Tue. Apr 29th, 2025
The EU is consulting on an update of its 2019 Cybersecurity Act. Photo by geralt on Pixabay

Brussels, 11 April 2025

In an effort to strengthen the EU’s resilience against rising cyber threats, the Commission seeks input to evaluate and revise the 2019 Cybersecurity Act. This initiative reflects the Commission’s ongoing commitment to simplifying rules.

The review will initially focus on the mandate of ENISA, the EU’s cyber agency, the European Cybersecurity Certification Framework, and addressing ICT supply chain security challenges. It is also an opportunity to further simplify cybersecurity rules. By streamlining reporting obligations, the Commission wants to facilitate implementation, cut red tape, and foster a business-friendly environment.

Interested parties, including Member State competent authorities, cybersecurity authorities, industry and trade associations, researchers and academia, consumer organisations, and citizens, are invited to give their views on the Have Your Say portal and the EU Survey until 20 June.

Read more about the EU Cybersecurity Act.

 


The EU Cybersecurity Act

The Cybersecurity Act strengthens the EU Agency for cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services.

A new mandate for ENISA

ENISA, the EU Agency for cybersecurity, is now stronger. The EU Cybersecurity Act grants a permanent mandate to the agency, and gives it more resources and new tasks.

ENISA will have a key role in setting up and maintaining the European cybersecurity certification framework by preparing the technical ground for specific certification schemes. It will be in charge of informing the public on the certification schemes and the issued certificates through a dedicated website.

ENISA is mandated to increase operational cooperation at EU level, helping EU Member States who wish to request it to handle their cybersecurity incidents, and supporting the coordination of the EU in case of large-scale cross-border cyberattacks and crises.

This task builds on ENISA’s role as secretariat of the national Computer Security Incidents Response Teams (CSIRTs) Network, established by the Directive on security of network and information systems (NIS Directive).

A European cybersecurity certification framework

The EU Cybersecurity Act introduces an EU-wide cybersecurity certification framework for ICT products, services and processes. Companies doing business in the EU will benefit from having to certify their ICT products, processes and services only once and see their certificates recognised across the European Union.

More on the certification framework

Targeted amendment

On 18 April 2023, the Commission proposed a targeted amendment to the EU Cybersecurity Act. This targeted amendment was adopted on 15 January 2025 and aims to enable the future adoption of European certification schemes for ‘managed security services’ covering areas such as incident response, penetration testing, security audits and consultancy. Certification is key to ensuring a high level of quality and reliability of these highly critical and sensitive cybersecurity services, which assist companies and organisations to prevent, detect, respond to or recover from incidents.

On 11 April 2025, the Commission launched a public consultation for input to evaluate and revise the Cybersecurity Act.

Source – EU Commission

 
