On 20 January 2026, the European Commission proposed a new cybersecurity package intended to strengthen EU resilience and capability in response to growing cyber and hybrid threats. The Commission’s Q&A frames the package as a response to daily threats against essential services and democratic institutions, and it explicitly references amendments affecting the NIS2 framework.
The Q&A indicates a policy direction that will be familiar to security leaders: more consistency, clearer baseline measures, and reduced fragmentation across Member States, while attempting to simplify compliance for organisations in scope. The Commission’s accompanying communications emphasise that the shift to digital services increases exposure and therefore requires stronger resilience at EU level.
For organisations, the immediate practical impact is not “new rules tomorrow” but a clear signal: NIS2 alignment and cybersecurity governance are becoming central compliance requirements rather than best-practice aspirations. The direction also strengthens the case for board-level oversight of cyber risk, tighter third-party controls, and demonstrable incident readiness.
Acompli perspective: The gap that repeatedly hurts organisations is evidence. Many can describe their security measures; fewer can show that those measures are implemented consistently, tested, and governed. Cyber compliance is moving toward measurable assurance: documented risk management measures, tracked remediation, incident playbooks, and supplier controls. Maintaining those artefacts as living records, linked to the systems, vendors and risks they cover, reduces friction when regulators, customers, or insurers ask for proof.
