Why the Revision of the Cybersecurity Act is the Most Consequential Regulatory Development of 2025 (and Beyond)

When the original EU Cybersecurity Act (CSA) became applicable in 2021, it did so with relatively little fanfare. At the time, attention within the cybersecurity policy community largely focused on existing and emerging cybersecurity frameworks such as the NIS Directive, the Digital Operational Resilience Act, and the Cyber Resilience Act. The CSA’s emphasis on voluntary cybersecurity certification schemes and the formalisation of the European Union Agency for Cybersecurity’s (ENISA) mandate – though widely welcomed – did not appear to capture stakeholders’ attention as much as other cybersecurity laws.

Fast forward to 2025, and the CSA now sits at the intersection of several critical policy debates, making its revision one of the must-watch developments in EU cybersecurity policy for the years to come.

Sovereignty and cloud security

One of the most contentious aspects of the CSA is its intersection with debates on digital sovereignty and cloud security. The EU Cloud Services Certification Scheme (EUCS), a long-awaited certification framework for cloud providers, has remained stalled for years, due to disagreements among member states over the inclusion of sovereignty requirements.

Recent geopolitical tensions with the United States and ongoing discussions around the Eurostack initiative have reignited calls for the EU to reduce its reliance on non-European cloud providers. Member states are now considering mandating for highly critical use cases, with the Netherlands committing to a sovereign government cloud by 2028, signalling a broader shift in national attitudes.

The European Commission is actively considering how to address “non-technical risk factors” such as “strategic risks and dependencies”, though whether this will translate into a more overtly sovereign approach remains uncertain. Such decisions will likely require significant political input from both member states and the European Parliament, making this a key area to monitor as the revision process unfolds.

Competitiveness and simplification

The von der Leyen 2.0 Commission has made regulatory simplification a cornerstone of its competitiveness agenda, another major theme included in the CSA revision. The proliferation of reporting obligations has created significant challenges for European businesses. The Commission, supported by ENISA, is currently evaluating areas where regulations can be streamlined, with incident reporting representing a clear candidate for harmonisation across horizontal and vertical cybersecurity frameworks.

Another area that would require simplification is the harmonisation of cybersecurity risk management measures under the EU’s Network and Information Security Directive 2 (NIS2). The current fragmented implementation of NIS2 across member states is creating compliance complexity for organisations operating across multiple jurisdictions. While it is unlikely that the CSA revision can address these inconsistencies directly – given that NIS2 transposition is now in member states’ hands – this highlights the broader need for regulatory coherence in EU cybersecurity policy.

Interplay with the Cyber Resilience Act

The CSA’s European Cybersecurity Certification Framework is inextricably linked with the Cyber Resilience Act (CRA), which introduces mandatory cybersecurity requirements for products with digital elements. As the CRA will fundamentally reshape product security for a vast range of software and hardware products, clarifying how these two frameworks interact becomes essential for industry compliance and regulatory effectiveness.

ENISA’s recent report examining the interaction between the CRA and EU Common Criteria Certification underscores the complexity of this relationship. While it remains unclear whether this relationship will be clarified through the revision of the CSA or a separate delegated act, work is underway to assess the extent to which EU certification schemes could be used to demonstrate conformity with CRA essential requirements.

This alignment is not merely a matter of internal coherence, but could also shape the EU’s position in future international discussions on mutual recognition agreements, as highlighted in the International Digital Strategy released in June 2025. The need for greater harmonisation (and “interoperability”) of cybersecurity regulations has become increasingly apparent as organisations struggle to navigate overlapping global cyber requirements.

Supply chain security and ENISA’s mandate

The CSA revision will also address another highly debated policy topic – namely supply chain security – as acknowledged by Henna Virkkunen, European Parliament’s Executive Vice Chair of Tech Sovereignty, Security and Democracy. There has been much debate around the need to strengthen critical infrastructure such as submarine cables, and around the release of an ICT Supply Chain Toolbox, showing the EU’s intention to tackle an area of increasing concern in light of recent geopolitical tensions and targeted cyber operations. However, the contours of the Commission’s lines of action have been kept hidden, which is why attention to how this policy will be presented is increasing.

Last but not least, a central focus of the CSA revision will be the recalibration of ENISA’s mandate. ENISA has been a permanent institution since 2019, but the agency’s responsibilities must now be updated to address the increasingly complex threat environment and the expanded scope of EU cybersecurity legislation.

Next steps

Stakeholder input will be crucial in shaping the CSA revision, and concerned organisations should respond to the Commission’s public consultation – open until 20 June 2025.

Feedback from this process, alongside findings from an evaluation study conducted between 2022 and 2024, will feed into an impact assessment that will guide the Commission’s choice among the four policy options outlined in the call for evidence.

A legislative proposal is expected by the fourth quarter of 2025, though the timeline may shift depending on the complexity of the impact assessment process and the contentious nature of the issues under consideration.

Shaping the debate

The revision of the Cybersecurity Act stands at the crossroads of many of the EU’s most pressing digital policy debates: sovereignty, competitiveness, regulatory coherence, and supply chain security. As many questions have yet to be resolved, the CSA revision is set to shape the future of EU cybersecurity policy for years to come.

Stakeholders are encouraged to participate in the consultation process and to monitor the debate as the legislative process unfolds, as the outcomes will have lasting consequences for Europe’s digital resilience and strategic autonomy.

At Access Partnership, we are experts in cybersecurity, both advising regulatory bodies on policy best practice and supporting businesses in remaining compliant. If you are interested in developing a regulatory strategy in line with the existing EU cybersecurity policy framework, please contact [email protected].
