Strengthening EU Cybersecurity: Harmonisation, Interoperability and Resilience


Key Takeaways

  • The EU Cybersecurity Act is being revised to address the growing threat of cyberattacks and improve resilience across the EU.
  • The revision should focus on fostering interoperability, equipping the EU with effective cybersecurity rules and certification frameworks, and enhancing public-private collaboration.
  • ENISA should be granted increased resources and funding to develop robust, cross-border frameworks and deliver unified standards and guidelines.
  • The revision should streamline the development of new ICT certification schemes and support expert-led stakeholder input.
  • The ultimate goal is to empower harmonization and collaboration to tackle the issues of fragmentation and isolation in EU cybersecurity.

Introduction to the EU Cybersecurity Act Revision
As Brussels prepares to present the revised EU Cybersecurity Act, it has a rare opportunity to strengthen the foundations, creating a more ambitious piece of legislation that focuses on fostering interoperability in order to improve resilience across the EU. The cybersecurity industry has undergone enormous change since the Act was issued in 2019. The wide availability of generative AI and the subsequent rise in agentic AI have meant bad actors are now unearthing infinitely more inventive ways of launching attacks and breaching defenses. The sheer pace of change within the technology industry and increasing digitization across all sectors mean that creating up-to-date cybersecurity regulation is becoming even more difficult.

The Need for Improved Cybersecurity Regulation
It’s for this reason that any revision of the EU Cybersecurity Act should focus on equipping the bloc with the means to navigate and implement cybersecurity rules and certification frameworks effectively across the EU27, in a way that aligns with international frameworks and enhances public-private collaboration and market uptake. While the initial EU Cybersecurity Act was a welcome piece of regulation and has undoubtedly elevated the EU’s cybersecurity posture, more can be done to drive resilience if we work together. Currently, we have several cybersecurity regulations that are being implemented at different paces and states of maturity, some of them in at least 27 different ways across the EU member states. Local amendments, combined with a lack of harmonized definitions and reporting requirements, are having the opposite effect on cybersecurity resilience to the one the EU cyber acquis intended.

Addressing Fragmentation in EU Cybersecurity
The European Union is currently rolling out the Digital Omnibus, which aims to align the various incident reporting requirements set under the many existing pieces of legislation. In order to fully achieve this objective, the co-legislators should ensure that ENISA’s revised mandate aligns with its new obligations set under NIS2 and the Cyber Resilience Act. As a first step to solving this issue of fragmentation, ENISA must be granted a significant increase in resources and funding that is commensurate with the mission that we’re asking it to fulfill. Adequately resourced, ENISA would be able to work more closely with national cybersecurity agencies to effectively develop robust, cross-border frameworks and deliver unified standards and guidelines with the urgency that our threat environment demands.

Enhancing ENISA’s Role
Beyond coordination, ENISA’s role in monitoring the threat landscape and providing central intelligence should be significantly enhanced in the revision to ensure organizations stay ahead of emerging risks. This would enable ENISA to provide timely and effective support to EU member states, helping them to respond to and mitigate the impact of cyberattacks. Furthermore, ENISA’s enhanced role would facilitate the development of a common understanding of cybersecurity risks and threats, allowing for more effective collaboration and information sharing between EU member states.

Streamlining ICT Certification Schemes
Finally, the Cybersecurity Act review should focus on streamlining the development of new ICT certification schemes, which has proven to be a complex process over the past few years, with only one adopted EU scheme so far. Supporting a framework that fosters expert-led stakeholder input into the development of the technical criteria could be a critical component for faster and more scalable adoption and deployment of such schemes. This would enable the EU to develop certification schemes that are effective, efficient, and widely adopted, ultimately enhancing the overall cybersecurity posture of the EU.

Conclusion and Recommendations
Ultimately, any revision to the EU Cybersecurity Act should look to tackle the issues of fragmentation and isolation by empowering harmonization and collaboration. Threat actors are not going to sit by idly, and ENISA must be given the ability to act as the unifying force that drives cross-border threat intelligence, establishing a baseline of common practices to be adopted across the region. By providing ENISA with the necessary resources and funding, streamlining ICT certification schemes, and enhancing public-private collaboration, the EU can create a more robust and resilient cybersecurity framework that is better equipped to address the evolving threat landscape.
