EU cybersecurity reform raises data protection questions in new joint opinion

A new joint opinion by EU data protection authorities examines proposed updates to the Cybersecurity Act and NIS2 Directive, highlighting tensions between stronger cybersecurity measures and the protection of fundamental rights.

The European Union is preparing a significant update to its cybersecurity framework. The proposed Cybersecurity Act 2 and amendments to the NIS2 Directive aim to strengthen the EU’s ability to prevent and respond to cyber threats. However, a joint opinion by EU data protection authorities suggests that these reforms also raise important questions about privacy and the handling of personal data.

The opinion, adopted in March 2026 by the European Data Protection Board and the European Data Protection Supervisor, examines how the proposals could affect individuals’ rights.

At the core of the discussion is a fundamental tension. Cybersecurity measures are designed to protect systems and data from attacks. At the same time, they often rely on monitoring, data sharing, and analysis, which can interfere with privacy and data protection rights. The authorities stress that any such measures must remain necessary and proportionate, not only effective.

One of the central proposals is to expand the role of the EU Agency for Cybersecurity (ENISA). The agency would act more as an operational hub, supporting cooperation between countries and managing information about cyber threats. While this could improve coordination, it also raises concerns about whether ENISA might process large amounts of personal data. The opinion notes that this must be clearly defined in law, including safeguards and limits.

Another key measure is the creation of a single reporting entry point for cybersecurity incidents, including personal data breaches. This is intended to simplify reporting obligations for organisations. The data protection authorities support this approach, arguing that it could reduce administrative burden without weakening protections, provided that strong security measures are in place.

The proposals also introduce a European cybersecurity certification framework. This would allow products and services to be certified as secure. However, the opinion warns that the relationship between cybersecurity certification and existing data protection rules, such as those under the GDPR, remains unclear. Without clarification, organisations may face uncertainty about how different compliance regimes interact.

Beyond technical measures, the reforms address broader risks, including supply chain vulnerabilities and ransomware attacks. For example, companies may be required to report whether they have paid a ransom and provide related details. While this could help authorities understand and prevent attacks, it may also involve processing sensitive information, requiring clear data protection safeguards.

The opinion also highlights a gap in skills policy. A proposed EU cybersecurity skills framework focuses mainly on specialists. The authorities recommend extending it to the general workforce, noting that many cyber incidents originate from human error, such as falling for phishing or following poor password practices.