The Cybersecurity Coalition and the Coalition to Reduce Cyber Risk (CR2) submitted comments to the European Union Directorate-General for Communications Networks, Content and Technology’s (DG CNCT) open consultation on revisions to the Cybersecurity Act (CSA) (Regulation (EU) 2019/881).

The consultation sought feedback across three distinct topics:

  1. ENISA’s Mandate – The cybersecurity threat landscape has significantly evolved since the original CSA defined the mandate of ENISA, the European Union Agency for Cybersecurity. Moreover, the Commission has proposed, and the Parliament and Council have adopted, several pieces of legislation giving more responsibilities to the agency. The consultation sought input on potential updates to ENISA’s mandate moving forward.
  2. Certifications – The original CSA established the European Cybersecurity Certification Framework (ECCF), which enabled the creation of tailored and risk-based EU certification schemes for ICT products and services. The consultation sought input on how to facilitate the adoption of existing schemes, how to make schemes under development most effective, how to revise roles and responsibilities for different stakeholders, and how to harmonise certifications with the CRA and other relevant legislation. 
  3. Simplification – For its current 2024-2029 mandate, the Commission is proposing unprecedented simplification measures to lighten the costs and burdens associated with regulatory compliance. The consultation sought input on how to harmonise and reduce cybersecurity requirements in EU legislation, including requirements in the Radio Equipment Directive (RED) (Directive (EU) 2014/53), General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), NIS Directive (Directive (EU) 2016/1148), Cybersecurity Act (Regulation (EU) 2019/881), Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554), NIS 2 Directive (Directive (EU) 2022/2555), Critical Entities Resilience (CER) Directive (Directive (EU) 2022/2557), AI Act (Regulation (EU) 2024/1689), Cyber Resilience Act (CRA) (Regulation (EU) 2024/2847), and Cyber Solidarity Act (CSoA) (Regulation (EU) 2025/38).

Regarding ENISA, both the Coalition and CR2 strongly support a holistic and flexible mandate. This will ensure that, as the cybersecurity threat landscape continues to change, ENISA will be able to autonomously reprioritise tasks and reallocate resources in the most effective and efficient way possible. 

They also recommended that the Commission provide ENISA with adequate funding for all activities described in its mandate. While the EU has tasked ENISA with significantly more duties through several legislative packages in recent years, this has not been met with a corresponding increase in funding. According to ENISA’s own estimates, it faces a €3.2 million shortfall to fulfill its operational mandate in 2025 alone.

In addition, the Coalition recommended that ENISA:

  • Create a centralised resource that amalgamates Member State cybersecurity transpositions, laws, and guidance.
  • Institute more transparency and objectivity in stakeholder engagements.
  • Increase work related to open source.
  • Harmonise the European Vulnerability Database (EUVD) with international approaches.
  • Produce a formal mandate to collaborate with international counterparts.

On the issue of certifications, the Coalition and CR2 expressed the desire to avoid duplication of existing schemes, harmonise schemes with requirements in other EU legislation – e.g., CRA, RED, and NIS 2 – wherever possible, and harmonise schemes with international standards, e.g., ISO 27000 series. They also urged different units within DG CNCT to coordinate the EU Cloud Certification Scheme and the proposed Cloud and AI Development Act, particularly with regard to sovereignty requirements.

Regarding regulatory simplification, the Coalition and CR2 urged the Commission to harmonise incident reporting requirements between different pieces of EU legislation – e.g., NIS 2 and CRA – and between different Member States’ legislation – e.g., between all 27 Member States’ NIS 2 transpositions.

The Coalitions also raised the issue of harmonisation of compliance timelines for EU Directives and of security audits, and urged the Commission and ENISA to develop a unified set of cybersecurity risk management rules and to establish a single EU-level reporting platform.

Luke O'Grady
