New EU Cybersecurity Package

Written by Bola Ogbara | Jan 23, 2026 3:01:45 PM

The EU's new cybersecurity package proposes improving supply chain security and simplifying cybersecurity laws, while Europe faces more cyber threats than ever.

On January 19, 2026, the European Union’s Commission announced the proposal of “a new cybersecurity package to strengthen the EU’s cybersecurity resilience and capabilities” in response to the cyber and hybrid attacks the continent faces. A 2025 CrowdStrike report found that after North America, Europe faced the most cyber attacks, noting that “entities in Europe are more than twice as likely to be targeted than entities in the Asia Pacific and Japan region.” This difference can be attributed to politically motivated threat actors, whose activity has only increased since the start of Russia’s war on Ukraine in 2022 and other conflicts.

 

The EU’s first-ever report on the State of Cybersecurity in the Union in 2024 identified a “substantial” cyber threat level and, among other actions, recommended improving supply chain cybersecurity. The new cybersecurity proposal (including a revised Cybersecurity Act) addresses four areas: securing Information and Communication Technologies (ICT) supply chains, clarifying the European Cybersecurity Certification Framework, simplifying compliance with EU cybersecurity laws, and continuing plans to support the EU Agency for Cybersecurity (ENISA):

 

  1. Bolstering the security of ICT supply chains in the EU - Inadequate supply chain security raises concerns about dependencies and foreign interference. The updated Cybersecurity Act limits ICT supply chain risks by building a security framework, even enabling telecommunication networks to reduce risk from third-country suppliers.
  2. Simplifying and enhancing European Cybersecurity Certification - The European Cybersecurity Certification Framework (ECCF) will be simplified and modernised so that certification processes can be created within 12 months, while allowing for smoother, more transparent management by stakeholders through deliberation and public information.
  3. Facilitating compliance with cybersecurity rules - The new amendments to the NIS2 Directive will harmonise compliance and improve legal clarity around EU cybersecurity requirements for risk management. Costs will also be lowered for small mid-cap opportunities. Additionally, rules around reporting and collecting information on ransomware attacks will be simplified to improve international overwatch by ENISA.
  4. Empowering ENISA to boost Europe’s cybersecurity resilience - ENISA will follow through with its critical work with the help of these new updates. The Agency will also work on a Union approach for improved vulnerability management services.

 

The next steps for this proposal are approval by the European Parliament and the Council of the EU. If the proposal is accepted, nations in the EU would have one year to implement the rules and guidance. This proposal is just one example of the EU working to improve cybersecurity in 2026. One member state, Belgium, has been pushing for the development of Europe-specific digital infrastructure.

 

Miguel De Bruycker, Belgium’s cybersecurity chief, recently said that compared to the US's progress in digital infrastructure, Europe “...lost the whole cloud. We have lost the internet, let’s be honest. If I want my information 100% in the EU … keep dreaming. You’re setting an objective that is not realistic. In cyberspace, everything is commercial. Everything is privately owned.” This is part of a larger conversation about European digital sovereignty. In late 2025, Switzerland effectively banned the use of public hyperscale clouds and Software-as-a-Service (SaaS) by public bodies processing or holding personal data, preventing the use of American providers like Microsoft 365.

 

De Bruycker is not going as far as Switzerland, and has shared that he feels confident in collaborating with American companies to stop bad actors, as US hyperscalers were a key tool in the Belgian response to cyber attacks from Russian hacktivists. Still, EU and US cooperation is not guaranteed, especially as the Office of the US Trade Representative claimed in a post on X that the EU has “... persisted in a continuing course of discriminatory and harassing lawsuits, taxes, fines, and directives against U.S. service providers” and said that unless this stopped, “the United States will have no choice but to begin using every tool at its disposal to counter these unreasonable measures.”

 

With or without US involvement, Europe is still fighting cybercrime on several fronts. The European Space Agency recently admitted to a 500 GB theft of sensitive data that happened in September, a hack that may still be ongoing. To make matters worse, another attack on the ESA in December led to the sale of 200 GB by more cyber criminals. There have been some wins in this fight, however. In Spain, Europol recently disrupted Black Axe, a criminal network 30,000 strong that is known for online fraud and is also involved in armed robbery and human trafficking. The press release details the 34 arrests made across Spain, the 119,352 EUR frozen in bank accounts, and the 66,403 EUR seized during house searches. Operations like these, along with the EU’s cybersecurity proposal, paint a more optimistic future for Europe’s cyber posture.