EPRS reveals critical Cybersecurity Act impact assessment gaps
https://dig.watch/updates/eprs-cybersecurity-act-impact-assessment
Publish Date: 2026-06-15 05:55:00
Source Domain: dig.watch
The Cybersecurity Act review covers ENISA, EU certification, NIS2 simplification and ICT supply chains.
The European Parliamentary Research Service has published an initial appraisal of the European Commission’s impact assessment for the proposed revision of the Cybersecurity Act, finding that the Commission makes a strong case for reform while leaving several analytical gaps.
The Commission proposed the revision on 20 January 2026, alongside a directive on simplification measures under the NIS2 Directive. The proposals were referred to the European Parliament’s Committee on Industry, Research and Energy.
The package covers ENISA’s mandate, the European Cybersecurity Certification Framework, NIS2 compliance simplification and a proposed EU-level framework for ICT supply chain security. EPRS said the impact assessment responds to a more complex cybersecurity landscape, stalled implementation of certification rules, fragmented compliance requirements and growing supply chain risks.
The briefing found that the Commission’s assessment effectively substantiates the need to revise the Cybersecurity Act. It praised the problem definition, intervention logic, use of qualitative and quantitative analysis, SME test, competitiveness check and transparency around evidence and methodology.
However, EPRS also identified weaknesses. It said the assessment lacks operational objectives, does not include a subsidiarity grid despite the initiative’s political significance, and has no distinct proportionality section. The briefing also questioned whether some policy options are sufficiently distinct, noting that they appear partly cumulative.
The briefing concluded that the Commission’s legislative proposals are mostly aligned with the preferred options in the impact assessment, although some issues remain.
Why does it matter?
The Cybersecurity Act revision could reshape several pillars of EU cyber policy at once, including ENISA’s role, cybersecurity certification, NIS2 compliance and ICT supply chain security. EPRS’s appraisal matters because it provides lawmakers with an early quality check of the evidence underpinning the Commission’s proposal. The briefing suggests the policy case for reform is strong, but also highlights gaps that may become important during parliamentary scrutiny, especially around proportionality, subsidiarity and the design of policy options.