
Europe’s Cybersecurity Act Needs a Hard Reboot: Here’s How 

December 9, 2025

Main takeaways

  1. The upcoming revision of the Cybersecurity Act (CSA) should re-centre certification on transparent, technical processes, delivering assurance and reducing complexity.
  2. Moreover, the CSA’s certification schemes should be made a powerful tool to demonstrate compliance across the board, driving EU regulatory simplification.
  3. To fast-track certification we must move past obsolete, blunt country-of-origin restrictions and adopt a more sophisticated approach to managing geopolitical risks.

As the European Commission prepares to revise the Cybersecurity Act (CSA), Europe faces a critical moment to learn from past mistakes. Originally adopted in 2019 to build trust in information and communications technology (ICT) products and services, the CSA has yet to produce a single technology-specific certification scheme ready for adoption across the EU market. 

Fast forward to 2025, and we must conclude that the CSA has unfortunately failed to deliver. It has been mired in non-technical, political debates on restricting non-EU providers, as if that would better equip Europe against cyber threats, or shield European data from foreign laws with extraterritorial reach. Such measures would only leave Europeans with fewer, less secure choices.

The Cybersecurity Act therefore needs a hard reboot: one that empowers independent technical expertise, addresses regulatory fragmentation, and keeps European customer control at the centre. Managing geopolitical risks should be done in a smarter way, where it can actually make a difference.

1. Empower ENISA to promote transparent and inclusive certification

Ever since the CSA’s entry into force, progress has been hindered by limited stakeholder involvement and delayed processes. To truly fulfil the CSA’s goal of creating a streamlined certification framework, the development of certification schemes must be grounded in a transparent process, one informed by real-world industry experience and driven by a central, independent authority.

To achieve that, governance changes are needed. Indeed, the European Union Agency for Cybersecurity (ENISA) must be empowered to coordinate the development and maintenance of certification schemes, issue technical guidance, and unify practices across EU Member States. As a technically focused body with strong connections to national cybersecurity agencies, ENISA is well positioned to lead on technical matters, free from political interference.

Likewise, these certification schemes must be grounded in a transparent and inclusive process. Involving a diverse set of stakeholders in the drafting and review of certification schemes will help ensure that certificates also reflect practical, real-world use cases. This also improves their adoption and innovation further down the line. 

2. Give customers and vendors what they need: Product security benchmarks

The core purpose of the Cybersecurity Act was always supposed to be providing customers with the confidence that the ICT products and services they use provide the security guarantees they expect. This confidence comes from robust, technical security benchmarks. By allowing vendors to showcase compliance with these rules, and go the extra mile with three separate assurance levels, the CSA gives vendors a strong competitive advantage and offers great compliance visibility for customers.

This positive visibility is exactly what’s needed to cut through the existing fragmentation. And while the announced Digital Omnibus simplification package introduces minor tweaks to regulatory fragmentation, much more needs to be done to unify and consolidate the cacophony of cybersecurity rules. This is where the CSA has a role to play.

On the other hand, political interference, such as recurring proposals to include broad exclusionary criteria for non-EU firms in schemes, risks derailing the CSA’s mission, as it has in recent years. While framed as security measures by some, these non-technical criteria (such as ownership restrictions and data localisation) simply do not improve cybersecurity.

Security comes from architecture, coding practices, encryption, and vulnerability management, not from geography or the provider’s nationality. Excluding providers based on country of origin would deny Europeans access to secure, innovative solutions, while forcing substandard choices onto users.

3. Move on from obsolete ‘country of origin’ restrictions 

European policymakers have expressed understandable concerns regarding supply chain vulnerabilities, extra-territorial government data access laws, trade sanctions, and their possible effects on ICT service continuity and integrity. However, unilateral market access restrictions will never be the appropriate tool to resolve complex geopolitical and legal conflicts, and may create more problems than they attempt to solve.

If the goal is to merely show customers that the parent company of a European subsidiary has its global headquarters in or outside the EU, or its top executives or investors are non-EU nationals, a mere search on Wikipedia will be more cost-efficient than building an elaborate politically motivated scheme into a 300-page technical cybersecurity certification.

But if the goal is to explicitly reserve parts of the EU market for companies with global headquarters in the EU, Europe risks once again falling into this false ‘EU vs non-EU’ dichotomy that has raised concerns among many of its trade partners in the past and led to the demise of the European Cybersecurity Certification Scheme for Cloud Services (EUCS) not so long ago. 

Having a company’s global headquarters located in the EU, or its top execs holding a European passport, does not shield a company active in a foreign country from that country’s laws. While it may sound like common sense to most, it came as a shocker for OVH, a French company doing business in Canada, which received an order to produce electronic evidence in a Canadian criminal investigation that it holds on a server based in France. After all, giving law enforcement the ability to access data regardless of where it’s hosted is what more and more governments do, including the European Union.

Likewise, it would be unfortunate if the EU reserved a chunk of the cloud market for a European company, whose ‘sovereign’ cloud solution in reality turns out to be running entirely on Chinese hardware, or ‘Europe-labelling’ Chinese tech infrastructure for instance.

All this to say, we need greater nuance in how we understand and address these legal tensions, along with a broader perspective and a clearer grasp of active threats at the supply-chain level.

Conclusion

The Cybersecurity Act’s review is an important chance to reboot cybersecurity certification in the EU, and finally deliver the benchmarks customers and vendors would value amidst today’s regulatory cacophony, at a time when cyber threats keep rising.

By refocusing the CSA on its core mission of technical certification, strengthening ENISA’s role, and eliminating regulatory fragmentation, the European Commission can enhance cybersecurity while preserving market openness. Europe cannot afford another five years of missteps; this is the moment to get it right.
