EuroISPA Contribution to the Cybersecurity Act Review

EuroISPA contributed to the online survey of the European Commission on the Cybersecurity Act, emphasising on the following considerations:

• Preserve a technical focus in certification: Cybersecurity certification schemes should remain strictly technical, avoiding political or sovereignty-based criteria to maintain neutrality, credibility, and cross-border interoperability.

• Reinforce ENISA’s role: ENISA should have a stronger mandate to harmonise standards across the EU, promote international standards, and ensure transparency and stakeholder involvement in certification development.

• Simplify and harmonise regulatory frameworks: The CSA should align with other EU regulations (like NIS2, CRA, GDPR, DORA), introducing unified reporting thresholds and single incident-reporting points to reduce overlapping obligations.

• Support SMEs with proportionate compliance: SMEs should be allowed to use simplified, self-declared compliance processes to avoid excessive regulatory burdens that could hinder their participation in the digital economy.

• Exclude internal-use tools from certification: Software and tools developed in-house and not marketed externally should be exempt from certification, unless used in critical infrastructure, to prevent unnecessary regulation.

• Protect open-source and small-scale developers: The CSA must account for the vital role of open-source and small developers by ensuring certification schemes are affordable, inclusive, and supportive of innovation and diversity.

Read more here.