ETSI raises concerns over proposed changes in EU Cybersecurity Act revision

The European Telecommunications Standards Institute (ETSI) has published a position paper responding to the European Commission’s proposal for a revised Cybersecurity Act, known as Cybersecurity Act 2 (CSA2).

The document addresses how the proposed legislation could affect the European standardisation system, particularly in the field of cybersecurity. ETSI notes that the revision aims to update the EU framework in response to evolving cyber risks and geopolitical developments.

One of the key issues raised concerns the role of the EU Agency for Cybersecurity (ENISA). ETSI supports ENISA’s involvement in providing technical guidance and contributing to standardisation activities but cautions against expanding its role to drafting technical specifications, which could create parallel processes outside established frameworks.

The paper also examines proposed provisions related to ‘high-risk suppliers’. Under the draft regulation, certain entities could be excluded from participating in the development of cybersecurity standards. ETSI argues that such restrictions could affect the openness of the standardisation process and its alignment with existing principles, including transparency, consensus, and broad participation.

ETSI emphasises that standards play a role not only in regulatory compliance but also in facilitating international cooperation and trade. It notes that limiting participation could affect the global relevance and adoption of European standards.

The organisation also highlights the importance of maintaining a market-driven approach to standardisation, where decisions are based on technical merit rather than policy considerations. It points to the need to preserve established principles under EU law and international agreements, including openness and neutrality.