European standards bodies push to keep cybersecurity certification tied to EU standards system
European standardisation organisations CEN and CENELEC have backed the proposed Cybersecurity Act 2 while warning against expanding the use of ENISA technical specifications beyond exceptional cases.
CEN and CENELEC have published a joint position paper responding to the European Commission’s proposed Cybersecurity Act 2, supporting the overall reform while calling for European standards to remain central to EU cybersecurity certification schemes.
The proposal, presented by the European Commission in January 2026, aims to revise the 2019 Cybersecurity Act in response to growing cyber threats, increased digitalisation, and geopolitical pressures affecting Europe’s digital infrastructure.
In their response, CEN and CENELEC argue that cybersecurity certification frameworks should continue relying primarily on standards developed through the European standardisation system. The organisations warn against broader reliance on technical specifications developed directly by the European Union Agency for Cybersecurity, known as ENISA, except as a ‘last resort fallback option’.
The position paper points to the EU Toy Safety Regulation as a possible model for limiting when ENISA technical specifications could be used instead of harmonised standards.
The organisations also call for discussions with the European Commission on excluding “high-risk suppliers” from participating in European technical committees responsible for developing cybersecurity standards.
According to the paper, cybersecurity standards for products with digital elements have already been identified as a priority area in the Commission’s 2026 Annual Union Work Programme for European Standardization, with both organisations currently involved in developing related standards.
The debate reflects broader tensions inside the EU over how cybersecurity rules should be developed and governed. While EU institutions are seeking faster and more flexible regulatory tools in response to evolving cyber risks, European standardisation bodies are pushing to preserve the existing standards-based governance model that relies on consensus-driven technical development processes.
The full CEN and CENELEC position paper is available here.
