Cyber security | UK Regulatory Outlook February 2026

European Commission proposes new cybersecurity package  

The European Commission has proposed a new cybersecurity package aimed at strengthening EU information and communication technology (ICT) supply chain security and simplifying compliance.  

The package includes a proposal for a new Cybersecurity Act 2 (CSA2) and amendments to the Network and Information Systems Directive (NIS2). 

The main elements of the proposal for CSA2, which would update and replace the Cybersecurity Act (2019/881), include new trusted ICT supply chain security framework enabling union-level risk identification across the EU's 18 critical sectors as well as a simplified certification procedures. This would allow businesses to use European cybersecurity certification to meet legal obligations. The Commission has also proposed reinforced support from the European Union Agency for Cybersecurity (ENISA) to manage cybersecurity threats. 

The proposal to amend NIS2 Directive (2022/2555) includes simplified compliance with risk-management requirements for companies operating in the EU, complementing the single-entry point for incident reporting proposed in the Digital Omnibus, and removal of micro and small DNS service providers from scope. Small mid-cap companies would be designated as "important" rather than "essential" entities. 

Cross-border entities would be able to demonstrate compliance by obtaining a certificate on their cyber posture under a European cybersecurity certification scheme, alongside new guidelines harmonising supply chain security requirements passed from NIS2 entities to their suppliers, streamlined data collection on ransomware attacks and enhanced supervision of cross-border entities with ENISA's reinforced coordinating role. 

The proposals now require approval by the EU Parliament and the Council of the EU. The Cybersecurity Act will apply immediately upon approval; Member States will have one year to implement the NIS2 amendments.  

The Commission has published the adopted proposals for public consultation. Feedback received will be summarised by the Commission and presented to the European Parliament and Council to inform the legislative debate. The deadline for responses is 7 April. 

However, six Member States have not yet implemented NIS2, while, for those that have, "bedding in" is still underway: against this backdrop, further regulatory change may be seen as unhelpful and adding to uncertainty. Businesses will though welcome measures to provide clearer, more streamlined obligations (particularly those that align with certification schemes). As such, these announcements provide both positive and negative news for business. In the short-term, their biggest impact may be in leading business to reassess the risk of enforcement (especially for more minor or technical infringements of the law). 

UK and Japan launch strategic cyber partnership 

The UK and Japan have launched a strategic cyber partnership to strengthen security against shared cyber threats. The UK prime minister, Sir Keir Starmer, announced the partnership during his recent visit to Japan. 

The framework focuses on three pillars: detecting and deterring cyber threats through intelligence sharing, enhancing whole-of-society resilience; and fostering a joint innovation ecosystem. 

An action plan will set out detailed areas of cooperation between the two nations. 

UK government publishes ambassador scheme to support code of practice for software security 

The UK government has launched an ambassador scheme to drive adoption of its code of practice for software security as part of moves mainly to bolster public sector cyber-resilience, including its cyber action plan, that will also have an indirect impact on business. 

The Department for Science, Innovation and Technology and the National Cyber Security Centre will work with signatory organisations to promote secure software development best practices and inform future policy.  

Read more about the government's cyber security strategy in our previous Regulatory Outlook.