
Responses emerge following proposals to update the EU cybersecurity framework


By Hans Allnutt & Stuart Hunt


Published 20 April 2026

Overview

As the Cyber Security and Resilience Bill continues to move forward in the UK Parliament, similar initiatives to reform the cybersecurity framework in Europe are also ongoing. Introduced in January by the European Commission, the proposals provide a package of measures aimed at strengthening the resilience of essential services in EU Member States against attacks.

The introduction of a new Cybersecurity Act 2 will fundamentally reshape the role of ENISA, address the limited uptake and effectiveness of the European Cybersecurity Certification Framework (ECCF) and also regulate supply chains provisions for information and communication technologies (ICT). Amendments to the NIS2 Directive (NIS2) will focus on simplification and clarification, consistent with other proposals including the Digital Omnibus Package.

EU agencies and other organisations have recently published their views on the proposals. Responses to the proposals have been largely positive, although further amendments or proposals may be introduced during the upcoming reviews by both the European Parliament and Council.

In the meantime, it is imperative for organisations in scope to maintain awareness of the proposals and any expectations around implementation. For businesses operating high-criticality or critical services covered by NIS2, it is necessary to treat their ICT supply chain as a core compliance issue, understanding the risks associated with using certain suppliers and whether continued reliance on them will be possible in the future.

 

What do the proposals say?

The proposals comprise different types of legislation, with the Cybersecurity Act 2 proposals being a regulation, and the NIS2 amendments making changes to the NIS2 Directive (referred to jointly as "the Proposals").

As a reminder, a 'regulation' applies directly and verbatim in all Member States across the EU, whereas a 'directive' sets requirements that Member States must implement by enacting national legislation.

 

Cybersecurity Act 2

The draft Cybersecurity Act 2 ("CSA2") can be found in full here. As set out in brief above, CSA2 carries three key proposals:

  • The reinforcement and expansion of the powers held by ENISA (the EU agency for cybersecurity).
  • The reform of the ECCF, including the general rules for certification schemes designed under ECCF.
  • The introduction of a framework to cover ICT supply chains, particularly those involving 'critical' and 'high criticality' sectors defined by NIS2. The framework will allow for third countries or vendors within those third countries to be identified as posing cybersecurity risks, and the prevention of those parties from carrying out specific activities.

 

Framework for ICT supply chains

The CSA2 proposals set out a framework to address 'non-technical' risks to those sectors identified in NIS2 as 'high criticality' or 'critical':

  • High criticality sectors include energy, transport, banking, water supplies and public administration
  • Critical sectors include postal services, manufacturing, food production and distribution, and digital providers such as online marketplaces and search engines

The framework provides for the identification of key ICT assets in the supply chains associated with these NIS2 sectors and provides for security risk assessments of them. If a security risk assessment finds that a third country poses a "serious and structural non-technical risk" to ICT supply chains, the Commission will verify the risk and may designate the country as one posing cybersecurity concerns to ICT supply chains. This designation will result from an assessment of that nation's laws, practices, independent or democratic control mechanisms and substantiated reports of threat actors operating from there.

Suppliers to the NIS2 sectors from those designated third countries may then be identified as a 'high-risk supplier' following another assessment. These high-risk suppliers will be prevented from, among other things, participation in the creation of European standards and may not seek European cybersecurity certificates.

Most importantly, the Commission is empowered to adopt legislation directed at entities within the NIS2 sectors prohibiting them from using, installing or integrating ICT components, or products that include ICT components, from these high-risk suppliers. High-risk suppliers may seek an exemption from the Commission by demonstrating independence, mitigations or safeguards that reduce the identified risk.

 

Expansion of ENISA power

ENISA will be tasked with a number of roles to benefit both the wider EU and individual Member States. The agency will be responsible for developing capacity and understanding of cybersecurity risks, including offering knowledge and expertise to Member States and also high criticality and critical sectors identified in NIS2. The agency will be expected to raise wider awareness, through technical guidance and sharing best practices, as well as performing and disseminating analysis of market trends.

ENISA will also support technical and operational co-operation across Member States, the network of national Computer Security Incident Response Teams (CSIRTs) and EU-CyCLONe (the European cyber crisis liaison organisation network). This will include developing repositories of verified and reliable threat intelligence, issuing early alerts for significant or large-scale incidents and monitoring ransomware trends, including techniques and demands.

A rolling programme of EU-level cybersecurity exercises will also be developed jointly by ENISA and the Commission, with ENISA providing vulnerability management services to stakeholders. Finally, in respect of the reformed ECCF (discussed below), ENISA will contribute to this process by preparing, maintaining and promoting uptake of the certification schemes forming part of the ECCF. The creation and implementation of a Cybersecurity Skills Academy will also form part of ENISA's remit.

 

Reforming the ECCF

The ECCF allows for the creation of cybersecurity certification schemes intended to strengthen cybersecurity. With a broader scope than the first Cybersecurity Act, organisations will now be able to certify their own cyber posture, with certification continuing to apply to ICT products, ICT services, ICT processes and managed security services.

As noted above, ENISA (at the request of the Commission) will be responsible for the preparation and adoption of cybersecurity certification schemes. ENISA is required to comply with any such request within 12 months unless specified otherwise, and is required to engage with relevant stakeholders. Each certification scheme will be subject to a maintenance strategy including possible updates or improvements. An evaluation of each scheme, led by ENISA, is required at least every four years, with withdrawal of the scheme provided as a possibility.

The schemes themselves must contain certain elements, rules and conditions, as well as an assurance level. The three levels, 'basic', 'substantial' and 'high', correspond to the level of risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident. As an example, the Commission notes that "A high assurance level would mean that the certified product passed the highest security tests."

National cybersecurity certification schemes covering the same subject matter and scope as an introduced European scheme will no longer be permitted. Furthermore, where permitted by another piece of EU legislation, a certificate issued under an ECCF scheme may demonstrate compliance with, and create a presumption of conformity with, that other EU law.

 

NIS2 Amendments

The transposition of NIS2 into domestic legislation is still ongoing, despite transposition being required by October 2024, and the issue of a reasoned Commission opinion in May 2025.

The Commission's draft directive to align NIS2 with the CSA2 proposals and additional simplification measures can be found here. The proposed directive aims to both ensure compliance with the cybersecurity requirements introduced by CSA2 and simplify NIS2 in various ways.

The key amendments and updates contained within the draft directive are:

  • Organisations covered by NIS2 will be permitted to use EU cybersecurity certificates from schemes developed under the umbrella ECCF to prove compliance across various Member States, reducing the need for repeated audits and reporting to different authorities.
  • ENISA's role will be strengthened in supporting Member States to supervise organisations operating across multiple EU countries.
  • ENISA will also create an EU-wide register of 'essential' and 'important' entities to improve oversight and coordination.
  • A new “small mid-cap” company category will be introduced, reducing compliance and supervision burdens compared with large enterprises while keeping key cybersecurity protections.
  • Micro and small DNS service providers will be removed from the scope of NIS2 to avoid disproportionate regulatory burdens on very small operators.
  • Clarification of those organisations which fall within NIS2, including clearer rules for healthcare providers, electricity producers, hydrogen operators and chemical sector entities.
  • Only electricity producers with a total output of more than 1 MW will be identified as essential or important entities under NIS2, reducing obligations for smaller, low-risk generators.
  • Submarine data transmission infrastructure, including cables and landing stations, will be brought within the scope of NIS2 cybersecurity requirements. Other maritime critical infrastructures, such as submarine electricity, gas and oil pipelines are already within scope.
  • Member States will be required to adopt policies ahead of the adoption of post-quantum cryptography.
  • Essential and critical entities are currently required to ensure an appropriate level of security in their supply chain. This has led to excessive requests for information, creating an administrative burden for suppliers. The Commission will develop guidelines for such information requests, including their level of detail, structure and format.
  • The collection of data on ransomware attacks will be harmonised, but the reporting of that ransomware information should not result in increased liability or extra penalties.

 

Views on the proposals

European Data Protection Board and Supervisor Joint Opinion

The EDPB and EDPS issued Joint Opinion 4/2026 covering the Proposals. As expected, their response is framed very much through the lens of data protection and privacy issues. The Joint Opinion is broadly supportive of the Proposals, namely the strengthening of ENISA's role, efforts to increase uptake of cybersecurity certification, and efforts to ensure trusted ICT supply chains.

On specific points:

  • Effectiveness should not be the sole consideration for cybersecurity measures; impacts on fundamental rights should be limited to those that are proportionate and clearly justified, particularly where personal data processing is required.
  • The Joint Opinion cautions that any additional measures adopted by ENISA relating to personal data should be limited to technical or practical aspects and be subject to prior consultation with the EDPS.
  • They recommend that ENISA consult the EDPB before adopting certification schemes that are likely to affect the security of personal data processing, to avoid regulatory divergence.
  • The proposed ICT supply chain framework is focused on addressing risks not primarily associated with data protection. However, the framework may have a beneficial impact by limiting foreign interference with the data of EU data subjects through espionage and surveillance.
  • Ransomware data collection and coordination is supported, but the Opinion recommends strong safeguards given the sensitivity of information relating to ransom payments and affected individuals.

 

European Cyber Security Organisation

The European Cyber Security Organisation ("ECSO") published a reaction paper on the Proposals, focusing on a number of key issues across both the NIS2 amendments and Cybersecurity Act 2. ECSO was largely supportive of the Proposals; a selection of its comments is set out below:

  • Certification schemes for organisational cyber posture will simplify compliance and enhance legal certainty.
  • Structured ransomware incident reporting will strengthen threat intelligence and enable incident response support. However, entities should be supported by national authorities when reporting, including the anonymisation of relevant data.
  • The establishment of the EU framework to address non-technical risks in ICT supply chains is firmly welcomed.
  • Although revisions to the ECCF provide additional structure, the ECCF should be subject to stronger and broader industry involvement to ensure that internal market needs are taken into account.

 

Next steps

A consultation on the CSA2 proposals is currently underway. More widely, the Proposals will now be considered in both the European Parliament and Council, with a committee referral to the European Parliament recently confirmed for both the CSA2 and the NIS2 amendments and simplification.
