EU Commission Press Conference on Cybersecurity Act Update

EU Commission Executive Vice-President Henna Virkkunen delivers a press conference (20 January 2026) on the EU’s Cybersecurity Act and a broader cybersecurity package aimed at strengthening Europe’s cyber resilience and reducing fragmentation across the internal market.
This is an edited (transformative) version of the European Commission’s Press conference, created to improve accessibility. Edits that add transformative value include cutting repetition, silences, and stutters; restructuring the content by theme and topic; adding on-screen context; and enhancing video and audio quality. This edited version does not distort the meaning or message of the original video.

In her opening remarks, Virkkunen describes an increasingly challenging security environment in the cyber domain, highlighting the daily impact of cyber incidents on critical infrastructure and the links between cyber operations and wider hybrid activity. She then outlines the Commission’s proposed updates to EU cybersecurity rules, focusing on stronger implementation, clearer responsibilities, and more practical compliance pathways for businesses.

WHAT’S COVERED IN THIS PRESS CONFERENCE

1. Strengthening EU-level capabilities
Plans to ensure the EU Agency for Cybersecurity (ENISA) is equipped to take on additional tasks and support Member States more effectively.
Measures linked to incident reporting, early alerts, and cooperation with national cybersecurity authorities and CSIRTs.

2. De-risking the ICT supply chain and protecting critical sectors
A risk-based approach to identifying and mitigating cybersecurity risks in key sectors already covered by NIS2 (including critical services such as energy, water, transport, and healthcare).
A push to turn the EU’s 5G cybersecurity toolbox into a more uniform, mandatory approach to avoid market fragmentation and create a level playing field.
Discussion of targeted measures for “high-risk suppliers” and how assessments would guide mitigation steps.

3. A more effective EU cybersecurity certification framework
Explanation of the direction for updating EU-level cybersecurity certification so it becomes more dynamic and useful in practice.
Clarification in the Q&A on the scope of certification (technical characteristics of products/services) versus broader risk considerations addressed elsewhere in the Cybersecurity Act framework.

Q&A HIGHLIGHTS

Journalists question the Commission on:
How “countries of concern” and “high-risk suppliers” would be identified (and whether lists can be updated).
Timelines and implementation, including transition periods discussed in relation to 5G.
What consequences may follow from high-risk designations (including potential restrictions related to procurement, funding programmes, certification, and standardisation activities).
A separate question on developments concerning X, including the Commission’s ongoing analysis and consideration of possible next steps under the Digital Services Act (DSA).

CHAPTERS

00:00 Opening: topic and context
00:12 Cyber threat landscape and critical infrastructure
00:41 Why update EU cybersecurity rules
00:55 Cybersecurity package: main pillars
01:02 Strengthening ENISA
02:03 Incident reporting, alerts, and support to Member States
02:32 Supply chain de-risking and economic security
02:52 5G toolbox: towards a mandatory approach
03:24 Simplification under the “digital omnibus”
03:42 NIS2: scope clarifications and reduced burden
04:18 Ransomware data collection
04:21 Certification: why the framework is changing
05:06 Why cybersecurity is central to daily life
05:40 Q&A begins
05:48 Countries of concern and “X” question
08:17 Countries list, updates, and implementation timing
09:41 5G: excluding high-risk vendors
10:24 Catalogue of high-risk suppliers and transition period
11:38 Consequences of high-risk designation
12:09 Possible restrictions and mitigation measures
14:37 Costs, impact assessment, and certification scope
16:04 Technical vs non-technical risks: clarification
18:19 Case-by-case approach and sector risk assessments
20:05 Closing remarks

Europe Echo
https://europeecho.com
https://www.instagram.com/EuropeEcho
https://www.tiktok.com/@EuropeEcho
https://www.facebook.com/EuropeEcho
https://twitter.com/EuropeEcho

Uploaded by James Tamim, EU Digital Policy analyst.

© European Union, 2026
Edits applied by Europe Echo (transformative value add): repetition, silences, and stutters removed; content restructured by theme so questions and answers stay together and topics remain organised (some sections may be reordered to separate topics more clearly); on-screen context and detailed descriptions added (topic labels, chapters, captions) to make long briefings easier to follow; and video/audio quality enhanced (cropping, splicing the correct audio-language tracks, voice isolation, and colour correction).

Видео EU Commission Press Conference on Cybersecurity Act Update канала Europe Echo