GA-Alliance

Data Protection & Cybersecurity

GA-Alliance specializes in providing expert guidance on privacy, data protection and cybersecurity, assisting clients in navigating complex industry regulations and effectively managing cybersecurity risks.
Our firm boasts the capability to support clients with multi-disciplinary teams comprising both legal professionals and information technology experts.

Personal Data Protection Legal Advice
Our team provides legal advice on personal data protection, assisting clients in interpreting and adhering to national and international privacy regulations.

Our legal services encompass:

  • Privacy audits, gap analysis and risk assessments
  • Creation and implementation of all necessary acts and documents as per applicable regulations
  • Drafting of data protection policies and procedures
  • Assistance in the management of data breaches and notification to the relevant authorities
  • Our professionals also serve as DPOs (Data Protection Officers) for institutional investors and leading companies, both domestically and internationally, spanning diverse sectors.

Cybersecurity Services
We provide specialised legal advice for the prevention and management of cybersecurity incidents, enabling clients to comprehend and mitigate cybersecurity risks to protect their businesses and data.

Our legal services include:

  • Cybersecurity audits and vulnerability assessments
  • Advice in drafting and negotiating cybersecurity contracts
  • Assistance in the management of security incidents and responding to cyber attacks

With our extensive experience and expertise in the fields of data protection and cybersecurity, we deliver comprehensive and reliable legal support to address challenges associated with digital information management and cybersecurity effectively.

Insights

GA-Alliance

Knowledge Management

Mar 13 2026

EU CYBERSECURITY ACT PROPOSAL


Governance, Resilience, and Market Access

Executive summary 

On 20 January 2026, the European Commission presented a comprehensive “Cybersecurity Package”, proposing a targeted revision of the “EU Cybersecurity Act” (originally adopted as Regulation (EU) n. 2019/881) alongside amendments to Directive (EU) n. 2022/2555 (“NIS2 Directive”).

The original 2019 framework established a permanent mandate for the “European Union Agency for Cybersecurity” (“ENISA”) as the Union’s central technical authority and introduced the “EU Common Criteria-based” (“EUCC”) scheme, laying the foundations of the European cybersecurity certification system.

Since then, the overall set of existing and emerging threats has evolved considerably. Modern attacks frequently disrupt vital operations and industrial networks, revealing structural flaws in cross-border coordination.

The 2026 proposal arrives at a critical juncture where cyberattacks no longer target data alone, but increasingly jeopardise critical infrastructure, essential services, as well as global supply chains. These vulnerabilities are compounded by hybrid threats and growing geopolitical dependencies on foreign technologies. 

Consequently, the proposal moves beyond mere technical standards to address systemic bottlenecks by reinforcing ENISA’s mandate and restructuring the certification architecture, with the aim of ensuring greater uniformity across the internal market. Additionally, it establishes a formal mechanism to manage risks within ICT supply chains, including the identification of high-risk providers and the implementation of safeguards in high-priority sectors.

For businesses, cybersecurity is no longer confined to regulatory compliance. It directly affects market access, contractual stability, investment planning, and long-term competitiveness within the European digital economy. 

The proposal will now follow the ordinary legislative procedure before the European Parliament and the Council of the EU, and will then enter a phase of interinstitutional negotiation and technical refinement. If adopted, it is likely to redefine both regulatory obligations and competitive dynamics within the European digital market.

Regulatory standstill and outlook 

The proposed reform initiative marks a shift from a predominantly technical compliance regime toward an integrated governance model anchored in institutional consolidation. At its core lies the strengthening of ENISA as the Union’s central technical authority.

By formalising the Agency’s role in drafting candidate schemes and providing structured technical support to national authorities, the European Commission seeks to eliminate the fragmented national practices that have historically undermined mutual recognition across the EU. This approach ensures a uniform interpretation of assurance levels (ranging from “basic” to “high”) while harmonising evaluation methodologies to facilitate a truly smooth internal market. 

The expansion of ENISA’s mandate includes operating a central EU-wide threat repository, issuing strategic early warnings, managing a unified incident reporting platform, and coordinating large-scale cybersecurity exercises across Member States. These functions position ENISA as the European Union’s definitive technical reference body, bridging the gap between high-level policy and real-time operational coordination.

In the meantime, the reform seeks to increase the practical relevance of EU certification schemes. Acknowledging that voluntary schemes have had limited adoption, the European Commission is refining procedures and linking certification more closely with other EU product regulations. This strategy eliminates administrative redundancies and prevents the duplication of audit requirements.

Certification development has also been modernised: new procedures incorporate proportionality principles, encourage international cooperation, and set a clear 12-month timeline for ENISA to propose new schemes. By prioritizing global interoperability, the EU intends to reduce compliance burdens for European companies while establishing its certification framework as a leading international standard.

Most significantly, the revision introduces a step change in supply chain security, treating certification as a tool for technological resilience during geopolitical instability. The creation of mechanisms to identify and monitor high-risk suppliers across eighteen critical sectors represents a decisive move against systemic risks. For the first time, the EU framework allows for the potential withdrawal of deployed products if a supplier is reclassified as high-risk, posing operational and financial implications for critical infrastructure and digital services.

 

 

Strategic imperatives and the evolution of digital governance

The proposed reform introduces a comprehensive change in how organisations must operate within the European digital setting, moving from isolated product-focused security to a holistic approach that emphasises organisational maturity.

Companies will be required to implement advanced governance through documented policies, rigorous internal processes, comprehensive control mechanisms, and risk management structures that transcend traditional technical boundaries. As the certification framework expands to encompass cloud services, 5G networks, managed security services, and overall cyber posture, technology providers will face heightened regulatory scrutiny and extended time-to-market cycles, even as their clients benefit from verified security standards. 

Crucially, the introduction of high-risk supplier mechanisms necessitates a proactive approach to supply chain resilience. This forces entities to assess geopolitical dependencies and monitor interconnected infrastructure. Organizations must, therefore, prepare for the potential replacement of hardware and revise contractual frameworks to mitigate the operational shocks of supplier reclassification. 

For small and medium-sized enterprises, this shift creates a dual challenge. Increased reliance on certified vendors may simplify security management while simultaneously driving up procurement costs. Consequently, these firms will require a higher degree of technical due diligence to remain competitive.

On the operational side, the centralisation of reporting through ENISA’s unified platform will significantly intensify obligations for “Security Operations Centres” (“SOCs”). These entities, alongside “Computer Security Incident Response Teams” (“CSIRTs”), must integrate deeply with EU-level reporting systems. While this improves situational awareness across the Union, it also introduces considerable administrative burdens. 

Next steps 

The proposal will follow the ordinary legislative procedure, requiring both the European Parliament and the Council to adopt their respective amendments. Afterwards, it will enter a phase of interinstitutional negotiations and technical refinement, aimed at balancing security measures with the practical needs of the market.

Conclusion 

The proposed reform of the “EU Cybersecurity Act” signals a transition from fragmented technical standards to a unified, geopolitically aware governance model.

  • The consolidation of powers around the European Union Agency for Cybersecurity reduces national divergence and centralises threat reporting and operational coordination at EU level.
  • Certification is now a tool for technological resilience rather than just a quality mark. The power to exclude high-risk suppliers in critical sectors forces a fundamental reassessment of third-party dependencies and hardware lifecycles.
  • Closer alignment between certification schemes and horizontal product legislation increases the regulatory weight of EU certificates in determining market access and competitive positioning.
  • Cybersecurity becomes a board-level responsibility, requiring integrated risk management and structured oversight to ensure alignment with enhanced EU-wide reporting obligations.

GA-Alliance

News

Lahore, Jan 30 2026

GA-Alliance lands in Pakistan
Press release

GA-Alliance lands in Pakistan: strategic partnership signed with Axis Law Chambers

MILAN – 29 January 2026

GA-Alliance, a global legal and tax firm with more than 2,600 professionals in 80 countries, announces its entry into the Pakistani market. The strategic partnership with Axis Law Chambers, a leading full‑service law firm in the region, marks a further expansion of GA‑Alliance’s network, which today covers geographies that generate nearly 90% of global GDP.

The agreement strengthens GA‑Alliance’s commitment to its “one‑stop‑shop” strategy. By integrating local expertise with the highest global standards, the Alliance offers clients a single, efficient access point for all legal and tax needs. This model removes the complexities of managing multiple advisers across different jurisdictions, delivering a coordinated and seamless experience that prioritizes clarity and business growth.

Axis Law Chambers brings to the Alliance a reputation for excellence, particularly in high‑value cross‑border mandates and advice on complex regulatory matters. Regularly listed by Chambers and Partners and The Legal 500, Axis Law stands out for its transactional work in corporate matters, mergers and acquisitions (M&A), employment law, intellectual property, foreign investment, public‑private partnerships, corporate governance, antitrust, tax, data protection and sectoral compliance. The firm advises clients in key industries such as energy, oil & gas, mining, healthcare, telecommunications, automotive, financial services, defense, retail, manufacturing, agriculture, media, IT, logistics, real estate and non‑profit organizations.

Axis Law also boasts one of Pakistan’s most authoritative dispute resolution practices, including litigation and international arbitration, with solid experience in proceedings before ICSID (International Centre for Settlement of Investment Disputes, based in Washington, D.C., and part of the World Bank), ICC (International Chamber of Commerce, based in Paris) and LCIA (London Court of International Arbitration, based in London). This depth of expertise ensures GA‑Alliance clients receive top‑level support in the world’s fifth most populous country, one of the most dynamic economies in Asia.

Francesco Sciaudone, Managing Partner of GA‑Alliance, emphasized the strategic importance of the operation: “Our entry into Pakistan through the partnership with Axis Law Chambers is another step that strengthens our global growth path. At GA‑Alliance, the goal is to simplify complexity for our clients. By extending our ‘one‑stop‑shop’ model to an outstanding Pakistani firm, we are increasingly able to offer our clients the ability to operate with confidence in a very large number of markets worldwide. We are not only expanding our geographic presence; we are enhancing a sophisticated ecosystem where international best practices and precision meet local market leadership to meet clients’ needs in a simple, direct and highly efficient way.”


About GA‑Alliance

With more than 2,600 professionals in 80 countries, GA‑Alliance is a global legal and tax firm with deep European roots, combining a strong legal tradition with a broad international presence. Founded on principles of excellence and innovation, GA‑Alliance offers integrated, multidisciplinary expertise and positions itself as a strategic partner to promote sustainable growth in an ever‑evolving regulatory environment.


About Axis Law Chambers

Axis Law Chambers is a leading Pakistani law firm recognized for excellence in corporate and transactional advice and in resolving commercial disputes. With a team of over 30 professionals and seven partners, the firm assists national and multinational clients in high‑impact transactions, regulatory compliance and complex dispute resolution matters, including international arbitrations.

GA-Alliance

News

Jul 15 2025

GA-Alliance Welcomes Salvatore Figliuolo as New Partner

GA-Alliance Launches Cybersecurity and Digital Compliance Practice and Welcomes Salvatore Figliuolo as New Partner

GA-Alliance, the leading law firm renowned for its innovative and client-centric global legal services, is pleased to announce the establishment of a new Cybersecurity and Digital Compliance Desk. This strategic initiative - designed to support public and private clients, both domestically and internationally, in preventing digital risks, managing data, and ensuring compliance with Italian and international regulations - underscores GA's relentless commitment to providing outstanding and thorough legal support to help businesses navigate the rising challenges of the digital era.

The new practice will be led by Mr. Salvatore Figliuolo, an experienced lawyer who will join GA as a new partner. Mr. Figliuolo has gained extensive exposure to technology law and cybersecurity, both in Italy and abroad, coupled with significant managerial roles in Generative AI companies.

GA realizes the importance of moving from a reactive assistance approach to a more proactive approach, aimed at strengthening clients' digital resilience. As a result, the new desk will offer joint legal and technical support, also thanks to the collaboration with Visibily, a managed security service provider (MSSP) company specialized in advanced enterprise solutions. This unique desk will provide integrated legal and technological services including:

  1. Digital risk and vulnerability analysis;
  2. Review and set up of internal policies and data management protocols;
  3. Training and staff awareness on security and privacy issues;
  4. Ongoing assistance during inspections, data breach situations, and digitalization projects;
  5. Management of relationships with authorities (e.g., Police, Data Protection, Cybersecurity, European Authorities).

With this new initiative, GA-Alliance reaffirms its commitment to supporting clients through their digital evolution with a practical, multidisciplinary, and prevention-oriented approach. The team will also leverage the existing expertise within the law firm, particularly in privacy and administrative law.

Francesco Sciaudone, Managing Partner of GA-Alliance, commented: "The arrival of Salvatore Figliuolo and the launch of the Cybersecurity and Digital Compliance desk represent a natural evolution in GA's growth toward a more and more sophisticated professional services market. In an environment where companies are increasingly exposed to digital risks, and to evolving complex regulations, we believe it essential to be able to offer clients comprehensive and integrated support – both domestically and internationally – combining legal expertise with technological solutions. The cooperation with a sophisticated technical partner and the synergies among our internal desks further strengthen our ability to support our clients promptly, concretely, and strategically in facing these new digital challenges."

GA-Alliance

Knowledge Management

Jul 23 2024

EU Alert - Data, IP and Privacy

This newsletter provides a selection of opinions and analysis from our EU legal experts on interesting policy developments, recent case law and new regulatory directions of major industry practices. It is released biweekly and covers areas such as: Competition Law, Sanctions, Trade, Energy, Finance, EU funds, Data IP and Privacy, Life Sciences, Transport and Court of Justice of the European Union news.

The aim is to provide an up–to–date tool for quick and easy consultation on the most current and important topics at EU level.

EUROPEAN COMMISSION (EC)

The European Commission designates adult content platform XNXX as Very Large Online Platform under the Digital Services Act (10.07.2024) – The Commission has formally designated XNXX as a Very Large Online Platform (VLOP) under the Digital Services Act (DSA). Therefore, XNXX will have to comply with the most stringent rules under the DSA within four months of its notification. Such obligations include adopting specific measures to empower and protect users online, to prevent minors from accessing pornographic content online, including with age-verification tools, to provide access to publicly available data to researchers, and to publish a repository of ads.

The European Commission publishes the second report on the State of the Digital Decade (02.07.2024) – The European Commission has published the second report on the State of the Digital Decade, providing a comprehensive overview of the progress made in the quest to achieve the digital objectives and targets set for 2030 by the Digital Decade Policy Programme (DDPP). This year, for the first time, the report is accompanied by an analysis of the national Digital Decade strategic roadmaps presented by Member States, detailing the planned national measures, actions and funding to contribute to the EU's digital transformation.

GA-Alliance

Knowledge Management

Jul 16 2024

EU AI Act - General Purpose AI Rules

Artificial Intelligence Act: fostering responsible AI development in Europe

Overview

The Artificial Intelligence Act (“AI Act”) is set to be published in the EU’s Official Journal soon, following the final approval of the Council of the EU on 21st May 2024. This landmark legislation aims to establish a regulatory framework for Artificial Intelligence (“AI”) across the European Union, promoting trustworthy and ethical development, deployment, and use of AI technologies. New rules will enter into force twenty days after the publication, with obligations then phased in gradually over three years, more specifically:

  • Bans on prohibited practices, which will apply six months after the entry into force date;
  • Codes of practice, which will apply nine months after entry into force;
  • General-purpose AI rules including governance, which will apply 12 months after entry into force;
  • Obligations for high-risk systems, which will apply 36 months after the entry into force.

The Significance of Codes of Practice

One crucial aspect of the AI Act involves the creation of Codes of Practice for General-Purpose AI (“GPAI”) models. These codes are fundamental for bridging the gap between the high-level requirements outlined in the AI Act for GPAI providers and the practical implementation of those requirements. In essence, they serve as a detailed roadmap for ensuring compliance with the principles enshrined in the new Regulation.

Concerns Regarding Stakeholder Involvement

On 8th July 2024, certain Members of the European Parliament (“MEPs”) expressed their concerns in a letter sent to the EU's AI Office, urging it to include civil society in the drafting of rules for powerful AI models. In particular, they argued against the European Commission's initial approach, which reportedly proposed to allow AI model providers to take the lead in drafting the codes, with civil society organizations (“CSOs”) playing a more limited consultative role.

MEPs expressed apprehension that such an approach could result in codes that prioritize industry interests over broader societal concerns. They advocate for an inclusive process that actively engages a diverse range of stakeholders, including:

  • Companies, as input from the AI development and deployment sectors is crucial for ensuring the codes are practical and workable.
  • Civil Society Organizations, which bring valuable perspectives on ethical considerations, potential biases, and the impact of AI on fundamental rights.
  • Academia, with researchers and experts offering insights into the latest advancements in AI technology and potential risks.
  • Other Stakeholders, considering that a diverse range of voices can contribute to well-rounded and comprehensive codes.

At the same time, civil society members highlight the potential for a situation where large technology companies write their own rules, potentially undermining the AI Act's goal of establishing equal and globally influential standards for GPAI development.

Looking Forward

The European Commission has acknowledged the need for clarity on stakeholders’ involvement. Details regarding the participation of CSOs and other stakeholders are expected to be included in a forthcoming call for expressions of interest. An external firm will be responsible for leading the drafting process, with the AI Office maintaining oversight and approving the final versions of the codes.

The coming months will be crucial in determining how the EU navigates stakeholders’ involvement in crafting the AI Act's Codes of Practice. A transparent and inclusive process will be essential for establishing strong, effective, and ethically sound standards for trustworthy AI development across Europe.

GA-Alliance

Knowledge Management

Jun 26 2024

EU Alert - Data, IP and Privacy

COUNCIL OF THE EUROPEAN UNION (COUNCIL)

Data protection: Council agrees position on GDPR enforcement rules (13.06.2024) – The Council has reached an agreement on a common member states’ position on a new law which will improve cooperation between national data protection authorities when they enforce the General Data Protection Regulation (GDPR). The Council position maintains the general thrust of the proposal but amends the draft regulation as regards clearer timelines, enhanced and efficient cooperation and an early resolution mechanism.
