{"id":178991,"date":"2026-01-16T09:58:00","date_gmt":"2026-01-16T14:58:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/16\/eu-commission-prepares-cybersecurity-act-revision-expanding-certification-scope\/"},"modified":"2026-01-16T11:05:09","modified_gmt":"2026-01-16T16:05:09","slug":"eu-commission-prepares-cybersecurity-act-revision-expanding-certification-scope","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/16\/eu-commission-prepares-cybersecurity-act-revision-expanding-certification-scope\/","title":{"rendered":"EU Commission prepares cybersecurity act revision expanding certification scope"},"content":{"rendered":"<p><a href=\"https:\/\/brusselsmorning.com\/eu-commission-prepares-cybersecurity-act-revision-expanding-certification-scope\/91564\/\">EU Commission prepares cybersecurity act revision expanding certification scope<\/a><\/p>\n<p><a href=\"https:\/\/brusselsmorning.com\/eu-commission-prepares-cybersecurity-act-revision-expanding-certification-scope\/91564\/\">https:\/\/brusselsmorning.com\/eu-commission-prepares-cybersecurity-act-revision-expanding-certification-scope\/91564\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-16 09:58:00<\/a><\/p>\n<p>Source Domain: <a href=\"brusselsmorning.com\">brusselsmorning.com<\/a><\/p>\n<p>Brussels (Brussels Morning Newspaper) January 16, 2026 \u2013 The European Commission plans to revise the Cybersecurity Act expanding certification schemes to cover companies\u2019 overall risk-management posture alongside ICT products and services. The legislative proposal responds to stalled implementation of 12 existing schemes and aims to introduce clearer procedural rules affecting cloud providers, 5G networks, and managed security services. 
The Commission expects to publish the revised regulation on January 20, following a public consultation that revealed broad stakeholder support for harmonisation and reduced administrative burdens.<br \/>\nThe review addresses slow progress since the 2019 Cybersecurity Act established ENISA\u2019s permanent mandate and a voluntary EU certification framework. Only the EU Common Criteria scheme achieved formal adoption, while cloud, 5G, and digital identity wallet certifications remain under development due to procedural complexities and lack of transparency.<br \/>\nLuca Bertuzzi highlighted draft details. Luca Bertuzzi said in an X post,<br \/>\n\u201cEU Commission plans to expand cybersecurity certificates to cover companies\u2019 overall risk-management posture, a draft of the revamped Cybersecurity Act shows. The reform aims to revive stalled EU cyber certification by introducing clearer procedural rules.\u201d<\/p>\n<p>https:\/\/t.co\/sxvrr47Otk<br \/>\n\u2014 Luca Bertuzzi (@BertuzLuca) January 16, 2026<\/p>\n<p>Cybersecurity Act evaluation reveals implementation challenges<br \/>\nThe Commission conducted the mandatory five-year evaluation, which was postponed multiple times and finally completed in December 2025, documenting limited progress on the certification framework. Stakeholders identified procedural delays, transparency issues, and the lack of a Union Rolling Work Programme as hindering long-term planning for public authorities and industry participants. 
The evaluation noted a 150% increase in cyberattacks during 2024, alongside an expanding regulatory landscape, including the NIS2 Directive, the Cyber Resilience Act, and the Cyber Solidarity Act, that further complicates compliance.<br \/>\nENISA\u2019s growing responsibilities under new legislation require mandate clarification and additional financial and staffing resources for it to serve as central technical coordinator across 27 member states. Respondents to the public consultation expressed consensus on streamlining cybersecurity measures, enhancing resilience, simplifying reporting obligations across the NIS2, CRA, and GDPR frameworks, and establishing a single EU incident notification platform.<br \/>\nCertification framework expansion targets managed security services<br \/>\nA targeted amendment in January 2025 enabled the future adoption of European certification schemes for managed security services, covering incident response, penetration testing, security audits, and consultancy services. The revision addresses limitations of the current framework, which focuses primarily on ICT products and services rather than comprehensive organisational risk management approaches. The expanded scope includes company-wide cybersecurity posture assessment beyond individual product certifications.<br \/>\nThe draft proposal introduces tiered assurance levels (basic, substantial, and high) with corresponding technical requirements and third-party conformity assessment obligations. ENISA is tasked with designating additional European cybersecurity laboratories, expanding beyond the current 12 schemes covering cloud services, 5G networks, digital identity wallets, managed security services, and operational technology systems.<br \/>\nENISA mandate strengthening addresses operational responsibilities growth<br \/>\nStakeholders agree that ENISA mandate clarification is necessary, reflecting expanded operational responsibilities and coordination requirements under NIS2, the CRA, and the Cyber Solidarity Act. 
The agency is positioned as central technical coordinator, promoting consistency and harmonising implementation across member states to reduce the regulatory divergence that currently complicates compliance efforts. Expanded financial resources and staffing are required to ensure it can manage its growing portfolio effectively.<br \/>\nThe Commission gathered stakeholder views on ICT supply chain security challenges and simplification opportunities during the public consultation phase. Respondents highlighted non-technical risks, including geopolitical dependencies, as requiring certification framework attention alongside technical security assurances for products and services.<br \/>\nRisk management posture certification covers organisational practices<br \/>\nThe proposed expansion covers companies\u2019 overall risk-management posture, including governance policies, procedures, and supply chain security practices, beyond product-specific certifications. Certification schemes assess organisational maturity against frameworks aligned with ISO\/IEC 27001 standards, ensuring that a comprehensive cybersecurity approach is implemented and monitored. Third-party assessors evaluate risk assessment processes, incident response capabilities, supply chain risk management, and continuous improvement mechanisms.<br \/>\nENISA develops harmonised evaluation criteria and assurance levels, ensuring interoperability and mutual recognition across member states and eliminating national scheme fragmentation. Market surveillance authorities access certification documentation for post-market monitoring, enforcing ongoing compliance obligations and coordinating cybersecurity incident reporting requirements.<br \/>\nCloud services, 5G networks enter mandatory certification schemes<br \/>\nCloud service providers face substantial assurance level certification covering encryption key management, access controls, multi-tenancy isolation, and data residency compliance requirements. 
The ENISA Cloud Certification Scheme harmonises EUCS Level 1-3 requirements, transparency, audit logging, and vulnerability management processes, establishing single EU-wide recognition and eliminating 27 national schemes.<br \/>\n5G telecommunications networks require certification of core network functions, radio access networks, and edge computing platforms serving 450 million EU subscribers. The Commission integrates 5G Cybersecurity Toolbox measures into mandatory certification obligations, ensuring network function virtualisation and software-defined networking security, multi-vendor interoperability verification, and supply chain risk management.<br \/>\nProcedural simplification accelerates stalled certification schemes<br \/>\nThe draft legislation introduces clearer procedural rules to revive stalled certification development, addressing the current framework\u2019s transparency and predictability issues. A regularly updated Union Rolling Work Programme gives industry long-term planning certainty and improves the efficiency of public-private coordination. Fast-track procedures apply to high-priority schemes, including cloud, 5G, managed security services, and digital identity wallets, to meet 2028 market readiness timelines.<br \/>\nAn ENISA certification portal, a digital submission platform, streamlines conformity assessment documentation processing and stakeholder coordination. Simplified procedures for micro-SMEs, reduced documentation obligations, and technical assistance programmes support 85% EU digital economy small business participation in cybersecurity compliance ecosystem development.<br \/>\nStakeholder convergence supports regulatory simplification efforts<br \/>\nPublic consultation responses demonstrated broad agreement on streamlining cybersecurity measures, enhancing resilience, and simplifying the EU regulatory landscape, reducing administrative burden and compliance costs for organisations operating across member states. 
Respondents called for harmonising definitions and reporting requirements and for establishing a single EU incident notification platform to address overlapping obligations under the NIS2, CRA, and GDPR frameworks.<br \/>\nStrengthening ENISA\u2019s central coordinator role is a consensus position, promoting consistency and harmonised implementation and reducing the regulatory divergence that currently fragments cybersecurity compliance efforts in the single market. The Commission\u2019s Digital Omnibus regulation proposal complements the certification framework revision by establishing a unified incident reporting platform for operational coordination.<br \/>\nSupply chain security addresses non-technical risk factors<br \/>\nThe certification framework expansion addresses non-technical supply chain cybersecurity risks, including geopolitical dependencies and vendor reliability assessment, beyond traditional technical product security evaluations. Organisational certification schemes evaluate third-party risk management, software bill of materials generation, continuous monitoring capabilities, and the detection of and coordinated response to supply chain compromise.<br \/>\nENISA develops supply chain security assurance requirements, cryptographic module validation, Common Criteria alignment, and interoperability with international standards. The Commission\u2019s Cyber Resilience Act integration establishes a presumption of conformity for certified products, along with enforcement coordination among market surveillance authorities and consolidation of the digital single market.<br \/>\nInternational standards alignment ensures global interoperability<br \/>\nRevised schemes align with the ISO\/IEC 27001 information security management, ISO\/IEC 27017 cloud security, and ISO\/IEC 27018 data protection standards, ensuring mutual recognition with third-country schemes and facilitating global market access. 
Alignment with Common Criteria ISO\/IEC 15408 evaluation assurance levels, FIPS 140 cryptographic validation, and NIST frameworks provides for interoperability with US schemes, coordination, and the establishment of international cooperation frameworks.<br \/>\nThe Commission participates in ISO\/IEC JTC 1\/SC 27 cybersecurity standards development, ITU-T telecommunications security, and ISO\/IEC 30111 vulnerability handling, ensuring the competitiveness of EU schemes, participation in global supply chains, and easier compliance for third-country manufacturers.<br \/>\nDigital Europe Programme funds certification infrastructure development<br \/>\nThe Commission\u2019s Digital Europe Programme 2026-2028 allocates funding for ENISA cybersecurity laboratories, infrastructure, digital platforms, and certification framework development, supporting 18 facilities in establishing technical competence, accreditation, and international recognition. Micro-SME technical assistance programmes, simplified self-assessment procedures, and reduced documentation obligations ensure small business cybersecurity compliance and maintain market competitiveness.<br \/>\nThe Connecting Europe Facility (CEF2 Digital) integrates cybersecurity certification requirements into funding allocation for cross-border digital infrastructure projects, strengthening connectivity resilience in critical sectors and harmonising supply chain security obligations.<br \/>\nMarket surveillance coordination ensures post-certification compliance<br \/>\nNational cybersecurity authorities coordinate market surveillance of certified products, post-market monitoring, and enforcement of cybersecurity incident reporting obligations across 27 member states, ensuring that ongoing compliance requirements are fulfilled. 
The Commission Rapid Alert System coordinates incident information sharing, threat intelligence exchange, the operation of vulnerability coordination platforms, and integration with national CSIRT teams.<br \/>\nENISA Cybersecurity Incident Review Teams deploy for post-incident investigations, supply chain compromise analysis, attribution coordination, international cooperation frameworks, information sharing, and the operation of threat intelligence platforms, strengthening the cybersecurity resilience of the digital single market.<br \/>\nQuantum-ready cryptography migration planning requirements integration<br \/>\nHigh assurance certification schemes mandate quantum-safe cryptography migration roadmaps, post-quantum algorithm integration, NIST PQC standards selection, and documentation of hybrid transition strategies, ensuring long-term cryptographic resilience. The Commission\u2019s Quantum Technologies Flagship funds quantum-safe VPNs, key management, and cryptographic agility platforms, coordinating their deployment by critical infrastructure operators.<br \/>\nThe ENISA Quantum-Safe Cryptography Framework guides 5G networks, cloud platforms, and operational technology controllers in cryptographic inventory assessment and the implementation of risk management strategies, in coordination with national quantum readiness strategies and toward the achievement of Digital Decade cybersecurity targets.<br \/>\nSME-friendly certification procedures and technical assistance provision<br \/>\nThe European Union has prioritized SME-friendly certification procedures and technical assistance provisions to bolster cybersecurity resilience among micro, small, and medium-sized enterprises (SMEs), recognizing their critical role in the digital single market. Traditional certification processes often burden SMEs with excessive costs, complexity, and documentation requirements that hinder adoption. 
To address this, the EU promotes simplified certification self-assessment procedures tailored for micro-SMEs, featuring reduced paperwork, streamlined audits, and self-declaration options under frameworks like the Cyber Resilience Act (CRA) and EU Cybersecurity Certification Framework. These measures enable smaller businesses to demonstrate compliance with baseline security standards without prohibitive resource demands, fostering trust in their digital offerings.<br \/>\nComplementing these reforms, dedicated technical assistance funding programmes support the digital transformation and cybersecurity compliance of approximately 2.8 million EU small businesses. Initiatives channelled through the Digital Europe Programme and Horizon Europe provide grants, low-interest loans, and expert consultancy to facilitate vulnerability management, secure software development, and supply chain risk mitigation.\u00a0<br \/>\nThe European Union Agency for Cybersecurity (ENISA) plays a pivotal role via its SME Cybersecurity Portal, which offers free, accessible guidance, customizable templates, self-assessment toolkits, and practical resources for threat detection, incident response, and secure configuration. 
These tools empower SMEs to identify gaps, implement controls, and meet emerging supply chain security requirements, enhancing overall market competitiveness.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>EU Commission prepares cybersecurity act revision expanding certification scope https:\/\/brusselsmorning.com\/eu-commission-prepares-cybersecurity-act-revision-expanding-certification-scope\/91564\/ Publish Date: 2026-01-16 09:58:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":178992,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/brusselsmorning.com\/wp-content\/uploads\/EU-Commission-prepares-cybersecurity-act-revision-expanding-certification-scope.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-178991","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/178991"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=178991"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/178991\/revisions"}],"predecessor-version":[{"id":178993,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/178991\/revisions\/178993"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/178992"}],"wp:attachment"
:[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=178991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=178991"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=178991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}