
The EU Cybersecurity Act Under Review: What Comes Next?

by Streamlex 19 April 2025

As part of the European Commission’s broader push to simplify and streamline EU digital legislation, the EU Cybersecurity Act (CSA) is now under review. A public consultation, open until 20 June 2025, invites feedback on the implementation of the CSA and its two central pillars: ENISA's mandate and the European Cybersecurity Certification Framework (ECCF).


Why Is the CSA Being Reviewed?

Since the adoption of the Cybersecurity Act (CSA) in 2019, the cybersecurity threat landscape has evolved dramatically in scale and complexity. The number and sophistication of cyberattacks have increased, and the EU’s legislative framework has expanded significantly with instruments like NIS2, the CRA, and DORA.

In this context, ENISA’s role has grown as it took on additional tasks assigned through newer legislation. The review of the CSA is meant to align the agency’s formal mandate with the reality of its expanded operational scope, particularly to ensure it can continue to support cybersecurity coordination both within and beyond the EU effectively.

On the certification side, the ECCF has yet to reach its full potential. Challenges remain regarding the adoption and agility of certification schemes, clarity over responsibilities, and management of the certification lifecycle. There are also concerns about whether the ECCF adequately addresses supply chain cybersecurity risks — particularly non-technical threats — and how voluntary certification frameworks will interact with the emerging obligations under the CRA.

Finally, the CSA review is tied to the Commission’s broader objective of legislative simplification. Read our analysis of this agenda here.

Policy Options on the Table

According to the consultation document, the Commission is considering four possible directions:

  • No change – Maintaining the current CSA as is.
  • Non-legislative improvements – Making clarifications or updates to ECCF implementation and reporting obligations without revising the law itself.
  • Targeted regulatory intervention – Updating ENISA's mandate to reflect additional tasks assigned in other legislation and streamlining ECCF governance and reporting structures.
  • Repeal and replacement – Introducing a comprehensive new regulation that extends ENISA’s scope, improves ECCF efficiency, addresses ICT supply chain challenges (including non-technical threats), and simplifies reporting.

Where the EUCC Fits In

The European Common Criteria-based Cybersecurity Certification Scheme (EUCC) — which entered into application in February 2024 — is the first scheme developed under the ECCF. It allows ICT suppliers to voluntarily certify products, such as smartcards, chips, or software, using a harmonized, assurance-based framework.

The scheme is based on the SOG-IS Common Criteria evaluation model, already used in 17 Member States. While voluntary, the EUCC is relevant to both NIS2 and the Cyber Resilience Act (CRA):

  • Under NIS2, Member States may require essential and important entities to use EU certification schemes like EUCC.
  • Under the CRA, certified products benefit from a presumption of conformity, provided they meet the required assurance level.

Learn more about EUCC and its practical application in our dedicated breakdown.

Next Steps

The consultation is open until 20 June 2025. Feedback can be submitted via the European Commission’s Have Your Say portal.

© 2025 StreamLex