To support these objectives, Eurosmart highlights several essential insights and proposals, including:
Reinforce ENISA’s Role:
ENISA should have a more strategic mandate, including clearer guidance on legislative interpretation, support for legal mapping, and development of market-driven certification schemes. ENISA should also assume technical responsibilities, such as establishing a European Vulnerability Database, and continue supporting schemes’ development.
Enhance the European Cybersecurity Certification Framework (ECCF):
Certification should serve as both a legal and strategic incentive for industry players. Eurosmart advocates for recognition of certificates as evidence of due diligence and encourages the development of schemes relying on emerging technologies like the EUDI wallet and post-quantum cryptography.
Simplify Compliance:
The revised CSA and policy makers’ decisions must streamline and harmonize cybersecurity requirements across legislation such as the Cyber Resilience Act (CRA), NIS2 Directive, and Digital Operational Resilience Act (DORA). Clearer legal mappings would reduce complexity and costs for businesses.
Institutionalise Stakeholders' Involvement:
Inclusive and transparent scheme development is critical while maintaining a high level of expertise. Eurosmart calls for formalized industry involvement through ENISA’s ad-hoc working groups, intermediary consultations for scheme development, and structured partnerships with bodies like the EUCC ISAC to ensure the maintenance.