20 Jun 2025 CSA – Strengthening Strategic Governance, Streamlining Certification, and Safeguarding European Cybersecurity Leadership
Eurosmart’s Answer to the European Commission’s call for evidence
Eurosmart supports a focused revision of the EU Cybersecurity Act (CSA) to strengthen ENISA’s role, preserve the integrity of the European Cybersecurity Certification Framework (ECCF), and streamline certification. The CSA remains central to the EU’s cybersecurity framework, and its alignment with other regulations (e.g., CRA, NIS2, AI Act) is essential to reduce duplication and simplify compliance.
Rather than a full overhaul, Eurosmart supports targeted improvements (Option 3).
Overview
Preserving key CSA elements
Provisions like accreditation and supervision of Conformity Assessment Bodies (CABs), peer reviews, and mandatory penetration testing for high assurance levels are critical to maintaining trust, quality, and consistency in certifications across the EU.
Penetration testing at high assurance levels must remain mandatory. It provides deep, real-world validation of security and ensures backdoor-free products. Oversight by public authorities is vital to preserve integrity and public trust. CABs must continue to be accredited by National Cybersecurity Certification Authorities (NCCAs), with processes aligned to standards like ISO/IEC 17065 or 17025. Explicitly referencing these standards in a CSA annex would enhance clarity.
Certification at the high level must only be issued by NCCAs or by CABs formally delegated by them. This governance ensures uniformity, strong public oversight, and reliable technical evaluations such as code reviews. Delegation must be clear, transparent, and subject to supervision and peer review.
Scheme Development
Scheme development has been slow. Eurosmart urges a more agile, strategic process, prioritizing transversal schemes and reusing existing technical foundations. The EUCC scheme serves as a model. ENISA should remain the main coordinator, and the Ad Hoc Working Group (AHWG) model remains the most suitable option to involve qualified experts from relevant sectors. Greater transparency in this process, mid-term development consultations conducted through accessible platforms, and adequate resourcing are vital to effective and timely scheme development.
Non-technical requirements should support strategic goals. At higher assurance levels, optional modules could include compliance with GDPR and demonstration of immunity from non-EU data access laws. These would strengthen digital sovereignty and user trust while avoiding excessive burdens.
Maintenance Model
Ongoing maintenance is essential. The CSA should formalize ECCG subgroups for each scheme, co-led by ENISA and the Commission, with NCCA involvement. These subgroups would manage updates, consult stakeholders, and publish annual roadmaps. ISACs like the EUCC ISAC should support them as technical bodies, offering trusted, agile input from vendors, labs, and authorities. A formal contractual Public-Private Partnership (cPPP) model would ensure efficient and expert-driven maintenance.
Lifecycle-Aware Certification Models
Certification must also consider product lifecycles. Long-life products like QSCDs may not remain fully compliant over time. Conditional certifications, subject to risk analysis, should be allowed. ISACs can help assess vulnerabilities and coordinate stakeholder responses when issues arise, maintaining trust and accuracy in communications. In summary, Eurosmart calls for a CSA revision that builds on the existing framework