Cybersecurity Act Review: What Comes Next

The European Union is preparing for a major update of its cybersecurity framework, as the long-awaited review of the Cybersecurity Act (CSA) is now scheduled for 14 January 2026. 

Since the CSA entered into force in 2019, the cybersecurity environment in Europe has changed profoundly. The frequency and sophistication of cyber-attacks have increased, while new EU legislation — most notably NIS2 and the Cyber Resilience Act (CRA) — has significantly expanded both regulatory scope and enforcement mechanisms. These changes have also led to a substantial broadening of ENISA’s responsibilities, making a comprehensive review of the CSA both necessary and timely.

What the review aims to achieve

Stakeholders participating in the consultation process largely agree on the overall direction of the reform. The CSA review is expected to:

  • Streamline cybersecurity measures,
  • Enhance cyber resilience, and
  • Simplify the EU regulatory landscape, with the explicit objective of reducing administrative burden and compliance costs for organisations operating in the EU.

A particularly strong point of convergence is the call to harmonise definitions and reporting requirements across major legislative instruments, including NIS2, the CRA and the GDPR. Stakeholders also support the creation of a single EU incident notification platform, which is now being pursued through the Commission’s proposed “digital omnibus” regulation.

Strengthening ENISA's role

Another central pillar of the review concerns ENISA, whose mandate and responsibilities have expanded considerably under recent EU cybersecurity legislation. There is broad consensus that ENISA’s role should be clarified and strengthened, positioning the agency as a central technical coordinator to ensure consistent implementation of cybersecurity rules across Member States. Stakeholders stress, however, that this expanded role must be supported by adequate funding and staffing to be effective. 

Reforming the certification framework

The review will also address long-standing challenges within the EU cybersecurity certification framework. To date, only one European certification scheme — the EUCC — has been formally adopted, while several others, including those for cloud services, 5G, digital identity wallets and managed security services, remain under development. Stakeholders are calling for a faster, more transparent and more inclusive certification process, better aligned with international standards, in order to improve interoperability and reduce compliance costs for globally active companies.

There is also growing support for using EU certification schemes as recognised mechanisms for demonstrating compliance with security requirements under other major legislative acts, including NIS2, the CRA and the AI Act.

Outstanding challenges

Significant disagreements remain on sensitive policy issues, particularly around the inclusion of sovereignty requirements in certification schemes and the appropriate balance between voluntary and mandatory certification, especially in critical sectors. Views also diverge on the extent of ENISA’s regulatory authority, with some stakeholders opposing the idea of granting the agency binding regulatory powers. 

The Commission’s forthcoming proposal will need to navigate these competing perspectives while aligning the CSA with the broader simplification of cybersecurity reporting obligations under the “digital omnibus” initiative published in November 2025.
