EuroISPA welcomes the European Commission’s proposals for a revised Cybersecurity Act (CSA 2.0) and the accompanying NIS2 Simplification Directive as meaningful steps towards a stronger European cybersecurity framework.
At the same time, we believe further work is needed. Our key priorities:
Certification schemes must remain strictly technical
Reporting obligations must be harmonised across NIS2, CRA, GDPR and DORA, with a single audit principle
Supply chain risk assessments must be objective and evidence-based
Mandatory ICT asset phase-out must remain proportionate and economically sustainable
NIS2 simplification measures are essential to support SME and mid-cap operators and preserve competition
Internally developed tools not placed on the market should be exempted from certification requirements
Open source communities, SMEs, and independent developers must be recognised as key contributors to Europe’s cyber resilience
A secure and competitive European digital ecosystem requires a framework grounded in technical evidence, operational feasibility, and proportionality. We look forward to engaging with co-legislators on these important EU policy issues.
EuroISPA Contribution to the proposal on CSA 2.0 and the Directive on Simplification Measures and Alignment with the Cybersecurity Act (Secretariat, 2026-05-08)
EuroISPA contributed to the online survey of the European Commission on the Cybersecurity Act, emphasising the following considerations:
Preserve a technical focus in certification: Cybersecurity certification schemes should remain strictly technical, avoiding political or sovereignty-based criteria to maintain neutrality, credibility, and cross-border interoperability.
Reinforce ENISA’s role: ENISA should have a stronger mandate to harmonise standards across the EU, promote international standards, and ensure transparency and stakeholder involvement in certification development.
Simplify and harmonise regulatory frameworks: The CSA should align with other EU regulations (like NIS2, CRA, GDPR, DORA), introducing unified reporting thresholds and single incident-reporting points to reduce overlapping obligations.
Support SMEs with proportionate compliance: SMEs should be allowed to use simplified, self-declared compliance processes to avoid excessive regulatory burdens that could hinder their participation in the digital economy.
Exclude internal-use tools from certification: Software and tools developed in-house and not marketed externally should be exempt from certification, unless used in critical infrastructure, to prevent unnecessary regulation.
Protect open-source and small-scale developers: The CSA must account for the vital role of open-source and small developers by ensuring certification schemes are affordable, inclusive, and supportive of innovation and diversity.
The past year has brought several significant developments at EU level in both the cybercrime and cybersecurity fields.
The adoption of the European Commission’s flagship project, the e-Evidence Regulation, in the summer of 2023, was a significant milestone given the ongoing discussions on the topic since 2017. For the first time, law enforcement authorities will now be able to directly address service providers established on the territory of a different Member State. The focus will now be on the technical implementation of the Regulation in the Member States, where new challenges will be posed by the EU-wide harmonisation of the national technical platforms for the secure exchange of data between law enforcement authorities and service providers via a decentralised IT-system.
Another central topic is the importance of encryption. The initial proposal on the Regulation to combat child sexual abuse stipulated detection measures that would have significantly undermined the use of end-to-end encryption in communication services. This provoked a huge wave of criticism showing that secure communications are also important to the broader public. This response ultimately led the European Parliament to explicitly exclude end-to-end encrypted communications from the scope of the Regulation.
At EU Member State level, the implementation of the NIS-2-Directive is still ongoing and will require substantial efforts by the affected companies, especially those that have not been subject to any cybersecurity requirements until now. On the other hand, providers of electronic communication networks and services are already under a sector-specific security regime as part of the European Electronic Communications Code. It will therefore be important that the national implementation of the NIS-2-Directive takes into account the already existing security concepts in this sector and only stipulates additional measures where these would in fact lead to a higher level of security.
A political agreement on the Cyber Resilience Act has been reached, which harmonises cybersecurity standards for products and software with digital components and will also assist providers under the NIS-2-Directive to ensure supply chain security. Finally, it must be noted that the enormous frequency of new legal acts in the field of cybersecurity in recent years poses major challenges for the companies affected by them, as their internal processes must constantly be adapted, and it is often hard to find the necessary skilled workers to implement new requirements. With this in mind, along with the new mandate coming up this year, the focus of the upcoming European Commission should be on the smooth implementation of these legal acts rather than on new proposals.
Andreas Gruber Former Chair of the EuroISPA Cybercrime & Cybersecurity Committee
Cybersecurity in the EU: Milestones, Challenges, and the Road Ahead (Elena, 2024-04-15)