13 May 2026

EU cybersecurity rules: fixing certification, supply chains and critical entities

Executive summary 

In recent years, the EU has built one of the world’s most ambitious regulatory frameworks for cybersecurity, driven by rising cybersecurity risks. The challenge the newly proposed cybersecurity package must meet is to make that framework work in practice. 

The Cybersecurity Act 2 (CSA2) should position ENISA as a trusted EU coordination hub and make the European cybersecurity certification framework useful.1 Given the hardened state of international affairs, the ICT supply chain security framework is a positive step towards mitigating non-technical risks; the current proposal, however, can result in far-reaching measures and must lay out a clearer, more predictable procedure, including stakeholder involvement. 

Targeted amendments to the NIS2 Directive respond minimally to deep concerns industry has raised over the past years and are welcome.2 More rigorous harmonisation is needed to simplify different national rules on scope, stricter national requirements, multiple supervisory authorities, varying conformity assessment obligations and inconsistent compliance timelines. 

On ENISA’s role: 

  • ENISA should conduct impact assessments for, and coordinate the implementation of, all relevant EU legislation to help develop a more coherent EU cybersecurity framework. 
  • The expanded role in mutual assistance should safeguard the strong partnership with industry. 
  • ENISA should support EU cybersecurity standardisation by advising and coordinating within existing standardisation processes, avoiding parallel technical specifications that would weaken harmonised standards and international alignment. 

On the European cybersecurity certification framework: 

  • Schemes should remain voluntary and provide evidence of compliance with EU legislation to ensure they play a meaningful role. 
  • Mature international and European standards should be used wherever possible, with new schemes developed only to fill clear gaps. 
  • A meaningful advisory structure should replace the misused Stakeholder Cybersecurity Certification Group (SCCG) to improve transparency and quality. 
  • Any extension profiles to schemes should be technical, proportionate, justified by specific uncovered risks and designed to avoid national overlays or market access barriers. 

On the ICT supply chain security framework: 

  • ICT supply chain measures should remain proportionate, applying only where clearly identified non-technical cybersecurity risks cannot be mitigated through existing EU rules, and where impacts have been thoroughly assessed. 
  • A structured consultation mechanism with affected companies should be introduced, to ensure risks are properly understood, measures are feasible and unintended market disruption is avoided. 
  • Risk assessments and changes to high-risk designations should follow a clear, evidence-based process with defined criteria, thresholds, timelines and meaningful Member State involvement. 

On NIS2: 

  • NIS2 should be further harmonised across all entities, including scope, size thresholds, incident reporting, classification, main establishment rules and conformity assessment requirements. 
  • Scope should focus on core business activities only, excluding ancillary operations, to avoid disproportionate obligations. 

For more information, please contact:
Hanna Harrison
Associate Director for Resilience & Critical Infrastructure
Alberto Di Felice
Policy and Legal Counsel