June 24, 2025 – In April, the European Commission launched a public consultation process for feedback on ENISA, the EU’s Agency for Cybersecurity, and on the implementation of the Cybersecurity Act, passed in 2019.
As part of our Future of Digital Security portfolio, IST has engaged a broad range of stakeholders on topics relevant to the request for comment on the revisions of the Cybersecurity Act. We welcomed the chance to submit comments on this public consultation, focusing primarily on questions surrounding the simplification and harmonization of legislation, including leveraging the European Cybersecurity Certification Framework (ECCF) and streamlining incident reporting requirements.
The Institute for Security and Technology (IST) appreciates the opportunity to submit input into the revision of the European Union’s Cybersecurity Act.
IST is a nonpartisan, nonprofit critical action think tank based in the San Francisco Bay Area that seeks to unite policymakers, technology experts, and industry leaders to identify and translate discourse into impact. We take collaborative action to advance national security and global stability through technology built on trust, guiding businesses and governments with hands-on expertise, in-depth analysis, and a global network. Some of IST’s efforts include the flagship Ransomware Task Force, now in its fifth year of progress towards key recommendations such as articulating concrete steps to “increase the quality and volume of information about ransomware incidents” available to governments. IST is also leading conversations with a diverse range of stakeholders across the AI ecosystem to better understand the emerging risks of AI foundation models and to develop technical and policy-oriented risk reduction strategies, driving forward responsible innovation. In all cases, IST aims to foster connections and engagement between companies, organizations, and governments.
As part of our Future of Digital Security portfolio, IST has engaged a broad range of stakeholders on topics relevant to the request for comment on the revisions of the Cybersecurity Act. Our comments in this document focus primarily on questions surrounding the simplification and harmonization of legislation, including leveraging the European Cybersecurity Certification Framework (ECCF) and streamlining incident reporting requirements.
Simplification of Cybersecurity Legislation
As cybersecurity threats grow more complex, regulation has an increasingly important role to play. However, the substantial increase in the number of relevant laws, regulations, and frameworks creates a serious concern for companies and other entities that want to offer products and services within the European Union. Particularly for small and medium-sized businesses, many of which are the engine of innovation, reducing the burden of complying with this regulation is critical to maintaining their competitiveness in the European market. Importantly, when multiple regulatory frameworks affect the same information and communications technology, they not only limit commerce in a way that is counter to the conception of the common market; they can also, perversely, decrease security. Companies that have to invest in administrative and compliance personnel to address duplicative regulations often draw on resources that would otherwise be used to improve the security of the underlying products or services. In the context of substantial geostrategic competition and fast-moving technology innovation, companies are prioritizing speed and scale in their deployment of products and services. Well-harmonized cybersecurity legislation can help companies prioritize their efforts, minimize friction in innovation, and serve as a vital tool to improve security outcomes.
With laws such as the Cyber Resilience Act and the NIS-2 Directive coming into force, companies face the prospect of having to track and meet the requirements that regulators in every EU member state set out in their respective implementations of these laws. Critical infrastructure sectors, especially those dependent on OT and cross-border operations—energy, communications, transportation, water, and manufacturing—are most in need of harmonized cybersecurity regulations. Without harmonization, these sectors face increased costs, operational risks, and potential security gaps that threaten both economic and national security. Sectors reliant on OT (e.g., energy, manufacturing, transportation) struggle to adapt to new cyber regulations because their systems are complex, continuously operating, and difficult to secure without risking downtime. Disjointed regulations make it even harder to implement effective, sector-appropriate security controls. Providing means by which these companies can meet their compliance obligations through streamlined efforts is critical to curbing the threat of proliferating compliance burdens.
In addition to harmonizing requirements, reducing administrative burden requires ensuring some level of reciprocity or mutual recognition for compliance. Having even identical requirements for risk management steps will not significantly reduce the compliance burden if an entity needs to demonstrate that compliance to many different auditors who require separate artifacts as proof of the efficacy of the cybersecurity program.
Leveraging the European Cybersecurity Certification Framework
IST supports efforts to provide consumers and businesses with more information about the security of the digital products and services available in the marketplace, and encourages wide participation in these efforts. When IST joined the Secure by Design pledge, our statement highlighted: “IST envisions a world in which consumers no longer bear the burden of ensuring technology products’ security alone–one where a shared responsibility model enables the development of a more digitally sustainable ecosystem.” We continue to support efforts that allow consumers to make more informed choices and promote the development and use of safer products and services.
At the same time, it is important that companies that are already utilizing good security practices are not overwhelmed by requirements to demonstrate their compliance with specific frameworks, required to submit repetitive documentation, or forced to contend with conflicting or overlapping requirements.
ECCF should be sufficient to provide CRA compliance: IST strongly recommends that certification under the ECCF serve as a clear, EU-wide path for providers of ICT products and services to meet requirements under the CRA. Given the extensive set of requirements to meet this standard, entities that participate in this process should be able to use it to achieve EU-wide compliance. This is particularly helpful to small, novel, or newly established companies within European Union member states, as well as to non-EU European countries and to companies headquartered outside Europe that want to offer products and services in the EU. Many of these companies are innovating on security solutions and products that can help European Union entities address threats “at the speed of cyber.” Ensuring that certification under the ECCF meets CRA compliance requirements will minimize the risk of compliance process proliferation — provided it is positioned as one of multiple pathways to compliance, rather than the sole mechanism.
ECCF should be interoperable: Because the security of products and services is interconnected across the globe, we urge the authorities to make the ECCF interoperable with other frameworks, such as Singapore’s Cyber Trust Certification and the Cyber Trust Mark administered by the United States’ Federal Communications Commission. While full interoperability may not be easily achieved, at a minimum ENISA should clearly articulate the differences between the ECCF requirements and the requirements of other efforts; this would provide substantial assistance both to consumers assessing their own needs and to consumers who must weigh the tradeoffs of using different products and services.
ECCF should be developed with stakeholders: Input from a diverse set of stakeholders, including governments, industry, civil society, academia, and Standards Development Organizations such as ETSI and CEN-CENELEC, is essential for effective cybersecurity certification frameworks. This ensures industry expertise and private sector buy-in while enabling public authorities to design well-scoped and contextually applicable schemes. The Stakeholder Cybersecurity Certification Group can enhance this process by providing formal, non-binding opinions on candidate schemes, acting as a preferential sounding board for assessing market impact, and fostering alignment with member states through regular joint meetings with the European Cybersecurity Certification Group.
Reporting Requirements
We strongly commend the European Union for seeking to simplify cybersecurity legislation, and particularly commend the Commission for directly addressing the benefits of multipurpose reporting. Facilitating reporting that allows organizations to share information about incidents quickly and with limited hassle can increase the information shared with governments and better position them to take action against threats to connected technology.
As was noted in the U.S. Office of the National Cyber Director’s review of public comments on cybersecurity harmonization, incident responders have been clear that overlapping, redundant, and overly burdensome reporting requirements have taken resources away from actual cybersecurity programs and have added burdens to incident responders facing crises. (We encourage all government cybersecurity authorities to read the report from that effort, available at the U.S. National Archives.)
Of even greater concern to government authorities, consultations have been clear that the maze of overlapping and burdensome reporting methods has led to real and substantial reduction of actual sharing of information with the government. This includes reducing the amount shared via required reporting channels, as well as reducing the frequency and timeliness of voluntary information sharing with government agencies. Private sector leaders struggle to balance the benefits of sharing intelligence against legal and compliance exposure via regulatory reporting.
Seeking to harmonize reporting requirements while still gathering critical data is vital for government agencies that want to understand the threats they are facing and take action to support effective defense by cybersecurity professionals.
Given that many cybersecurity incidents have cross-border elements, we encourage the Commission, member states, and ENISA to take a maximalist approach to harmonizing and deconflicting requirements within the European Union and between the European Union and jurisdictions across the globe. While we understand that NIS-2 is being implemented by EU member states with their own national characteristics and different economic conditions, when possible we encourage maximum flexibility in collecting information to reduce the burden on incident responders.
IST also wishes to encourage efforts to allow for the low-friction transfer of key information regarding cybersecurity incidents of concern between jurisdictions within the European Union – taking an approach that will allow governments to get more information about incidents without adding to the burden placed on entities that have been the victims of cybercrimes. As such, we encourage ENISA to consider consolidating access to the reporting platforms for both the CRA and the NIS-2 Directive. While we recognize that the CRA and NIS-2 serve distinct purposes—vulnerability reporting and incident reporting, respectively—and will require substantially different forms, creating a single access point with clearer navigation would simplify reporting for companies and cybersecurity professionals, while maintaining the necessary separation between the reporting mechanisms and obligations under each framework.
IST also encourages ENISA and EU member states to send clear signals that they welcome voluntary reporting from non-covered entities and to indicate how to make such voluntary reports. We welcome a discussion of best practices for incident reporting, and invite ENISA to consider the discussions outlined in the Cyber Incident Reporting Framework: Global Edition.
Conclusion
IST commends the Commission for engaging in this effort, and welcomes opportunities to further discuss our recommendations or to facilitate discussions with members of IST’s task force efforts if that would be of assistance to ENISA.