
About the Author
Angelos Varthalitis is a CISO with over 20 years of cybersecurity experience, running avsecadvisory and writing at varthalitis.eu. His work focuses on EU regulatory compliance for SMEs and non-technical decision-makers.