Digital Explainer – EU & UK changing expectations: what’s new in cybersecurity?

At its core, cybersecurity refers to measures and behaviours that protect the confidentiality and integrity of digital information, and access to the systems on which that information is held, used and shared. Read our overview on it and tips for risk understanding here.

EU Directives and Regulations on cybersecurity

The NIS2 Directive established a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU. It also calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement. NIS2 started coming into force in 2023, but not all EU members have fully complied yet. The EU also has the RCE Directive, a directive on the resilience for critical entities in sectors including energy, transport and health. The Digital Operational Resilience Act (DORA) applies to the financial sector.

What’s the new thinking?

In November 2025, we heard about the EU Digital Omnibus explained here and that was part of a new direction of simplified regulation. On 20 January 2026, the European Commission proposed a new cybersecurity package to ‘further strengthen the EU’s cybersecurity resilience and capabilities in the face of these growing threats.’ The package includes a proposal for a revised Cybersecurity Act, said to enhance the security of the EU’s Information and Communication Technologies (ICT) supply chains. In addition, the Commission proposed targeted amendments to NIS2, with the intent to simplify compliance with EU cybersecurity rules and risk-management requirements for companies.

Digital Omnibus Package and Cybersecurity Act revision

The European Commission’s Digital Omnibus package proposes to streamline incident reporting through a ‘report once, share many’ approach. This would establish a single incident covering the NIS2 Directive, GDPR, eIDAS, DORA and CER Directive, whilst repealing the incident reporting rules under the ePrivacy Directive. The single incident reporting point is expected to apply 18 months after the Digital Omnibus is adopted.

The proposed Cybersecurity Act

The EU says it has two general objectives with its Regulation that it calls a Cybersecurity Act: to increase cybersecurity capabilities and resilience and prevent fragmentation across the single market. It says it will do this by:

• Contributing to strengthening the Union’s cybersecurity governance and helping to ensure that relevant institutions, authorities, and other stakeholders are better prepared to prevent, detect, and respond to cybersecurity threats in a coordinated and effective manner; and
• Supporting the development, implementation, and uptake of common Union cybersecurity instruments, such as certification schemes, and providing harmonised frameworks that build trust and interoperability across Member States.

To help achieve the general objectives, the EU, which refers to this as an intervention, says it will pursue the following specific objectives (SPOs) aimed at addressing the misalignment between the Union cybersecurity policy framework and stakeholders’ needs:

• SPO1: Create capacity effectively to implement Union cybersecurity policies and continuous operational cooperation, enabling more structured cooperation between Member States.
• SPO2: Develop and implement means and mechanisms effectively to support and address the needs of Member States, industry, and other stakeholders, to address the limited uptake and effectiveness of the ECCF.
• SPO3: Create the prerequisites for faster delivery of cybersecurity certification schemes driven by market needs by broadening the scope of the ECCF, ensuring effective maintenance and agile procedures and increasing transparency. It will also address the fragmented compliance landscape and complexity of horizontal and sectoral frameworks.
• SPO4: Create mechanisms and conditions to facilitate compliance with cybersecurity requirements, thereby making their implementation more coherent and effective.
• SPO5: De-risk critical ICT supply chains from entities established in or controlled by entities from third countries posing cybersecurity concerns (high-risk suppliers) and reduce critical dependencies by developing a coherent and effective framework at EU level to address ICT supply chain security risks.

What updates are coming in the UK?

The UK is also planning new laws. Presently, there is a Bill before Parliament that is intended to amend the Network and Information Systems Regulations 2018, about the security and resilience of network and information systems used, or relied on, in connection with the carrying on of essential activities.

The Bill proposes expanding the types of entities caught within the law and increasing the power of enforcement bodies in a number of areas. Areas of focus include:

• Supply chain – similar to EU NIS2. The intention is to cover inter alia data centre service providers and provides a new definition of cloud computing services.
• Future powers – regulators can widen the scope further, enabling them to designate organisations they consider as critical suppliers (CRs) from time to time. These critical suppliers will face similar duties and obligations to other regulated entities.
• Incident reporting – the definition of reportable incidents is broadened to include events having, or capable of having, an adverse effect on the operation or security of network and information systems, thereby capturing incidents that have compromised the integrity or security of a system without causing significant disruption yet. The Bill also contains stricter incident reporting requirements, necessitating an initial notification to be made within 24 hours and a full notification made within 72 hours to the competent authority.
• Penalties and cost recovery – financial penalties for non-compliance are included, plus a cost recovery mechanism. The Bill introduces a penalty, capped at the greater of £10,000,000 or 2% of global turnover. At present, similar examples of non-compliance under NIS could be subject to penalties which do not exceed £1,000,000, or £8,500,000 depending on the enforcement authorities view on materiality. More serious failings can attract the higher maximum amount, which is the greater of £17,000,000 or 4% of global turnover. Regulators can also impose daily fines of up to £100,000 for ongoing contraventions.

If you have questions or concerns about cybersecurity, please contact James Tumbridge and Robert Peake.