EESC Expert Hearing on the Revision of the Cybersecurity Act

On March 3, 2026, Christina Rupp contributed to an expert hearing of the European Economic and Social Committee (EESC) INT Section on the proposed revision of the Cybersecurity Act and targeted amendments to the NIS2 Directive. The hearing was convened to inform the Committee’s opinion and contribute to the broader debate on strengthening the EU’s cybersecurity resilience and capabilities.

She intervened alongside Marketá Gregorová (Rapporteur, Czechia – Piráti), Zdeněk Hřib (Rapporteur of the European Committee of the Regions and Member of the Local Assembly of the City of Prague), Rob Spiger (Microsoft), Valentin Weber (German Council on Foreign Relations), and Lori Roussey (Data Rights).

In her input, Christina focused on the mandate of ENISA and raised the following points: 

- Recent EU legislation – including the NIS2 Directive, the Cyber Resilience Act and the Cyber Solidarity Act – has significantly expanded ENISA’s responsibilities, while also exposing structural challenges. The reform of ENISA should therefore prioritize consolidation over proliferation and ensure that the Agency is fully able to absorb and deliver on the many tasks it has been assigned in the last years.

- The proposal introduces new operational ambitions for the agency not yet covered in existing EU legislation (e.g. early alert service and a ransomware helpdesk for NIS 2 entities, ENISA membership in CSIRTs Network), raising concerns about overload and the unresolved question of whether ENISA should become an operational actor in its own right or remain primarily a support body for Member-state led operational actions. 

- Amid an already crowded landscape of cybersecurity skills related certification initiatives, it is unclear why the Cybersecurity Skills Academy – particularly the development and maintenance of an individual cybersecurity skills attestation scheme – is given equal strategic weight to ENISA’s other envisioned core pillars (policy implementation, operational cooperation, and certification).

- While strengthening the downstream impact of EU-level cybersecurity efforts is welcome, requiring each Member State to deploy at least two liaison officers to ENISA will be difficult given resource constraints. A network of ENISA-employed regional liaison officers covering three to five EU Member States could offer a more feasible alternative.

- The proposal rightly recognizes the need for increased financial and human resources. Any expansion of ENISA’s mandate will need to be matched by adequate resources, which should be clearly reflected in the next Multiannual Financial Framework.