Members' Research Service / January 5, 2026

Cybersecurity Act review: What to expect


Written by Polona Car.

The Cybersecurity Act (CSA) came into force in 2019 as part of the EU’s efforts to build strong cybersecurity. Since its introduction, the EU cybersecurity regulatory framework has become more complex in response to the rise in cyber-attacks. New EU rules, as well as changes in the geopolitical context, have impacted the CSA, and the regulation is currently under review. Although stakeholders are aligned on most issues, significant differences remain, notably in addressing non-technical risks relating to the security of the information and communications technology (ICT) supply chain.

The Cybersecurity Act in short

Regulation (EU) 2019/881 (the CSA) formalised the role of the European Cybersecurity Agency (ENISA), giving it a permanent mandate, resources and tasks, including operational ones. It also established a voluntary EU cybersecurity certification framework (ECCF) for ICT products, services and processes. The ECCF aims to set up and maintain specific certification schemes, allowing companies operating in the EU to use the certificates recognised across all Member States. In January 2025, a targeted amendment to the CSA was adopted, to enable the future adoption of European certification schemes for ‘managed security services’ covering areas such as incident response, penetration testing, security audits and consultancy. The CSA requires an evaluation and review every five years. Postponed several times, this is now expected on 14 January 2026.

Evolving context

Since the CSA entered into force, cyber-attacks have been on the rise. This has prompted new EU cybersecurity laws to address the growing number and complexity of cyber threats. As a result, ENISA’s roles and responsibilities have expanded. For example, ENISA supports implementation of the Directive on measures for a high common level of cybersecurity across the Union (NIS2) by providing technical guidelines, facilitating information sharing, and enhancing coordination between Member States. Similarly, ENISA supports implementation and enforcement of the Cyber Resilience Act (CRA) by providing technical expertise, developing a single reporting platform for vulnerability and incident reporting, and supporting cybersecurity certification schemes.

As regards certification, implementation of the ECCF has been challenging. So far, only one EU certification scheme has been adopted – the European cybersecurity scheme on common criteria (EUCC), dedicated to certifying ICT products. All other schemes (cloud services – EUCS, 5G, digital identity wallets and managed security services) are still under development. Additionally, there are concerns about whether the ECCF effectively addresses non-technical supply-chain cybersecurity risks such as geopolitical dependencies. Questions have also been raised about how voluntary certification frameworks will align with the CRA, which establishes a presumption of conformity (in Article 27) for products certified under a recognised European scheme such as the EUCC.

The proposal for a revised CSA therefore aims to address both ENISA’s growing responsibilities and ECCF implementation. During the consultation, the Commission also gathered views on ICT supply chain security challenges and the simplification of cybersecurity rules, such as how to streamline reporting obligations.

CSA review: Points of convergence among stakeholders

The replies to the call for evidence for the CSA review have shown broad agreement that the CSA should be revised in order to: (i) streamline cybersecurity measures; (ii) enhance cyber resilience; and (iii) simplify the EU regulatory landscape. The review is seen as an opportunity to reduce administrative burden and compliance costs. A significant convergence point is the need to harmonise definitions and reporting requirements across major EU acts – such as NIS2, CRA and the General Data Protection Regulation (GDPR) – and establish a single EU incident notification platform. Such a platform has now been put forward in the proposal for a ‘digital omnibus’ regulation.

There is consensus that ENISA’s mandate should be clarified and strengthened to reflect the agency’s growing operational responsibilities under new EU rules such as NIS2 and CRA. Stakeholders note that this expansion should be matched by adequate financial resources and staffing in order to ensure the agency’s effectiveness. The view is that ENISA should serve as a central technical coordinator, to promote consistency and harmonise implementation of EU cybersecurity laws across the Member States, thereby reducing regulatory divergence. This echoes the Council conclusions of December 2024 on a stronger EU Agency for Cybersecurity. Poland went as far as calling for a separate law for ENISA, to separate this item from potential controversy around the EUCS discussions.

Stakeholders widely acknowledge that the process for developing and adopting certification schemes is too slow and opaque. They highlight that a more agile, transparent and inclusive process with clearer timelines is urgently needed. Furthermore, stakeholders underline that certification schemes should be based on and align with international standards in order to ensure global interoperability, maximise acceptance, and reduce compliance costs for companies operating internationally. The prevailing view is that certification schemes should also be leveraged as a recognised means of demonstrating conformity or compliance with security requirements stemming from other major EU legislative acts, including NIS2, CRA and the AI Act.

Potential challenges

Disagreements revolve around the specific content and scope of certification schemes, particularly regarding sovereignty and the legal limits of ENISA’s influence. The most contentious point is the inclusion of sovereignty requirements in certification schemes such as the EUCS. This issue divides stakeholders into those advocating measures to protect European digital autonomy (e.g. both data localisation and corporate headquarters based in the EU) and those prioritising open markets and technical neutrality. Pro‑sovereignty advocates, and stakeholders supporting ‘cloud by Europe’ models (i.e. entirely EU-based cloud service providers, not controlled by non-EU stakeholders), argue that these measures are crucial to protecting sensitive data and reinforcing EU strategic autonomy. By contrast, major tech companies, such as Microsoft, Amazon and Google, argue that non-technical criteria are subjective and do not improve cybersecurity outcomes, potentially restricting market access and innovation. At Member State level, too, positions are divided, with some countries expressing concern over sovereignty requirements, and others advocating in their favour.

On the nature of certification, the majority view is that it should remain mostly voluntary, to maintain flexibility and innovation. However, mandatory certification in critical sectors where high-security assurance is essential was also proposed. In addition, ENISA’s regulatory power has sparked debate. Some stakeholders, including Amazon, oppose granting ENISA the authority to issue binding opinions or regulatory guidance, arguing that its role should remain technical and advisory.

It remains to be seen to what extent the Commission will consider stakeholders’ views. The CSA review will also need to fit into the simplification of cybersecurity-related incident reporting obligations, which are part of the ‘digital omnibus’ proposal published on 19 November 2025.


Read this ‘At a Glance note’ on ‘Cybersecurity Act review: What to expect’ in the Think Tank pages of the European Parliament.

