Revision of the Cybersecurity Act (CSA)

ASD position paper on revising the Cybersecurity Act: recommendations for ENISA's role, European cloud security certification, and protecting sensitive EU aerospace data.

Introduction

The Cybersecurity Act (the “CSA”) [1] set a permanent mandate for the European Union Agency for Cybersecurity (ENISA) and established a European Cybersecurity Certification Framework (ECCF) for voluntary European cybersecurity certification schemes for ICT products, services and processes. In this document, the Aerospace, Security and Defence Industries Association of Europe (ASD) is providing its views on:

  • Section 1: Mandate of ENISA.
  • Section 2: European Cybersecurity Certification Framework (ECCF), with a focus on the European Cybersecurity Certification Scheme for Cloud Services (EUCS).

Our member organisations view the revision of the CSA as a key opportunity to further reflect on the role of ENISA and to strengthen its collaboration with both institutional and non-institutional stakeholders in the cybersecurity domain. In addition, we underscore the importance of establishing an EU-wide Cloud standard that incorporates High+ criteria [2] or equivalent conditions within the EUCS framework to ensure robust protection of sensitive [3] data against undue extraterritorial data access and/or disruption. We believe this can already be legally achieved under the current text of the CSA. However, the upcoming revision should further clarify and formally incorporate these elements. This will be especially important in paving the way for the Cloud and AI Development Act, notably with regard to public procurement.

Section 1: mandate of ENISA

The revision of the Cybersecurity Act (CSA) should clearly define the division of responsibilities between ENISA and other European agencies to avoid duplication. In particular, it should clarify the distinctive roles of ENISA and CERT-EU, with reference to their cooperation as outlined in the Memorandum of Understanding (2021). [4] This clarification is essential to prevent overlapping functions and ensure effective collaboration.

ENISA’s mandate is central to achieving a high common level of cybersecurity across the EU. The recent launch of the European Vulnerability Database (EVD) represents a major step towards building a sovereign, independent vulnerability management system within the European Union. This initiative underscores the need for a European entity capable of aggregating and coordinating cybersecurity intelligence across national agencies and public-private stakeholders, while fully respecting Member States’ national security prerogatives. To ensure its sustainability, the CSA should explicitly include the maintenance of the EVD as part of ENISA’s mission, backed by appropriate funding. Likewise, ENISA’s responsibility for managing and maintaining the Single Reporting Platform under the Cyber Resilience Act (CRA) should be clearly defined.

ENISA’s roadmap should be regularly shared with stakeholders, with the Executive Director presenting activity reports once or twice a year that incorporate recommendations from the Advisory Group. The Group’s scope should be expanded to include certification matters. Given the strategic importance of cybersecurity, it is essential that the Advisory Group reflects a broad spectrum of EU stakeholders and includes independent voices from the European private sector.

Similarly, the composition of the Stakeholder Cybersecurity Certification Group (SCCG) must reflect EU interests, with significantly stronger industry participation. The SCCG should be regularly updated and consulted on the certification scheme development roadmap and empowered to engage directly with the European Commission through ENISA.

The successful transition from the scheme operating under the Senior Officials Group Information Systems Security Mutual Recognition Agreement (SOGIS MRA) to the Common Criteria-based Cybersecurity Certification Scheme (EUCC), coordinated by an ENISA-led ad hoc working group, demonstrates the effectiveness of this model. For ongoing scheme maintenance, specialised subgroups within the European Cybersecurity Certification Group (ECCG) should be granted formal legal status and composed of recognised experts from national authorities.

Future ad hoc groups should follow a rigorous selection process to ensure EU independence and broad sectoral representation. ENISA must also be adequately resourced to manage these groups effectively. While ENISA already engages external expertise through its list of individual external experts (CEI), it would be beneficial to strengthen the selection process with additional criteria (e.g., open and merit-based procedures, balanced sectoral representation across industry, academia and national authorities, and strong safeguards against conflicts of interest) so as to preserve technical independence.

Finally, the revised CSA should reinforce ENISA’s operational role in supporting EU institutions by contributing to situational awareness, in line with its original mandate. ENISA should also engage with counterpart agencies outside the EU, acting as a representative of the Union to advance strategic and sovereignty interests at the international level.

Section 2: European Cybersecurity Certification Framework (ECCF)

European Cybersecurity Certification Scheme for Cloud Services (EUCS)

Deliberations on the proposed European Cybersecurity Certification Scheme for Cloud Services (EUCS) have been ongoing since December 2019. Most of the discussions have been centred around the inclusion of transparent and harmonised criteria at the highest assurance level of the EUCS scheme, previously introduced and labelled as “High+” requirements.

As European cloud users in a strategic ecosystem committed to the EU’s digital competitiveness, the European aerospace, defence and security industries strongly advocate for the (re)integration of High+ requirements (or equivalent). Such an approach would guarantee the protection and availability of the most sensitive European data against risks that could derive from unregulated and unmonitored cloud storage and computing beyond the EU’s territory and legislative control. These risks include service disruption (e.g., interruption of international data links or disruption in the provision of security updates), which could paralyse industrial operations, and unlawful access (e.g., through extraterritorial regulations or due to unclear or diverging rules on cryptography of data in transit and at rest).

We consider that the current CSA already permits the legal inclusion of sovereignty criteria in the EUCS, and this should be implemented as soon as possible, ahead of the CSA revision. In any case, the CSA revision should clearly and explicitly affirm the possibility and importance of including such voluntary conditions.

Beyond ensuring legal compatibility between the CSA and criteria of EU sovereignty, user privacy, and immunity from extraterritorial laws, the European Cybersecurity Certification Framework must allow for the consideration of other European regulations relating to cybersecurity and privacy. Indeed, the European regulatory landscape for cybersecurity and privacy is dense (e.g., CSA, CRA, DORA, NIS2, AI Act, RED, GDPR, Data Act), and allowing a certification scheme to take certain regulations into account would greatly contribute to clarifying matters for stakeholders: users of certified ICT products, services, and processes would benefit from immediate assurance, both in terms of cybersecurity and compliance with European regulations.

Rationale

Cloud users, especially in strategic and highly sensitive sectors, require transparency and certainty about the level of protection of their data. There is a high likelihood that users will rely on the EUCS certification scheme to ensure that their data is correctly managed and adequately secured. However, if a future EUCS scheme leaves open the possibility of unexpected and unsanctioned data access, this would mean that the highest level available to users would not provide the latter with adequate protection or information.

EUCS is a voluntary certification scheme; therefore, including the High+ requirements would not distort the market. Other assurance levels will still exist, and cloud providers not meeting the High+ criteria would remain able to offer their solutions in the EU market. At the same time, the existence of a High+ level would provide a unified EU reference to users, such as our industry, wishing to ensure for their most sensitive needs that suppliers can guarantee the required level of assurance.

The inclusion of such criteria is essential to the implementation of cloud strategies for European organisations operating in our sectors across the Union. Moreover, it would also remove the burden of having to comply with different national laws and contribute to industrial competitiveness, which is in line with the Commission’s strategic priorities.

Furthermore, robust and harmonised criteria would promote greater cooperation within the EU and improve companies’ efficiency by enabling them to choose single solutions across Member States. In contrast, shifting responsibility for defining requirements to the national level would inevitably lead to divergent national requirements, creating legal, technical, and economic uncertainties for both EU cloud providers and users as they implement their cloud strategies. This would lead to regulatory and market fragmentation, which would be contrary to the EUCS objective of fostering harmonisation.

The (re)introduction of the High+ requirements would also be fully consistent with the existing Gaia-X labelling framework, and in particular Label Level 3, which sets conditions relating to continuous operating autonomy, supported by EU-located headquarters, control structure and compliance with EU/EEA/Member States’ law (criteria P5.1.2 to P5.1.7). Label Level 3 was developed by Gaia-X based upon a clear market demand and it has proven its added value in providing information to users without distorting market dynamics. Gaia-X has thereby set a blueprint for an open and robust EUCS, one that was jointly developed and adopted by both cloud providers and users in Europe.

As the debate around AI regulation and protection grows, it is important to remember that AI depends heavily on cloud infrastructure and access. Therefore, pursuing robust and protective AI solutions without addressing the role of the underlying cloud infrastructure and without incorporating the necessary High+ level is inconsistent.

Therefore, ASD calls on Member States and the Commission to (re)introduce, as soon as possible and certainly before the CSA revision, criteria for the High+ level or equivalent assurance in the main body of the EUCS scheme. It is crucial to protect Europe’s long-term strategic interests rather than sacrificing them for short-term convenience.

Conclusion

The revision of the Cybersecurity Act presents a valuable opportunity to strengthen Europe’s cybersecurity resilience and sovereignty. Clarifying ENISA’s mandate and ensuring effective coordination among European agencies will prevent duplication and enhance operational impact. The European Cybersecurity Certification Framework, especially the EUCS, must include the highest assurance levels to protect sensitive data and meet the strategic needs of European industries. This is already legally feasible under the current CSA, but should be made even clearer in the revised Act. This clarification is especially important to pave the way for the upcoming Cloud and AI Development Act, particularly concerning the procurement of cloud services by public administrations. Moreover, simplifying cybersecurity and incident reporting obligations will reduce administrative burdens and encourage compliance.

ASD encourages policymakers to adopt these recommendations to build a robust, transparent, and harmonised cybersecurity framework that fosters innovation, trust, and industrial competitiveness across the EU.

Notes:

1. Regulation (EU) 2019/881 on the ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), <https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng>.

2. High+ criteria aim to ensure operating service continuity and to remove exposure to non-EU extraterritorial legislation, thus avoiding risks of undue access to customers’ data. This is addressed in particular through criteria ensuring that the cloud provider’s head office, headquarters and main establishment remain within the EU while storage and processing are also conducted there, and that the cloud provider is not effectively controlled by shareholders from outside the EU.

3. Sensitive data includes but is not limited to classified military plans and operations, intelligence data, R&D data, critical infrastructure vulnerabilities, counter-terrorism intelligence, aircraft design and manufacturing details (especially if dual-use technologies are involved), and flight plans for state, military, or sensitive flights.

4. ENISA (2021), ENISA and CERT-EU sign Agreement to start their Structured Cooperation, <https://www.enisa.europa.eu/news/enisa-news/enisa-and-cert-eu-sign-agreement-to-start-their-structured-cooperation>.

ASD Position Paper on the Revision of the Cybersecurity Act (CSA)

Download the ASD Position Paper on the Revision of the Cybersecurity Act (CSA). Published by ASD in June 2025.