The EU is in the midst of a policy recalibration. Spurred by a landmark report on competitiveness in 2024, Brussels leadership has pursued a wide-reaching simplification agenda aimed at making it easier for innovative businesses to operate and flourish in the Single Market. Meanwhile, concerns around the EU’s reliance on foreign technology have emboldened calls for digital sovereignty and internally-driven tech growth.
The Commission’s cybersecurity and digital technology mandates serve as key instruments to pursue sovereignty and simplification in tandem. Last week, policymakers released a proposal for a revised EU Cybersecurity Act (CSA) that brings these twin ambitions further into focus. While still awaiting adoption, the proposal offers important takeaways for the cyber industry’s EU compliance obligations. It also signals that Brussels, seeking to supercharge innovation, is actively heeding industry calls for regulatory simplification.
The EU Cybersecurity Act
Initially passed in 2019, the EU Cybersecurity Act introduced a voluntary cybersecurity certification scheme and strengthened the European Union Agency for Cybersecurity (ENISA) with an indefinite mandate.
The Act is patently ripe for a refresh. Adoption of the European Cybersecurity Certification Framework (ECCF) as outlined in the CSA has been mixed at best. Only the EUCC, covering ICT products and services, has been fully adopted, while schemes related to cloud services, 5G, digital identity wallets and managed security services remain in varying stages of materialization.
Moreover, the EU’s overall technology regulatory regime has grown considerably more complex since the CSA’s initial passing, with legislation like the AI Act, the Digital Operational Resilience Act, the Cyber Resilience Act and the NIS2 Directive contributing to a fragmented network of rules that are often confusing or redundant. The ensuing compliance burden on businesses, alongside emergent geopolitical concerns and technological advancements, has incentivized major CSA reform.
On January 20, the Commission released an extensive revision overhauling the CSA in order to address these concerns and expand the instruments available at the EU level to support comprehensive cyber security and resilience.
Streamlining the European Common Certification Scheme
The stalled implementation of the ECCF was a major target in the revised Cybersecurity Act. The introduction of a fully mandatory certification scheme was on the table, but the Commission favored a lighter touch, opting instead to clarify the procedural complexities hindering businesses’ ability to comply. The result is a new, simplified process with a more productive governance structure and the possibility of attaining an across-the-board certification of an entity’s entire cyber posture. These certifications will be able to demonstrate a presumption of conformity with other relevant EU instruments, including NIS2.
Bottom line for business:
A streamlined certification process covering full-scope cyber posture rather than a component-by-component checklist will benefit businesses that can demonstrate secure-by-design principles and foundational, full-lifecycle cyber readiness. This will be a particular boon to companies operating across complex, diffused cloud-native environments.
Since the scheme is still voluntary, businesses can use the certification as a guiding document that improves their overall market position compared to non-certified entities.
De-Risking Geopolitically Vulnerable Supply Chains
Complementing the ECCF, the revised CSA also takes aim at non-technical cyber risks, such as those associated with foreign interference and ICT supply chain dependencies. The proposed act would set out a plan to decouple critical cyber assets (most notably 5G and telecom networks) from “high-risk suppliers,” meaning vendors established in, or controlled by, certain third countries. This “horizontal framework” is intended to be technology and sector neutral, applying uniform scrutiny through a risk-based approach while supporting and reinforcing other Union directives.
Bottom line for business:
This provision addresses cyber concerns while also supporting the EU’s broader agenda of digital sovereignty. Aligning company messaging with the EU’s newfound emphasis on technological autonomy can support strategic engagement with the European public sector.
A designation of high-risk suppliers based on security and economic risk assessments is forthcoming, but the move is likely to predominantly impact Chinese ICT technology. This could open market space for less established suppliers who can demonstrate a high standard of cybersecurity and compliance.
Centralizing Cyber Oversight with ENISA
The revision expands the competencies of ENISA in order to centralize reporting obligations and support easier compliance. ENISA will operate a single entry point for incident reporting, housing an initiative proposed in late 2025’s Digital Omnibus. The agency will also oversee certification schemes and manage cooperation between Member States on incident triage, response and remediation. The Agency’s budget would increase by more than 75% to accommodate these new responsibilities.
Bottom line for business:
The expansion of ENISA’s budget and mandate will generate new pathways for public-private partnerships and procurement. As the Agency’s role in EU cyber resilience fortifies, establishing a point person responsible for communication with ENISA will help companies reap the rewards of a more centralized, streamlined EU compliance ecosystem.
Easing Compliance Burdens
Presented as add-on directives to the revised CSA, the Commission also unveiled targeted amendments to the NIS2 Directive that aim to further reduce compliance burdens. The NIS2 amendments provide jurisdictional and legal clarity, streamline data collection for ransomware attacks and reinforce ENISA’s coordination mandate.
Moreover, the amendments introduce into NIS2 a new designation of small-mid cap (SMC) businesses that will benefit from certain compliance and supervision easements. Under an earlier EU designation, small-mid cap enterprises are, in general terms, companies that are larger than SMEs but employ fewer than 750 persons and have an annual turnover not in excess of €150 million.
Bottom line for business:
The Commission predicts that these measures will ease compliance burdens for nearly 28,000 businesses. Companies falling under the new small-mid cap designation can expect the greatest tailwinds, not just with respect to cyber but more generally as the designation is further deployed across EU rulemaking.
The revised CSA goes far to reduce administrative burdens and enable secure innovation in the Single Market. It strengthens the instruments at the EU’s disposal to empower sound cyber practices and reinforces other relevant legislation, enhancing regulatory harmonization. This reflects a growing understanding of cyber resilience as both an operational imperative for the EU market and a means to empower sustainable innovation.
Interested in how EU policy insights can inform your next power move? Learn more about the OpenPolicy ecosystem and book a demo today.