
Cybersecurity Act 2


POSITION | DIGITAL POLICY | CYBERSECURITY

Cybersecurity Act 2 German Industry’s recommendations on the Regulation of the European Parliament and of the Council on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881.

24 April 2026

Executive Summary

The ever-increasing cybersecurity threat landscape requires regulators, industry and operators of critical infrastructures alike to adopt risk-adequate cybersecurity measures. Such concrete measures should be supported by a lean regulatory framework that outlines requirements and provides companies with the necessary support framework. In recent years, with the NIS2 Directive, the Critical Entities Resilience (CER) Directive, the Cyber Resilience Act (CRA), RED-DA 2022/30, the Cyber Solidarity Act, the EU Cyber Blueprint, the 5G Cybersecurity Toolbox (5G Toolbox) and the Digital Operational Resilience Act (DORA), the European co-legislators have adopted a complex set of rules and regulations. With its revision of the Cybersecurity Act, the European Commission has missed an opportunity to streamline the regulatory framework, which would have been urgently needed. The Cybersecurity Act 2 (CSA 2) is not the cybersecurity trailer to the digital omnibus that German industry had hoped for.

German industry’s policy recommendations

The European Commission's proposal contains important measures to strengthen the European Cybersecurity Agency (ENISA). A powerful and well-equipped ENISA is integral to increasing Europe's cyber resilience. ENISA must be upgraded to a powerful implementation unit and reliable partner that closely monitors the implementation of cybersecurity regulations, advises companies and provides them with up-to-date threat assessments. In general, German industry regards the high number of implementing acts which the Commission’s proposal entails as critical. Since German industry is a strong advocate of the ordinary legislative procedure, which allows for meaningful and transparent stakeholder involvement, requirements should be regulated directly in the CSA 2 on the basis of mandatory impact assessments and transparent stakeholder involvement rather than through implementing acts.
While it is certainly commendable that the development of cybersecurity certification schemes is to be geared towards the needs of industry, this will not cut the Gordian knot. Instead, the European Commission and European industry should focus on implementing the CRA to strengthen the cyber resilience of products. Under the current governance and processes, the development of cybersecurity certification schemes has proven impractical, slow, bureaucratic and costly. EU-wide cybersecurity certification can be a valuable instrument to strengthen trust and market transparency, provided that certification schemes are technically defined, risk-based, internationally aligned and developed in close cooperation with industry, but it should remain voluntary in its application.

Bundesverband der Deutschen Industrie e.V. / Federation of German Industries
EU Transparency Register: 1771817758-48 | German Lobbyregister: R000534
Steven Heckler and Philipp Schweikle | Innovation, Security and Technology | www.bdi.eu

