Industry Calls for Keeping ENISA Independence

The European Commission is reviewing the 2019 Cybersecurity Act (CSA) with a focus on expanding ENISA’s mandate, particularly in the area of cybersecurity certification schemes. The proposed changes aim to simplify existing rules and strengthen ENISA’s authority, allowing it to oversee the development of certification frameworks that ensure ICT products meet the EU’s cybersecurity standards. However, the process has sparked concerns among telecom operators, trade unions, and industry groups about the risk of political interference undermining ENISA’s technical independence.

Industry stakeholders, including the tech association CCIA and companies like Amazon and Lenovo, have stressed the importance of keeping ENISA’s role grounded in technical expertise rather than political considerations. They warn that introducing non-technical factors such as vendor nationality or company headquarters could compromise the effectiveness of cybersecurity frameworks, hinder innovation, and conflict with the EU’s principles of non-discrimination and fair market access.

The debate over the EU Cloud Services (EUCS) certification scheme has underscored these tensions, with France advocating for the continued use of its national SecNum Cloud scheme. Meanwhile, the European Parliament and Commission are considering broader measures to enhance technological sovereignty, reduce dependence on non-European providers, and protect the EU’s strategic infrastructure, as seen in the forthcoming Cloud and AI Development Act.

Consultation participants have also called for increased funding and resources for ENISA, noting that its staffing levels have not kept pace with its expanding responsibilities. As the Commission prepares a Digital Fitness Check by the end of 2025 to assess and simplify tech regulations, the CSA and ENISA’s evolving mandate will remain central to the EU’s cybersecurity and digital sovereignty agenda.