On 21 January 2026, the European Commission adopted its proposal for a Cybersecurity Act 2, aiming to revise the existing Cybersecurity Act of 2019. This revision responds to the significantly evolving cybersecurity threat landscape, shaped by increasing digitalization and a more complex geopolitical environment.
CEN and CENELEC welcome the proposed Cybersecurity Act 2, which seeks to strengthen cybersecurity governance across the European Union and to support the development of a secure, resilient, and competitive Digital Single Market.
The Commission’s 2026 Annual Union Work Programme for European Standardization identifies cybersecurity requirements for products with digital elements as a key policy priority. In this context, CEN and CENELEC are actively developing European cybersecurity standards.
CEN and CENELEC responded to the EC call for feedback on the proposed Cybersecurity Act 2 where we urged the Commission to:
- ensure that standards developed by the ESOs are maintained as the backbone of cybersecurity certification schemes.
- confirm that technical specifications developed by ENISA remain a last resort fallback option. The Article on Common Specifications from the Toy Safety Regulation could be used as inspiration for framing the use and development of ENISA technical specifications.
- start a dialogue with the ESOs regarding the exclusion of high-risk suppliers from the European technical committees developing cybersecurity standards.
The full CEN and CENELEC position paper is available here.
Should you have any questions on this or other policy files, please feel free to contact us at policy@cencenelec.eu.
