EU Cybersecurity Act: strategy, scope and stakes

Written by Marc Lütz

The EU’s Cybersecurity Act reboot: bold ambitions and new direction

The revision of the EU Cybersecurity Act is set to become a defining pillar of the European Union’s strategy for digital resilience, industrial competitiveness and collective security. A new proposal is expected in the fourth quarter of 2025, with the aim of clarifying the mandate of the European Union Agency for Cybersecurity (ENISA), strengthening the EU Cybersecurity Certification Framework, and simplifying how businesses and public authorities engage with the EU’s cybersecurity architecture.

This is more than a regulatory update. According to Executive Vice-President Henna Virkkunen, the revised EU Cybersecurity Act represents a strategic reset, aligning cybersecurity with the European Union’s broader economic and defence objectives, and placing digital security on a level footing with energy and industrial policy.

Recent developments highlight this shift. On 1 April 2025 the European Commission published the ProtectEU strategy, signalling a coordinated approach to safeguarding critical infrastructure against physical, cyber and hybrid threats. It followed the White Paper for European Defence Readiness 2030, which identifies cybersecurity as essential to military readiness, strategic deterrence and the integrity of Europe’s supply chains.

Together, these initiatives confirm that cybersecurity is no longer a specialist or technical concern. It is now a central component of European sovereignty, strategic planning and long-term competitiveness.


From frameworks to firewalls: where EU cybersecurity stands today

The Union already has a robust legislative toolkit. The Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive), which Member States had to transpose into national law by 17 October 2024, is the cornerstone of European Union cybersecurity coordination. It expands risk-management and incident-reporting obligations across 18 sectors and mandates closer cross-border cooperation.

Supporting this are key agencies and programmes. ENISA plays a central role in certification, implementation and crisis response. The 2019 EU Cybersecurity Act gave ENISA a permanent mandate and created the European cybersecurity certification framework under which the Union’s trusted certification schemes are developed. Meanwhile, the Cyber Resilience Act introduced lifecycle security requirements for products with digital elements, and the Cyber Solidarity Act set up a shared, cross-border network of threat-detection hubs, proposed as the European Cyber Shield.

These rules are backed by money and talent strategies. The Digital Europe Programme has earmarked €1.9 billion for cybersecurity, with further resources coming from Horizon Europe and InvestEU. The Cybersecurity Skills Academy, launched during the European Year of Skills, is one answer to Europe’s growing digital talent crunch.

But if laws and funding are the foundation, global diplomacy and real-world crisis planning are the scaffolding. Through cyber dialogues with international partners and coordination under the new Cyber Blueprint, the European Union is working to make its cybersecurity rules operational, cross-border and field-tested.


Encryption, lawful access and the political balancing act

One of the biggest tensions in European Union cybersecurity today is the question of lawful access. How can public authorities investigate crime while protecting encrypted communications?

The Commission’s upcoming Technology Roadmap on encryption aims to find this balance. It is expected to propose technical and legal options for lawful access by law enforcement without undermining cybersecurity or privacy. At the same time, the European Union will revisit its data retention framework, which could reignite long-standing debates on surveillance and fundamental rights.

The planned European Critical Communications System is another major step. This common communications platform would help first responders and authorities act quickly during cyber or hybrid crises. But delivering it means overcoming fragmentation between Member States, which is no small task.


Why the EU Cybersecurity Act revision matters

Since 2019, the Cybersecurity Act has underpinned much of the European Union’s regulatory progress in this space. But the digital world has changed fast and the current law has not kept pace with emerging threats, overlapping frameworks, and operational needs.

The updated Act is anticipated to simplify and harmonise certification, clarify ENISA’s evolving responsibilities, and respond to stakeholder calls for smoother, more transparent compliance. It is also expected to align cybersecurity with the Union’s industrial policy, focusing on strengthening the European Union’s cybersecurity supply chain and reducing dependence on non-European Union vendors.

With cyberattacks targeting everything from hospitals to satellites, the stakes have never been higher. For businesses and governments alike, a streamlined and effective EU Cybersecurity Act is not just a compliance tool. It is a defence layer.


The wider strategic picture of the EU Cybersecurity Act

This reform does not sit in a vacuum. It is part of a wider package of strategic files emerging from the Commission. The ProtectEU strategy positions cybersecurity at the heart of European Union resilience, emphasising public and private cooperation, institutional preparedness and stronger links between civil, military and digital sectors.

At the same time, the White Paper for European Defence Readiness 2030 identifies cybersecurity as a top capability gap and calls for faster, joined-up investment. According to Commissioner Virkkunen, this includes support for dual-use digital technologies, increased interoperability and integrated crisis planning.

Member States will still drive most national defence decisions, but Brussels is making the case that without shared digital foundations, Europe cannot claim to be secure.


What does the European Parliament make of this?

The European Parliament is already weighing in. During a recent meeting of the Security and Defence Subcommittee (SEDE), some Members of the European Parliament warned that the White Paper and related cyber initiatives lacked clarity. They wanted more detail on timelines, funding and Member State responsibilities.

Others saw the Commission overreaching into defence matters. But most agreed on the urgency of boosting resilience, especially after recent cyberattacks and revelations of foreign interference. One voice stood out: Member of the European Parliament Hannah Neumann highlighted Europe’s one-million-person cyber skills gap and urged the Commission to use the Blue Card system to attract talent from abroad.

Commissioner Virkkunen responded with a call for pragmatism. She confirmed plans to explore talent attraction and stressed that the revision of the EU Cybersecurity Act was key to making Europe a secure, sovereign digital power.


What does the EU Cybersecurity Act revision mean for businesses?

For businesses, the revision of the Cybersecurity Act will not simply shift regulatory expectations. It will reshape how cybersecurity is embedded into operations, supply chains and product development across the single market. Certification is anticipated to become an essential component of market access and trust-building, particularly in sectors covered by NIS2.

Clarity on ENISA’s role could also streamline interactions with national authorities and reduce duplication across Member States. For firms operating cross-border, this may result in more predictable compliance pathways and fewer fragmented certification requirements. However, simplification could come with stricter oversight. Businesses can expect increased scrutiny of vendors, more structured incident reporting obligations, and stronger links between cybersecurity performance and public procurement eligibility.

The reform will also reinforce the expectation that businesses contribute to collective resilience. This includes participation in information-sharing mechanisms, alignment with certification schemes, and engagement in public-private cooperation through cyber exercises and joint preparedness planning. The bar will rise, and so will the penalties for non-compliance. Companies that treat this solely as a technical issue risk falling behind. Those that approach it as a strategic opportunity to align with Europe’s digital sovereignty agenda may gain first-mover advantages, particularly in sectors such as healthcare, mobility, energy and cloud infrastructure.


What are the next steps?

The public consultation on the revised EU Cybersecurity Act is open from 11 April to 20 June 2025. This is the key moment for businesses, civil society, and national governments to influence the direction of EU cybersecurity policy. The European Commission plans to adopt the legislative proposal in the fourth quarter of 2025, as part of its broader agenda to enhance internal security and digital resilience.

From encryption to certification, and from regulation to resilience, the revised Cybersecurity Act will help shape the digital foundations of the European Union. It will clarify ENISA’s mandate, overhaul the cybersecurity certification framework and prioritise support for a secure and resilient EU supply chain. Companies that grasp the political, operational and market dimensions of this shift will be best positioned to thrive in the secure, sovereign Europe that the Commission aims to build.

The clock is ticking, and this time, Brussels is not planning to wait.
