Brussels Advances Cybersecurity Agenda While Privacy Regulators Reinforce Guardrails

Key Takeaways
  • Cybersecurity Expansion Meets Privacy Safeguards: The EDPB and EDPS support CSA2 and NIS2 reforms while emphasizing that fundamental rights must remain protected.
  • ENISA’s Role Grows With Clear Limits: The agency’s expanded mandate is backed, but with defined boundaries to maintain data protection oversight.
  • Certification Frameworks Need Better Alignment: Greater coordination with GDPR is needed to prevent fragmented or duplicative compliance requirements.
  • Simplified Reporting Gains Support: A single-entry breach notification system could reduce administrative burden without weakening protections.
  • Digital Identity Becomes Critical Infrastructure: Identity and business wallet providers are set to face stricter obligations under NIS2 amendments.
Deep Dive

In a joint opinion, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) gave their support to the European Commission’s proposed Cybersecurity Act 2 (CSA2) and targeted amendments to the NIS2 Directive. The package, introduced in January, is designed to strengthen cybersecurity across the EU while easing the compliance burden on organizations.

The endorsement, however, is measured. Both bodies make clear that as cybersecurity frameworks expand, they must remain anchored in the core principles of EU data protection law.

“The relationship between data protection and cybersecurity is reciprocal and deeply interconnected,” said EDPB Chair Anu Talus. “While cybersecurity supports the protection of personal data… it is crucial to ensure that security controls are implemented in a way that does not undermine individuals’ fundamental rights and freedoms.”

A Stronger Cybersecurity Backbone

At the heart of the Commission’s proposal is a more prominent role for the European Union Agency for Cybersecurity, ENISA. The EDPB and EDPS broadly support this shift, particularly as risks tied to ICT supply chains continue to expand beyond purely technical vulnerabilities.

But the support is not unconditional.

The joint opinion welcomes clearer rules on how ENISA provides guidance, especially provisions that ensure its advice is issued only upon request from the EDPB. This, the authorities suggest, helps preserve a clear division of responsibilities between cybersecurity coordination and data protection oversight. They also recommend formally extending that request mechanism to the EDPS.

There is also a note of caution around how far ENISA’s authority should stretch. If its Management Board adopts measures related to the processing of personal data, those measures, the opinion says, should be limited to technical implementation details and subject to prior consultation with the EDPS.

It is a careful balancing act of strengthening centralized cybersecurity capabilities without diluting the role of independent privacy oversight.

Certification Still Searching for Alignment

The Commission’s ambition to expand cybersecurity certification across the EU is another area where the authorities see clear value, particularly in helping organizations navigate risk across complex digital and supply chain environments.

Still, the opinion points to unfinished business.

The relationship between the EU’s cybersecurity certification framework and GDPR certification remains unclear, creating the potential for overlap without full alignment. To address this, the EDPB and EDPS recommend closer coordination, including consultation with the EDPB before ENISA adopts certification schemes tied to personal data processing.

They also emphasize that certification schemes for products, services, and processes should, where possible, incorporate controls that help demonstrate compliance with GDPR requirements.

For organizations, this signals a shift. Certification is no longer just about technical assurance; it is becoming part of how compliance is evidenced across regimes.

Easing Compliance Without Lowering the Bar

One of the more practical elements of the Commission’s package is its focus on reducing administrative friction, and here the authorities are largely supportive.

The proposal for a single-entry point for personal data breach notifications is endorsed as a way to simplify reporting obligations for organizations operating across multiple jurisdictions. The key caveat is that simplification must not weaken the level of protection afforded to individuals.

The joint opinion also calls for a broader approach to cybersecurity capability building. The European Cybersecurity Skills Framework, the authorities argue, should extend beyond specialists to include the wider workforce, reflecting the reality that cyber risk is now embedded across the organization.

NIS2 Expands the Definition of Critical

On the NIS2 side, the proposed amendments continue to widen the scope of what is considered essential to Europe’s digital infrastructure.

As digital identity systems become more central to both public services and private sector transactions, regulators appear increasingly intent on treating them as critical infrastructure rather than peripheral tools.

The joint opinion does not challenge the Commission’s direction. If anything, it reinforces it. But it does so with a clear sense of boundary-setting.

Cybersecurity and data protection, the authorities suggest, cannot be pursued in isolation. The two are intertwined, and efforts to strengthen one must not erode the other.
