EU strengthens cybersecurity resilience as digital threats grow

© Image: Lucrezia Carnelos. Four people are sitting in a gallery space. All four are wearing goggles and headphones and are experiencing some kind of virtual reality art.

The European Commission has announced a new cybersecurity package designed to boost the EU’s resilience against increasingly frequent cyber and hybrid attacks targeting essential services and democratic institutions. The revised framework aims to improve ICT security, simplify compliance for businesses, and strengthen coordinated response capacities across Member States.

For museums, many of which are rapidly digitalising collections, services and operations, and engage with AI tools, strong cybersecurity is becoming an essential component of institutional resilience. The Commission’s announcement underscores the urgency of this conversation. By adapting to emerging risks, museums can safeguard their digital infrastructures, protect public trust, and remain resilient cultural anchors in an increasingly digital world.

This topic will be discussed further at NEMO’s European Museum Conference 2026 in Vilnius, Lithuania, where digital transformation, AI and cybersecurity will be explored in depth. Save the dates 11-13 October and sign up for a reminder to register.

A strengthened Cybersecurity Act

A European Commission press release on the new package describes a revised Cybersecurity Act, which aims to ensure that digital products and services entering the EU market are cyber‑secure by design. Key elements include:

  • A trusted ICT supply chain security framework enabling the EU and Member States to jointly identify and mitigate risks linked to high‑risk suppliers.
  • A simplified European Cybersecurity Certification Framework, making it easier and faster for companies to certify the security of their products and services.
  • Expanded responsibilities for ENISA, the EU Agency for Cybersecurity, enabling it to issue early threat alerts, support ransomware response, and improve vulnerability management across the Union.

These measures respond to the growing geopolitical reality in which supply chain vulnerabilities are not only technical, but also linked to dependencies and risks of foreign interference.

Easing the compliance burden for SMEs

Targeted amendments to the NIS2 Directive aim to provide greater legal clarity and reduce compliance costs for thousands of companies across Europe, particularly micro, small and mid‑cap enterprises. The proposals would simplify jurisdictional rules, streamline ransomware reporting, and improve oversight of cross‑border entities with support from ENISA. This more accessible approach is expected to help organisations, including cultural institutions, implement essential cybersecurity requirements more efficiently.

Building Europe’s cybersecurity capacity

Since the first Cybersecurity Act in 2019, ENISA has expanded into a cornerstone of the EU cybersecurity ecosystem. Under the new proposal, the agency will further strengthen Europe’s defensive capabilities by:

  • Supporting coordinated EU‑level responses to cyber incidents
  • Operating the new single-entry point for incident reporting
  • Helping companies recover from cyberattacks
  • Leading the development of the Cybersecurity Skills Academy and EU‑wide skills attestation schemes

These efforts aim to build a skilled cybersecurity workforce capable of addressing growing risks across all sectors. NEMO expects this to extend to the culture and heritage field, where institutions are frequently at risk in attempts to disrupt democratic life, social cohesion, and cultural identity.