***At the start of this year, the European Union put forward a few amendments to its cybersecurity laws. Amel Osman,*** Managing Director and Head of UAE at H/Advisors, explains why the news is of relevance for UAE-based organisations selling into Europe or supporting EU supply chains.
On 20 January 2026, the European Commission published a Cybersecurity Package proposing a revision to the EU Cybersecurity Act and targeted amendments to the NIS2 Directive, which sets cybersecurity obligations for “essential” and “important” entities across high-criticality sectors, including finance, energy and transport.
NIS2 is the EU’s main cybersecurity law for organisations that run or support essential services. The direction of travel is unambiguous and warrants early attention from UAE-based organisations with EU exposure: a push to accelerate and expand EU cybersecurity certification, an enlarged coordinating role for ENISA (the EU Agency for Cybersecurity), heightened scrutiny of third-party and supply-chain risk, and measures intended to streamline, and in practice harden, NIS2 compliance expectations.
Operational teams will rightly prioritise controls, resilience measures, and statutory reporting. Communications and corporate affairs leaders, however, should treat this as an equally material development: across Europe, cybersecurity is being reframed as a prerequisite for trust, market access, and institutional confidence.
In that environment, organisations will be assessed not only on what they do, but on whether they can articulate, with discipline and consistency, their governance, risk posture, and response readiness to regulators, customers, investors, employees, and strategic partners.
Supply chains have become reputational terrain
A key shift is tougher scrutiny of suppliers. The proposals introduce the idea of “non-technical” cyber risk linked to suppliers that may be subject to third-country influence, and they set out a pathway for the EU to label certain providers as “high-risk vendors”.
That label could carry real commercial impact, including restrictions in EU public procurement and limits on participation in EU cybersecurity certification. In some sectors, particularly telecoms and connectivity, the proposals also contemplate phased removal of key components from vendors designated as high risk within a defined timeframe.
For UAE-based organisations with global technology stacks, this is as much a communications issue as a procurement one. EU customers and partners will ask how you assess third-party risk, how you avoid over-reliance on any single supplier, and what you will do if EU requirements change. The most credible approach is calm and factual: explain your governance, due diligence process, supplier diversification, and continuity planning, and reaffirm your commitment to comply with applicable rules in each market.

Amel Osman is Managing Director and Head of UAE at H/Advisors
Certification is turning into a brand proof point
The package makes certification less of a technical “nice to have” and more of a commercial trust signal. It aims to speed up how EU certification schemes are developed and adopted, and points to a future “entity certification” approach designed to make compliance more straightforward. Certification may remain voluntary on paper, but the direction is clear: EU rules, including NIS2, are likely to rely on certification more heavily, effectively making it a requirement in regulated contexts.
For leadership teams, the implication is practical. Treat credible certification like any recognised quality mark: it can strengthen confidence in tenders, partner due diligence, and investor discussions. Communicate it carefully and accurately. Certification is not a guarantee that incidents will never happen; it is evidence of defined controls, oversight, and independent assurance.
Incident communications will happen faster
The proposed NIS2 changes add a specific reporting requirement for ransomware incidents and give ENISA a role in coordinating cross-border risk assessments, including “concentration risk” where too many organisations rely on the same providers. In practice, this means incidents may become visible to more stakeholders, more quickly, and expectations for timely, consistent communication will rise.
Preparedness is therefore critical: clear holding lines, defined spokesperson roles, and ready employee communications, because credibility will be judged as much by governance and process as by technical detail.
Who is most exposed in the UAE–EU corridor?
The most immediate exposure sits in NIS2’s core sectors, including finance, energy and transport. The impact will also extend through supply chains to ICT and tech-enabled service providers supporting EU-regulated entities, including cloud and data centres, managed services, software vendors, and telecoms and satellite connectivity. It will also affect logistics operators and industrial groups supplying EU customers.
What this means and what to prioritise
For UAE-based organisations with EU exposure, this package should be treated as an early warning signal: cybersecurity is becoming a visible proxy for governance, reliability and eligibility to do business. The communications risk is straightforward. If stakeholders believe you are unprepared, overly dependent on questioned suppliers, or unable to explain your controls with clarity, confidence can erode quickly even before any regulatory requirement formally applies.
Four actions are worth prioritising now:
- Set a CEO-ready “cyber trust” narrative. Agree the language leadership will use to describe oversight, decision-making, accountability and third-party discipline, and ensure it is consistent across markets and channels.
- Prepare a supply-chain and vendor position. Document, in plain language, how you assess vendor risk, avoid concentration, and maintain continuity if requirements shift. Keep it factual and non-political.
- Define how you will speak about certification. If you use certification or plan to pursue it, frame it carefully as independent assurance of controls and governance, not a promise of zero incidents.
- Pressure-test crisis communications. Review holding statements, escalation routes, spokesperson roles and employee communications, and plan for faster disclosure expectations and cross-border coordination.
Brussels’ cybersecurity package isn’t just another compliance file. It’s a reset in what Europe treats as “trustworthy”, and it will show up in tenders, partner due diligence and reputation. The tenacious organisations will get ahead of it, shape the narrative early, and communicate with calm control. The slow movers will be left reacting, and in regulated markets, hesitation can quickly become lost work, tougher terms, or stalled deals.