Brussels (Brussels Morning Newspaper) January 16, 2026 – The European Commission plans to revise the Cybersecurity Act, expanding certification schemes to cover companies’ overall risk-management posture alongside ICT products and services. The legislative proposal responds to the stalled implementation of the 12 existing schemes and aims to introduce clearer procedural rules affecting cloud providers, 5G networks, and managed security services. The Commission expects to publish the revised regulation on January 20, following a public consultation that revealed broad stakeholder support for harmonisation and reduced administrative burdens.
- Cybersecurity Act evaluation reveals implementation challenges
- Certification framework expansion targets managed security services
- ENISA mandate strengthening addresses operational responsibilities growth
- Risk management posture certification covers organisational practices
- Cloud services and 5G networks enter mandatory certification schemes
- Procedural simplification accelerates stalled certification schemes
- Stakeholder convergence supports regulatory simplification efforts
- Supply chain security addresses non-technical risk factors
- International standards alignment ensures global interoperability
- Digital Europe Programme funds certification infrastructure development
- Market surveillance coordination ensures post-certification compliance
- Quantum-ready cryptography migration planning requirements integration
- SME-friendly certification procedures technical assistance provision
The review addresses slow progress since the 2019 Cybersecurity Act established ENISA’s permanent mandate and the voluntary EU certification framework. Only the EU Common Criteria scheme has achieved formal adoption, while the cloud, 5G, and digital identity wallet certifications remain under development due to procedural complexities and a lack of transparency.
Luca Bertuzzi highlighted the draft’s details in a post on X:
“EU Commission plans to expand cybersecurity certificates to cover companies’ overall risk-management posture, a draft of the revamped Cybersecurity Act shows. The reform aims to revive stalled EU cyber certification by introducing clearer procedural rules.”
— Luca Bertuzzi (@BertuzLuca) January 16, 2026
Cybersecurity Act evaluation reveals implementation challenges

The Commission’s mandatory five-year evaluation, postponed multiple times, was finally completed in December 2025 and documented the certification framework’s limited progress. Stakeholders identified procedural delays, transparency issues, and the lack of a Union Rolling Work Programme as hindering long-term planning for public authorities and industry participants. The evaluation noted a 150% increase in cyberattacks during 2024, alongside an expanding regulatory landscape, including the NIS2 Directive, the Cyber Resilience Act, and the Cyber Solidarity Act, that further complicates compliance.
ENISA’s growing responsibilities under the new legislation require clarification of its mandate and additional financial and staffing resources if it is to serve as the central technical coordinator across the 27 member states. Respondents to the public consultation expressed consensus on streamlining cybersecurity measures, enhancing resilience, simplifying reporting obligations across the NIS2, CRA, and GDPR frameworks, and establishing a single EU incident notification platform.
Certification framework expansion targets managed security services

A targeted amendment in January 2025 enabled the future adoption of European certification schemes for managed security services, covering incident response, penetration testing, security audits, and consultancy services. The revision addresses the current framework’s limitation of focusing primarily on ICT products and services rather than on comprehensive organisational risk management. The expanded scope includes company-wide cybersecurity posture assessment beyond individual product certifications.
The draft proposal introduces tiered assurance levels (basic, substantial, and high) with corresponding technical requirements and third-party conformity assessment obligations. ENISA is tasked with designating additional European cybersecurity laboratories and expanding beyond the current 12 schemes, covering cloud services, 5G networks, digital identity wallets, managed security services, and operational technology systems.
ENISA mandate strengthening addresses operational responsibilities growth
Stakeholders agree that clarification of ENISA’s mandate is necessary to reflect its expanded operational responsibilities under the NIS2, CRA, and Cyber Solidarity Act coordination requirements. The agency is positioned as the central technical coordinator, promoting consistency and harmonising implementation across member states to reduce the regulatory divergence currently complicating compliance efforts. Expanded financial resources and staffing are required to ensure its effectiveness in managing a growing portfolio.
The Commission gathered stakeholder views on ICT supply chain security challenges and simplification opportunities during the public consultation phase. Respondents highlighted non-technical risks, including geopolitical dependencies, that require the certification framework’s attention alongside technical product and service security assurances.
Risk management posture certification covers organisational practices
The proposed expansion covers companies’ overall risk-management posture, including governance, policies, procedures, and supply chain security practices, beyond product-specific certifications. Certification schemes would assess organisational maturity frameworks aligned with ISO/IEC 27001, ensuring a comprehensive approach to cybersecurity implementation and monitoring. Third-party assessors would evaluate risk assessment processes, incident response capabilities, supply chain risk management, and continuous improvement mechanisms.
ENISA is to develop harmonised evaluation criteria and assurance levels, ensuring interoperability and mutual recognition across member states and eliminating national scheme fragmentation. Market surveillance authorities would have access to certification documentation for post-market monitoring, enforcing ongoing compliance obligations and coordinating cybersecurity incident reporting requirements.
Cloud services and 5G networks enter mandatory certification schemes
Cloud service providers face certification at the substantial assurance level, covering encryption, key management, access controls, multi-tenancy isolation, and data residency compliance requirements. The ENISA cloud certification scheme harmonises EUCS Level 1-3 requirements for transparency, audit logging, and vulnerability management processes, establishing single EU-wide recognition and eliminating 27 national schemes.
5G telecommunications networks require certification of core network functions, radio access networks, and edge computing platforms serving 450 million EU subscribers. The Commission integrates the 5G Cybersecurity Toolbox measures into mandatory certification obligations, ensuring the security of network function virtualisation and software-defined networking, multi-vendor interoperability verification, and supply chain risk management.
Procedural simplification accelerates stalled certification schemes
The draft legislation introduces clearer procedural rules to revive stalled certification development and address the current framework’s transparency and predictability issues. A regularly updated Union Rolling Work Programme would give industry long-term planning certainty and improve the efficiency of public-private coordination. Fast-track procedures for high-priority schemes, including cloud, 5G, managed security services, and digital identity wallets, aim to meet 2028 market readiness timelines.
An ENISA certification portal and digital submission platform would streamline conformity assessment documentation processing and stakeholder coordination. Simplified procedures for micro-SMEs, with reduced documentation obligations and technical assistance programmes, support small business participation (85% of the EU digital economy) in the development of the cybersecurity compliance ecosystem.
Stakeholder convergence supports regulatory simplification efforts
Public consultation responses demonstrated broad agreement on streamlining cybersecurity measures, enhancing resilience, and simplifying the EU regulatory landscape to reduce the administrative burden and compliance costs for organisations operating across member states. Respondents called for harmonising definitions and reporting requirements and establishing a single EU incident notification platform to address overlapping obligations under the NIS2, CRA, and GDPR frameworks.
Strengthening ENISA’s central coordinator role is a consensus position, promoting consistency and harmonised implementation and reducing the regulatory divergence currently fragmenting single market cybersecurity compliance efforts. The Commission’s Digital Omnibus regulation proposal complements the certification framework revision by establishing a unified incident reporting platform and operational coordination.
Supply chain security addresses non-technical risk factors
The certification framework expansion addresses non-technical supply chain cybersecurity risks, including geopolitical dependencies and vendor reliability assessment, beyond traditional technical product security evaluations. Organisational certification schemes would evaluate third-party risk management, software bill of materials generation, continuous monitoring capabilities, and supply chain compromise detection and response coordination.
ENISA is to develop supply chain security assurance requirements, cryptographic module validation, Common Criteria alignment, and international standards interoperability. Integration with the Commission’s Cyber Resilience Act establishes a presumption of conformity for certified products, coordinated enforcement among market surveillance authorities, and consolidation of the digital single market.
International standards alignment ensures global interoperability
The revised schemes align with the ISO/IEC 27001 (information security management), ISO/IEC 27017 (cloud security), and ISO/IEC 27018 (data protection) standards, ensuring mutual recognition with third-country schemes and facilitating global market access. Alignment with Common Criteria (ISO/IEC 15408) evaluation assurance levels, FIPS 140 cryptographic validation, and NIST frameworks supports interoperability with US schemes and the establishment of international cooperation frameworks.
The Commission participates in ISO/IEC JTC 1/SC 27 cybersecurity standards development, ITU-T telecommunications security work, and ISO/IEC 30111 vulnerability handling, ensuring the competitiveness of EU schemes, participation in global supply chains, and easier compliance for third-country manufacturers.
Digital Europe Programme funds certification infrastructure development

The Commission’s Digital Europe Programme 2026-2028 allocates funding to ENISA cybersecurity laboratory infrastructure, digital platforms, and certification framework development, supporting technical competence accreditation and international recognition for 18 facilities. Micro-SME technical assistance programmes, simplified self-assessment procedures, and reduced documentation obligations aim to ensure small business cybersecurity compliance while maintaining market competitiveness.
The Connecting Europe Facility (CEF2 Digital) integrates cybersecurity certification requirements into the funding allocation for cross-border digital infrastructure projects, strengthening connectivity resilience in critical sectors and harmonising supply chain security obligations.
Market surveillance coordination ensures post-certification compliance
National cybersecurity authorities coordinate market surveillance of certified products, post-market monitoring, and enforcement of cybersecurity incident reporting obligations across the 27 member states, ensuring that ongoing compliance requirements are fulfilled. The Commission’s Rapid Alert System coordinates incident information sharing, threat intelligence exchange, the operation of vulnerability coordination platforms, and the integration of national CSIRT teams.
ENISA Cybersecurity Incident Review Teams would conduct post-incident investigations, supply chain compromise analysis, and attribution coordination, with international cooperation frameworks, information sharing, and threat intelligence platforms strengthening the cybersecurity resilience of the digital single market.
Quantum-ready cryptography migration planning requirements integration
High assurance certification schemes mandate quantum-safe cryptography migration roadmaps, including post-quantum algorithm integration, selection of NIST PQC standards, and documentation of hybrid transition strategies, to establish long-term cryptographic resilience. The Commission’s Quantum Technologies Flagship funds quantum-safe VPNs, key management, and cryptographic agility platforms, coordinating deployment among critical infrastructure operators.
The ENISA Quantum-Safe Cryptography Framework guides 5G networks, cloud platforms, and operational technology controllers on cryptographic inventory assessment and the implementation of risk management strategies, coordinating national quantum readiness strategies toward the Digital Decade cybersecurity targets.
SME-friendly certification procedures technical assistance provision
The European Union has prioritized SME-friendly certification procedures and technical assistance provisions to bolster cybersecurity resilience among micro, small, and medium-sized enterprises (SMEs), recognizing their critical role in the digital single market. Traditional certification processes often burden SMEs with excessive costs, complexity, and documentation requirements that hinder adoption. To address this, the EU promotes simplified certification and self-assessment procedures tailored for micro-SMEs, featuring reduced paperwork, streamlined audits, and self-declaration options under frameworks like the Cyber Resilience Act (CRA) and the EU Cybersecurity Certification Framework. These measures enable smaller businesses to demonstrate compliance with baseline security standards without prohibitive resource demands, fostering trust in their digital offerings.
Complementing these reforms, dedicated technical assistance funding programmes support the digital transformation and cybersecurity compliance of approximately 2.8 million EU small businesses. Initiatives channelled through the Digital Europe Programme and Horizon Europe provide grants, low-interest loans, and expert consultancy to facilitate vulnerability management, secure software development, and supply chain risk mitigation.
The European Union Agency for Cybersecurity (ENISA) plays a pivotal role via its SME Cybersecurity Portal, which offers free, accessible guidance, customizable templates, self-assessment toolkits, and practical resources for threat detection, incident response, and secure configuration. These tools empower SMEs to identify gaps, implement controls, and meet emerging supply chain security requirements, enhancing overall market competitiveness.
