On 11 April 2025 the European Commission (“the Commission”) launched a public consultation on the review of Regulation (EU) 2019/881 on the European Union Agency for Cybersecurity (ENISA) and on information and communications technology cybersecurity certification (Cybersecurity Act). The consultation forms part of the Commission’s simplification agenda, which is a key focus for its 2025 work programme.
By way of background, the Cybersecurity Act sets out a permanent mandate and objectives for ENISA and establishes a European Cybersecurity Certification Framework (ECCF) for voluntary European cybersecurity certification schemes for information and communication technology (ICT) products, services and processes. One of the certification schemes foreseen by the legislation is the European Union Cloud Services Scheme (EUCS), which has been the subject of much controversy and debate since ENISA published the first draft standards back in 2020, with the key contentious points relating to the sovereignty requirements for certain cloud service providers (CSPs). Whilst the consultation is sector-agnostic and the Commission is looking for feedback from a broad range of stakeholders, it is certainly of interest to the financial sector given its growing interlinkages with ICT service providers (including CSPs) in day-to-day operations.
The current consultation is divided into three main parts and covers the following:
- Section 1: Mandate of ENISA
The Commission seeks stakeholders’ views on a variety of issues concerning the current mandate and functioning of ENISA, including the importance of the cybersecurity tasks entrusted to ENISA and the added value it brings; ENISA’s role in providing technical support for the implementation of European Union (EU) law; and the agency’s track record in cooperating with other institutional bodies and stakeholders.
- Section 2: Functioning of the ECCF
The consultation explores various subjects linked with the functioning of the ECCF, ranging from baseline topics, such as views on the current legislative set-up of the scope, objectives and elements of the ECCF and areas for further harmonisation with other European cybersecurity certification schemes, through to consideration of a potential mandatory European cybersecurity certification for certain products, services, processes and/or managed security services. Of particular interest to financial entities and ICT service providers that have recently completed their mutual DORA compliance efforts, the Commission seeks stakeholders’ views on the potential development of a voluntary certification for entities that support compliance with EU cybersecurity and data security requirements stemming from various pieces of legislation (including DORA, the NIS2 Directive and others). The consultation also assesses ENISA’s performance in executing its mandate under the ECCF, including stakeholder involvement and potential areas for improvement in that space. Finally, the Commission also considers in the consultation issues linked with ICT supply chain security.
- Section 3: Simplification of cybersecurity and incident reporting obligations
The final section of the consultation document focuses on simplification: the Commission is looking for stakeholders’ views on simplifying European cybersecurity legislation, in particular in the context of incident reporting.
The consultation is open until 20 June 2025, following which the Commission is expected to present its legislative proposal amending the Cybersecurity Act later in Q4 2025.