Revised Cybersecurity Act (CSA2) - Changes to the EU cybersecurity certification framework

20 February 26

Alessandra Vaes

Cullen International published an analysis of the proposed changes to the EU cybersecurity certification framework under the draft Cybersecurity Act 2 (CSA2) delivered by the European Commission on 20 January 2026.

The CSA established an EU framework for the voluntary cybersecurity certification of ICT products, services, processes or managed security services. It also granted a permanent mandate to the EU cybersecurity agency (ENISA).

Importantly, EU cybersecurity certification schemes would only address technical risks and remain voluntary unless mandatory under EU or national law.

Against this background, the EU cloud scheme (EUCS), for which a final draft version is still pending, triggered a debate among EU member states as to whether cloud certification should extend beyond technical requirements to also include strategic risks.

The draft CSA2 is underpinned by a Commission report evaluating the effectiveness, efficiency and coherence of both the EU cybersecurity certification framework (ECCF) and ENISA. That report identified shortcomings in the current framework that hinder the effective uptake of certification schemes (owing to delays in their development) and their alignment with other EU cybersecurity instruments.

In particular, the report highlighted the need to:

  • simplify and clarify the procedures related to the development of EU cybersecurity certification schemes;
  • ensure coherence between the CSA and other instruments like the Directive on measures for a high common level of cybersecurity across the EU (NIS2); and
  • adapt ENISA’s mandate to address, for example, emerging cybersecurity threats and policy fragmentation among member states.

To address these issues, the draft CSA2 proposes a set of amendments that include:

  • introducing binding timelines for the development of certification schemes within 12 months of a Commission request;
  • expanding the scope of the ECCF to include a “cyber posture” certification scheme to facilitate compliance for entities operating in several member states with NIS2 obligations; and
  • strengthening the role of ENISA to develop guidance on EU cybersecurity rules implementation and promote the uptake of certification schemes.

The above is an extract from Cullen International's series of analyses on the European Commission's proposal on the draft CSA2.