24 Jun 2025

Updating the EU cybersecurity framework: Industry priorities for the Cybersecurity Act revision

Executive summary
The EU’s cybersecurity framework has undergone substantial expansion since the adoption of the Cybersecurity Act (CSA) in 2019. Alongside the CSA, new legislative instruments – including NIS2, the Cyber Resilience Act (CRA), DORA and the Cyber Solidarity Act – now define a much more comprehensive and multi-layered regulatory architecture for cybersecurity across the single market.

In this context, the CSA review presents an opportunity to strengthen the role of certification as a practical tool for legal interoperability, regulatory coherence and market trust. At the same time, experience with the implementation of the CSA has highlighted areas where targeted improvements are needed to ensure that certification schemes are effective, market-relevant and fully aligned with both technological realities and business models.

The review must preserve the CSA’s original balance: enabling cybersecurity resilience whilst safeguarding competitiveness and innovation. Certification should serve as a facilitative instrument that supports businesses, avoids unnecessary regulatory layering and integrates coherently with existing and emerging EU legislation. In parallel, the CSA review should clarify ENISA’s mandate and strengthen its role in supporting technical consistency, certification development, vulnerability management and international cooperation, whilst respecting the distinct mandates of other EU bodies.

This paper aims to contribute constructively to the CSA review process, drawing on the experience of both ICT providers and users across sectors. Our proposals seek to ensure that the CSA remains a cornerstone of European cybersecurity policy, delivering effective, proportionate and globally interoperable outcomes.

Our key recommendations are to:

  • Preserve the voluntary nature of certification as the general rule. Mandatory certification should
    remain limited to well-defined high-risk use cases, with any expansion subject to full assessment of
    proportionality and market impact.
  • Strengthen certification as a legal interoperability tool across the EU cybersecurity rulebook.
    Certification schemes should serve as recognised instruments to demonstrate compliance with
    technical obligations under other frameworks, minimising duplicative assessments.
  • Accelerate the development of certification schemes, with clearer governance, transparent
    processes and predictable adoption timelines.
  • Improve governance and stakeholder involvement, including a stronger role for stakeholders,
    transparent interaction with Member States and clearer separation between the technical
    preparation and adoption phases.
  • Ensure full harmonisation of certification baselines across Member States, with narrowly
    defined national deviations only where strictly necessary to address unique security concerns.
  • Align EU certification schemes with international standards to maintain global interoperability,
    reduce compliance costs and support European industry’s global competitiveness.
  • Expand ENISA’s mandate, enabling the Agency to concentrate on certification development, policy
    advisory functions, regulatory coherence, international cooperation and vulnerability management,
    whilst avoiding institutional overlaps with other EU bodies.
  • Support ENISA’s role in vulnerability disclosure by enhancing its contribution to the global CVE
    system and ensuring alignment between European and international vulnerability identifier systems.
  • Maintain the European Cybersecurity Competence Centre’s (ECCC) lead role on
    cybersecurity skills development, with ENISA providing strategic input.

DIGITALEUROPE remains committed to working with the EU institutions and Member States to ensure effective, coherent and globally competitive cybersecurity outcomes for Europe.

For more information, please contact:
Sid Hollman
Policy Manager for Cybersecurity, Digital Infrastructure & Mobility
Alberto Di Felice
Policy and Legal Counsel