{"id":74014,"date":"2026-05-18T09:36:37","date_gmt":"2026-05-18T07:36:37","guid":{"rendered":"https:\/\/fedil.lu\/positions\/position-on-the-revised-eu-cybersecurity-act-csa2\/"},"modified":"2026-05-18T09:53:07","modified_gmt":"2026-05-18T07:53:07","slug":"position-on-the-revised-eu-cybersecurity-act-csa2","status":"publish","type":"position","link":"https:\/\/fedil.lu\/de\/positions\/position-on-the-revised-eu-cybersecurity-act-csa2\/","title":{"rendered":"Position on the revised EU Cybersecurity Act (CSA2)"},"content":{"rendered":"<div class=\"text-block js-section\">\n    <h2 class=\"text-block__title\" data-page-navigation=\"\">\n        \n    <\/h2>\n    <div class=\"text-block__text format-text\">\n        <h2 id='s-executive-summary'>EXECUTIVE SUMMARY<\/h2>\n<ul>\n<li>Strengthening cyber resilience, reinforcing EU\u2011level coordination through ENISA and improving coherence across the EU cybersecurity acquis (notably NIS2, the Cyber Resilience Act and DORA) are legitimate and timely objectives.<\/li>\n<li>At the same time, cybersecurity regulation must remain fully compatible with Europe\u2019s competitiveness agenda and the proper functioning of the Single Market.<\/li>\n<li>Cyber resilience, technological sovereignty and economic competitiveness are mutually reinforcing objectives and must be pursued together through a proportionate, risk\u2011based and technology\u2011neutral framework.<\/li>\n<li>Cybersecurity is best achieved through diversification, competition and redundancy in supply chains, rather than through broad supplier restrictions that reduce supplier diversity, increase costs and undermine investment predictability.<\/li>\n<li>The CSA2 framework must remain proportionate and risk\u2011based, technology\u2011neutral, predictable and legally certain.<\/li>\n<li>CSA2 should genuinely simplify and align existing obligations across the EU cybersecurity acquis, avoiding additional layers of regulatory complexity that could divert resources away 
from effective risk reduction.<\/li>\n<\/ul>\n<h3 id='s-governance-and-enisas-role'>Governance and ENISA\u2019s role<\/h3>\n<ul>\n<li>A stronger and better\u2011resourced ENISA, acting as a centre of coordination, expertise and support at EU level, notably through enhanced situational awareness, capacity building and support to Member States, is welcomed.<\/li>\n<li>This reinforcement must remain clearly bounded and technocratic in nature, preserving the institutional balance and national competences and avoiding mandate inflation or excessive prescriptiveness.<\/li>\n<li>ENISA should not evolve into a de facto regulator or standard\u2011setter; formal standardisation must remain the responsibility of European Standardisation Organisations (ESOs), with ENISA focusing on coordination and facilitation.<\/li>\n<li>Robust governance, accountability, confidentiality and data\u2011handling safeguards are essential to maintain trust between authorities and industry.<\/li>\n<\/ul>\n<h3 id='s-european-cybersecurity-certification-framework'>European Cybersecurity Certification Framework<\/h3>\n<ul>\n<li>Cybersecurity certification is welcomed as a presumption of conformity across EU cybersecurity legislation and as a practical compliance tool for businesses.<\/li>\n<li>Certification must remain voluntary, risk\u2011based and interoperable with NIS2, the Cyber Resilience Act, DORA and sector\u2011specific frameworks, and must not become a de facto market\u2011access requirement.<\/li>\n<li>CSA2 should prevent the proliferation of overlapping schemes, ensure realistic timelines for scheme development and maintain meaningful, structured and continuous industry involvement throughout scheme development and implementation.<\/li>\n<li>Certification should function as a genuine compliance enabler, reducing duplication and administrative burden rather than adding new regulatory layers.<\/li>\n<\/ul>\n<h3 id='s-ict-supply-chain-security-and-high-risk-suppliers'>ICT supply chain 
security and high\u2011risk suppliers<\/h3>\n<ul>\n<li>While addressing non\u2011technical risks and geopolitical dependencies is legitimate, the proposed framework raises serious concerns regarding proportionality, legal certainty and market impact.<\/li>\n<li>Broad supplier restrictions risk reducing competition, forcing reliance on a limited number of suppliers, increasing costs, creating capacity bottlenecks and delaying network upgrades, without necessarily delivering proportionate security gains.<\/li>\n<li>Any new restrictive measures must remain evidence\u2011based, transparent and risk\u2011driven, and be subject to robust due\u2011process safeguards and thorough impact assessments.<\/li>\n<li>Exclusion of suppliers should remain a measure of last resort, and priority should be given to targeted mitigation measures.<\/li>\n<li>Legal certainty is further undermined by insufficient clarity regarding the scope of key ICT assets and by asymmetric transition periods across network types.<\/li>\n<li>Clear and exhaustive definitions of key ICT assets must be set directly in the regulation, and transition periods must be predictable, technology\u2011neutral and applicable to all network types, reflecting operational and investment realities.<\/li>\n<\/ul>\n<h3 id='s-economic-impact-and-compensation'>Economic impact and compensation<\/h3>\n<ul>\n<li>The broader economic impact of large\u2011scale supplier changes appears to have been underestimated. 
Preliminary indications from independent European studies point to significantly higher costs than envisaged in the Commission\u2019s impact assessment.<\/li>\n<li>The absence of a financial compensation mechanism is a major shortcoming, given the substantial investments already made by operators in equipment that may need to be phased out for politically driven reasons.<\/li>\n<li>Appropriate compensation mechanisms are necessary to preserve investment confidence, ensure fair treatment and avoid undermining the economic viability of infrastructure operators.<\/li>\n<\/ul>\n<h3 id='s-fedil-calls-on-eu-co-legislators-to'>FEDIL calls on EU co\u2011legislators to:<\/h3>\n<ul>\n<li>ensure a proportionate, legally certain and risk\u2011based CSA2 framework,<\/li>\n<li>preserve competition, diversification and investment predictability in ICT supply chains,<\/li>\n<li>maintain a balanced governance model with a clearly defined and bounded role for ENISA,<\/li>\n<li>make cybersecurity certification a practical, voluntary and effective compliance enabler,<\/li>\n<li>substantially recalibrate Title IV, including scope clarity and predictable transition periods,<\/li>\n<li>reassess the economic impact of supplier changes and introduce appropriate compensation mechanisms,<\/li>\n<li>ensure proportionate, fair and predictable enforcement mechanisms.<\/li>\n<\/ul>\n<p style=\"text-align: center;\"><a href=\"https:\/\/fedil.lu\/wp-content\/uploads\/2026\/05\/20260512_FEDIL_Position-paper_CSA2.pdf\"><strong>READ THE FULL POSITION<\/strong><\/a><\/p>\n\n    
<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"","protected":false},"author":14,"featured_media":60197,"template":"","class_list":["post-74014","position","type-position","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/fedil.lu\/de\/wp-json\/wp\/v2\/position\/74014","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fedil.lu\/de\/wp-json\/wp\/v2\/position"}],"about":[{"href":"https:\/\/fedil.lu\/de\/wp-json\/wp\/v2\/types\/position"}],"author":[{"embeddable":true,"href":"https:\/\/fedil.lu\/de\/wp-json\/wp\/v2\/users\/14"}],"version-history":[{"count":2,"href":"https:\/\/fedil.lu\/de\/wp-json\/wp\/v2\/position\/74014\/revisions"}],"predecessor-version":[{"id":74023,"href":"https:\/\/fedil.lu\/de\/wp-json\/wp\/v2\/position\/74014\/revisions\/74023"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fedil.lu\/de\/wp-json\/wp\/v2\/media\/60197"}],"wp:attachment":[{"href":"https:\/\/fedil.lu\/de\/wp-json\/wp\/v2\/media?parent=74014"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}