EU Commission Press Conference on Cybersecurity Act Update

EU Commission Executive Vice-President Henna Virkkunen delivers a press conference (20 January 2026) on the EU’s Cybersecurity Act and a broader cybersecurity package aimed at strengthening Europe’s cyber resilience and reducing fragmentation across the internal market.

In her opening remarks, Virkkunen describes an increasingly challenging security environment in the cyber domain, highlighting the daily impact of cyber incidents on critical infrastructure and the links between cyber operations and wider hybrid activity. She then outlines the Commission’s proposed updates to EU cybersecurity rules, focusing on stronger implementation, clearer responsibilities, and more practical compliance pathways for businesses.

WHAT’S COVERED IN THIS PRESS CONFERENCE

1. Strengthening EU-level capabilities
Plans to ensure the EU Agency for Cybersecurity (ENISA) is equipped to take on additional tasks and support Member States more effectively.
Measures linked to incident reporting, early alerts, and cooperation with national cybersecurity authorities and CSIRTs.

2. De-risking the ICT supply chain and protecting critical sectors
A risk-based approach to identifying and mitigating cybersecurity risks in key sectors already covered by NIS2 (including critical services such as energy, water, transport, and healthcare).
A push to turn the EU’s 5G cybersecurity toolbox into a more uniform, mandatory approach to avoid market fragmentation and create a level playing field.
Discussion of targeted measures for “high-risk suppliers” and how assessments would guide mitigation steps.

3. Simplification and reduced compliance burden
References to proposals designed to make compliance easier and improve legal clarity, including targeted amendments to NIS2.
Steps intended to reduce unnecessary burden for smaller firms, including changes affecting micro/small companies and a new “small mid-cap” category.

4. A more effective EU cybersecurity certification framework
Explanation of the direction for updating EU-level cybersecurity certification so it becomes more dynamic and useful in practice.
Clarification in the Q&A on the scope of certification (technical characteristics of products/services) versus broader risk considerations addressed elsewhere in the Cybersecurity Act framework.

Q&A HIGHLIGHTS

Journalists question the Commission on:
How “countries of concern” and “high-risk suppliers” would be identified (and whether lists can be updated).
Timelines and implementation, including transition periods discussed in relation to 5G.
What consequences may follow from high-risk designations (including potential restrictions related to procurement, funding programmes, certification, and standardisation activities).
Whether and how economic impact assessments will be considered alongside cybersecurity risk assessments.
A separate question on developments concerning X, including the Commission’s ongoing analysis and consideration of possible next steps under the Digital Services Act (DSA).

This video includes both the statement and the Q&A session, providing a clear overview of the Commission’s approach to cybersecurity governance, supply-chain risk management, and the practical application of EU cyber rules.

CHAPTERS

00:00 Opening: topic and context
00:12 Cyber threat landscape and critical infrastructure
00:41 Why update EU cybersecurity rules
00:55 Cybersecurity package: main pillars
01:02 Strengthening ENISA
02:03 Incident reporting, alerts, and support to Member States
02:32 Supply chain de-risking and economic security
02:52 5G toolbox: towards a mandatory approach
03:24 Simplification under the “digital omnibus”
03:42 NIS2: scope clarifications and reduced burden
04:18 Ransomware data collection
04:21 Certification: why the framework is changing
05:06 Why cybersecurity is central to daily life
05:40 Q&A begins
05:48 Countries of concern and “X” question
08:17 Countries list, updates, and implementation timing
09:41 5G: excluding high-risk vendors
10:24 Catalogue of high-risk suppliers and transition period
11:38 Consequences of high-risk designation
12:09 Possible restrictions and mitigation measures
14:37 Costs, impact assessment, and certification scope
16:04 Technical vs non-technical risks: clarification
18:19 Case-by-case approach and sector risk assessments
20:05 Closing remarks

European Digital Policy Initiative
https://edpi.eu/
  / eudigitalpolicy  
  / eudigitalpolicy  
  / eudigitalpolicy  

Uploaded by James Tamim, EU Digital Policy analyst.

© European Union, 2026