
Jochen Michels, Director, Public Affairs, Europe, Kaspersky
The 2025 work program of the EU Commission highlights simplification as a key factor in strengthening the EU’s prosperity and resilience. High cybersecurity standards and enhancing the adoption process of European Cybersecurity Certification Schemes were identified as priorities.
The 2019 Cybersecurity Act gave ENISA – the European Union Agency for Cybersecurity – a permanent mandate. In response to increasingly complex cyber threats and evolving legislation, that mandate now requires an update. By the end of 2024, the Council of the EU had already called for such a revision. Updating the EU Cybersecurity Act is also a key initiative under the ProtectEU Strategy. While the European Cybersecurity Certification Framework (ECCF) is helpful for strengthening cybersecurity across the Union, there is still a need to refine its processes, clarify role definitions, and expand risk coverage to further improve resilience. The overarching goal is to streamline cybersecurity regulations and ease administrative burdens for businesses, thereby advancing the EU’s objective of developing a secure and resilient supply chain, underpinned by a robust cybersecurity industrial base.
In spring 2025, through a public consultation and an accompanying survey, the EU Commission engaged with authorities and groups relevant to cybersecurity, EU bodies, trade associations, industry representatives, researchers, academics, cybersecurity professionals, consumer organizations, and citizens. The aim was to collect views on potential revisions to the current ENISA mandate, the ECCF, and challenges related to ICT supply chain security, as well as the need to simplify cybersecurity measures and reporting obligations. The survey was open-ended regarding the extent of changes to the existing provisions.
Kaspersky’s views
In its feedback, Kaspersky – as a global cybersecurity company dedicated to supporting a secure and resilient digital space and to protecting users across the EU and worldwide – first and foremost welcomed the EU Commission’s initiative to revise the EU Cybersecurity Act and acknowledged the regulation’s pivotal role in shaping cybersecurity governance.
Regarding the extent of potential regulatory changes, the company suggested that a targeted regulatory intervention would enable pragmatic improvements to address the current shortcomings of the Act, while preserving legal and operational continuity. In particular, this approach would provide an opportunity to clarify ENISA’s expanding mandate, enhance the efficiency and adoption of certification schemes, and streamline reporting obligations:
Kaspersky advocated for clarifying and strengthening ENISA’s mandate in the course of the revision of the existing provisions. It warned that ENISA’s growing responsibilities across various EU regulations risk overstretching its capacity. Kaspersky supports targeted amendments to formalize ENISA’s cross-regulatory role, to improve coordination among Member States, and to ensure legal certainty for the industry. It also called for increased resources, such as budget and staff, and prioritization mechanisms to enable ENISA to fulfill its expanded role effectively.
Kaspersky observed that the European Cybersecurity Certification Framework is currently hindered by a lengthy and overly complex scheme development process, which risks producing schemes that are already outdated by the time they are adopted and stifles innovation. To address this, the company proposed a more agile, time-bound process with streamlined responsibilities, allowing ENISA and its technical experts to take a more direct role, with final validation by the EU Commission. Additionally, the current lack of formal update mechanisms for certification schemes should be resolved through recurring and transparent review processes. The EU should also pursue international mutual recognition of its certificates to lower compliance costs and enhance global competitiveness.
Kaspersky also identified a critical need to simplify and harmonize cybersecurity reporting obligations across Europe. Companies face overlapping and inconsistent requirements under various frameworks such as the CSA, the Cyber Resilience Act (CRA), NIS2, the Digital Operational Resilience Act (DORA), and the GDPR, leading to unnecessary administrative burdens and diverting focus from actual risk mitigation. Targeted legislative changes should align reporting thresholds, standardize formats, and streamline obligations to reduce compliance complexity and enhance overall effectiveness.