EU Commission opens consultation on revising Cybersecurity Act

Written By

Paolo Sasdelli

Regulatory and Public Affairs Advisor
Belgium

As a Regulatory and Public Affairs Advisor, I assist clients in understanding the EU decision-making processes and the impact of EU laws on their sectors.

To strengthen the European Union’s cybersecurity framework, the European Commission has launched a public consultation to revise the EU Cybersecurity Act. This initiative, announced on April 11, 2025, aims to address evolving cyber threats and streamline existing regulations to foster a more resilient and business-friendly environment.

The EU Cybersecurity Act, initially adopted in 2019, established the European Union Agency for Cybersecurity (ENISA) and introduced the European Cybersecurity Certification Framework (ECCF). These measures were designed to enhance the security of digital products, services, and processes across the EU. However, the rapid pace of technological advancement and the increasing sophistication of cyber threats necessitate a comprehensive review and update of the Act.

The consultation will focus on several key areas, including the mandate of ENISA, the European Cybersecurity Certification Framework, and the security challenges within the ICT supply chain. One of the primary objectives is to ensure that ENISA has the necessary resources and authority to effectively support Member States in their cybersecurity efforts. Additionally, the consultation aims to refine the certification framework to make it more adaptable to emerging technologies and threats.

Another critical aspect of the consultation is addressing the security challenges within the ICT supply chain. With the growing reliance on interconnected devices and systems, ensuring the security of the supply chain has become paramount.

At this stage of reflection, the Commission is considering several policy options:

  1. Maintaining the status quo: No changes to the current Cybersecurity Act.
  2. Non-legislative measures: Enhancing the efficiency of the ECCF and clarifying reporting obligations and other cybersecurity measures.
  3. Targeted regulatory intervention: Making specific changes to better reflect ENISA's mandate and formalize procedures within the ECCF, including simplifying reporting obligations.
  4. Comprehensive regulatory intervention: Repealing the current Act and proposing a new framework that strengthens ENISA's mandate, improves ECCF efficiency, extends its scope, and addresses ICT supply chain security challenges, including non-technical risk factors.

The ultimate goal of the revision is to streamline, prioritize, and simplify cybersecurity reporting obligations at the EU level, thereby enhancing the implementation of cybersecurity measures across the Union. This approach aims to create a more business-friendly environment, encouraging innovation and investment in cybersecurity solutions. The consultation also emphasizes the importance of international cooperation and alignment with global cybersecurity standards.

Stakeholders from various sectors, including Member State authorities, industry associations, academia, and consumer organizations, are invited to share their insights and feedback through the "Have Your Say" portal until 20 June 2025.
