European Commission prepares overhaul of the EU Cybersecurity Act

The European Commission is preparing a revision of the EU Cybersecurity Act that would significantly broaden how cybersecurity certification works across the European Union. The planned changes reflect concerns that the current framework is too narrow and slow to respond to the growing complexity of digital risks.

Why the Cybersecurity Act is being revised

Since the Cybersecurity Act entered into force in 2019, only one EU-wide certification scheme, based on the Common Criteria framework, has been formally adopted. Other anticipated schemes, including those for cloud services, 5G networks, and digital identity systems, have stalled. According to EU officials, the existing process is procedurally complex and lacks sufficient transparency, making it difficult for both regulators and companies to plan ahead.

At the same time, cybersecurity risks increasingly arise not only from individual products, but from how organisations manage security across their operations, suppliers, and service providers. The Commission argues that the current focus on technical compliance alone does not adequately capture these broader risks.

Expanding certification beyond products

Under the proposed reform, EU cybersecurity certification would no longer be limited to information and communication technology products or services. Certification schemes could also assess an organisation’s overall cybersecurity posture, including governance structures, risk management practices, and supply-chain controls.

Managed security services, such as incident response, monitoring, and penetration testing, would become eligible for EU-level certification. This reflects the growing role of outsourced security providers and the need for common standards to assess their reliability and maturity.

A stronger role for ENISA

The revision would also strengthen the role of the EU Agency for Cybersecurity, ENISA. The agency would act as a central technical coordinator across member states, supporting the development and operation of certification schemes under a more structured, long-term work programme.

Expanding ENISA’s mandate would require additional funding and staff, particularly as the agency already plays a role in implementing newer EU cybersecurity laws. The Commission has acknowledged that without extra resources, ENISA would struggle to meet these expectations.

Stakeholder views and next steps

Industry and public-sector stakeholders have broadly welcomed the direction of the reform, particularly its aim to reduce regulatory fragmentation across the EU. Harmonised certification schemes are seen as a way to lower administrative burdens for companies operating in multiple member states, while providing clearer signals about cybersecurity maturity.

According to the Commission, organisational certification would complement, not replace, existing product-based assessments. The goal is to combine technical compliance with a broader evaluation of how organisations manage cybersecurity risks in practice.

Details of the revised Cybersecurity Act, including timelines and legislative proposals, are expected to emerge as discussions progress within EU institutions and with member states.