Source: European Parliament
The Cybersecurity Act (CSA) came into force in 2019 as part of the EU’s broader efforts to build strengthened cybersecurity. The CSA formalised the role of the European Union Agency for Cybersecurity (ENISA), giving it a permanent mandate, resources and tasks, including operational ones. It also established a voluntary European cybersecurity certification framework (ECCF) for ICT products, services and processes. The ECCF aims to set up and maintain specific certification schemes, allowing companies operating in the EU to use certificates recognised across all Member States. In January 2025, a targeted amendment to the CSA was adopted to enable the future adoption of European certification schemes for ‘managed security services’ – cybersecurity risk management services provided by third-party providers – covering areas such as incident response, penetration testing, security audits and consultancy. The CSA requires an evaluation and review every five years. After being postponed several times, the current proposal is the result of this review. The Commission published the CSA review proposal on 20 January 2026, together with targeted amendments to the NIS2 Directive. The proposal aims to clarify ENISA’s mandate and improve the ECCF, and introduces new measures for secure and resilient ICT supply chains. In the Parliament, the file has been assigned to the Industry, Research and Energy committee (ITRE), and Marketa Gregorova (Greens/EFA, Czechia) was appointed rapporteur.
Area of Freedom, Security and Justice
