
With the publication of the European Commission’s proposal for a revised EU Cybersecurity Act on January 20th, Europe takes an important step toward strengthening its cybersecurity framework for a more complex and interconnected world. The proposal reflects how much both the threat landscape and the broader geopolitical context have evolved since the original Act was adopted in 2019.
Cybersecurity has increasingly become a strategic issue. The rapid adoption of generative and agentic AI, combined with deep digitalisation across all sectors, has expanded the scale, speed and sophistication of cyber threats. At the same time, questions of resilience, dependency and trust have moved to the centre of policy discussions, as geopolitics and cybersecurity become more closely intertwined.
Against this backdrop, the Commission’s focus on harmonisation and interoperability is particularly welcome. Cyber resilience cannot be built through fragmented implementation or isolated national approaches. It depends on shared frameworks, common definitions and the ability to act coherently across borders – especially because cyber threats have no borders.
A key element of the proposal is the strengthened mandate of ENISA. Enhancing the Agency’s resources, coordination role and operational capabilities has the potential to improve situational awareness and support more consistent implementation of EU cybersecurity policy across Member States. If implemented well, this can help bridge the gap between legislation and practical resilience.
The proposed reform of the ECCF also moves in a constructive direction. Clearer timelines, streamlined procedures and closer alignment with other EU legislation are essential to make certification more predictable and useful for both authorities and market participants. Maintaining a risk-based, technically focused and internationally aligned approach will be key to ensuring uptake and trust. An additional incentive for achieving a fast-track approach is to formalise the expert input channelled into the development of the certification schemes. Such multi-stakeholder collaboration would be a valuable support to ENISA and the national expert group ECCG.
The introduction of a horizontal framework for ICT supply-chain security reflects the reality that cybersecurity is now inseparable from broader resilience and economic security considerations. Addressing non-technical risks linked to governance, ownership and control is a complex task, and one that will require careful calibration as the proposal moves through the negotiation process. This will be essential to achieving the intended security objectives while preserving openness, innovation, and collaboration with trusted partners.
From our perspective, the overall direction of CSA2 reinforces the importance of security approaches that reduce systemic risk and dependency. As discussions now move into the next phase, constructive engagement between EU institutions, Member States and industry will be crucial. We will continue to deepen our commitment to Europe through our cloud-native, Zero Trust architecture, which is designed to minimise attack surfaces and decouple security from underlying infrastructure and is well aligned with the EU’s goals and digital sovereignty aspirations.
















