Responding to a consultation on the European Commission’s review of existing cybersecurity rules, telecom operators, trade unions and industry groups have called for the EU’s cyber agency ENISA to steer clear of political interference and remain independent.
In May, the Commission began gathering feedback on a revision to the bloc’s 2019 Cybersecurity Act (CSA), which is being revamped in line with efforts to simplify existing rules.
The proposal aimed to give the Athens-based ENISA a bigger mandate, including over the drafting of cybersecurity certification schemes, through which companies can demonstrate that their ICT solutions include the right level of cybersecurity protection for the EU market.
Since 2019, the Commission has requested three of these voluntary certification schemes: on baseline ICT products, 5G and cloud services. Only the first has been adopted so far.
The certification for cloud services (EUCS) turned into a political battle over sovereignty requirements. France has led the resistance and wants to be sure that it can continue to use its own scheme – SecNumCloud – after the adoption of EUCS.
Tech industry association CCIA said ENISA’s role in the certification scheme development “should be explicitly grounded in technical independence, allowing it to make non-political decisions that reflect industry realities and cybersecurity best practices.”
This was echoed by US tech company Amazon, which said that the voluntary certification frameworks should be “based purely on technical criteria”.
“We strongly believe that introducing non-technical factors could undermine the framework’s effectiveness and create unnecessary barriers to innovation,” it added.
Global consumer electronics company Lenovo also warned against introducing non-technical criteria “such as vendor nationality, ownership, or headquarters location—in cybersecurity risk assessments or certification schemes.”
“These measures risk undermining EU principles of non-discrimination, market access, fair competition, and proportionality, while offering little benefit to actual cybersecurity outcomes,” it said.
The Commission has faced calls, and has its own plans, to increase the bloc’s independence from suppliers outside the EU. In the upcoming Cloud and AI Development Act, for example, the Commission plans to strengthen the EU’s position in the industry.
In the European Parliament, lawmakers are also calling for measures to boost technological sovereignty and guarantee the bloc’s independence and security by protecting its strategic infrastructure and reducing dependence on non-European technology providers.
ENISA mandate
The Commission began seeking feedback from industry and national governments on the functioning and scope of work of ENISA last year, as reported, in a bid to modify the agency’s mandate and financial support.
There appears to be support among participants in the consultation for increasing its funding. For example, Eco, a German association for the internet industry, said that the agency hadn’t grown in terms of staff despite its expanded remit.
“Given the current geopolitical security challenges and the scale of global cyber threats, its financial resources remain limited compared to other EU bodies. […] It is important to boost ENISA’s role as the independent expert on European Cybersecurity. In order to operate independently and attract necessary resources, staff, and experts to the benefit of its mandate, ENISA has to leverage its public standing among the global community,” the contribution said.
Henna Virkkunen, the EU Commissioner for technology, said earlier this year that she will carry out a so-called Digital Fitness Check – expected before the end of 2025 – which will assess whether all existing tech rules are burdensome to companies, and identify areas for simplification. The CSA is expected to be part of that.