15 May 2026
Eurosmart Contribution to the Public Consultation on the Revision of the EU Cybersecurity Act (CSA2)
Strengthening and Scaling the European Cybersecurity Certification Framework
Eurosmart welcomes the European Commission’s initiative to revise the Cybersecurity Act (CSA2) at a time when Europe faces an increasingly complex cybersecurity landscape shaped by rapid technological evolution, growing threat sophistication and rising strategic dependencies. While the original Cybersecurity Act established the foundations of the European cybersecurity certification framework, Eurosmart considers that the framework now requires a stronger operational impulse to fully deliver on its objectives.
The development, maintenance and operational deployment of additional European cybersecurity certification schemes will be essential to support key Union policy initiatives and regulatory frameworks relying on cybersecurity certification, notably in areas such as cloud services, artificial intelligence, digital identity, IoT, 5G, post-quantum cryptography, edge computing and industrial systems.
Preserving Technical Credibility, Governance and Legal Certainty
At the same time, Eurosmart recognises the added value of strengthening and scaling the European cybersecurity certification framework while underlining the need to preserve technical credibility, legal certainty, market predictability and an appropriate institutional balance between Union and national actors.
The paper therefore identifies a number of areas where the CSA2 proposal would benefit from further clarification and refinement, notably regarding:
- the governance, maintenance and lifecycle management of European cybersecurity certification schemes;
- the preservation of the technical robustness and credibility of the “High” assurance level, including mandatory penetration testing and evidence-based evaluation methodologies;
- ENISA’s evolving role and the necessary separation between technical support, supervisory and certification functions;
- the role of Member States and the ECCG in certification governance and international recognition mechanisms;
- overlaps and articulation between CSA2 and NIS2;
- the governance, scope and legal framing of the new ICT supply chain security framework under Title IV, including the distinction between technical certification and geopolitical ICT supply chain risk-management measures.
Proposal for a Structured and Risk-Based Approach to ICT Supply Chain Security
Regarding Title IV, Eurosmart supports addressing non-technical cybersecurity risks and ICT supply chain dependencies while stressing the need for proportionality, transparency, consistency with NIS2 and preservation of internal market principles.
The paper therefore proposes a structured qualification-based framework centred on critical or sensitive ICT use cases, objective qualification criteria and proportionate conditions for use, rather than broad supplier-based restriction mechanisms.
Supporting Ongoing Legislative Discussions
The contribution also includes a detailed set of proposed amendments intended to support ongoing policy discussions and future legislative work on CSA2, notably regarding certification governance, assurance levels, technical evaluation requirements, ENISA’s role, international recognition mechanisms, peer review systems and the implementation of Title IV ICT supply chain security measures.