A closer look at the EU’s CSA2 and NIS2 updates, ISC2 member feedback and what the proposals mean for cybersecurity professionals.
On 20 January 2026, the European Commission published a cybersecurity package proposing updates to two pillars of the existing EU cyber framework1. The package does not create new regimes; instead, it updates two existing instruments: the 2019 Cybersecurity Act, via the Cybersecurity Act 2 (CSA2) revision, and the NIS2 Directive, via the NIS2 Simplification amendment. A summary of the proposed updates and ISC2's findings from surveying its members follows.
The Cybersecurity Act 2 (CSA2)
The first Cybersecurity Act, adopted in 2019 and updated in 2023 to bring managed security services into scope, established a voluntary EU cybersecurity certification framework and set the mandate of the European Union Agency for Cybersecurity (ENISA, the EU's cyber policy support and certification body). The revision proposes four main changes:
- First, a new framework for ICT supply chain security. The European Commission would gain powers to designate third countries as posing serious cybersecurity risks, classify suppliers controlled by those countries as high risk and restrict the use of their components and certain data transfers.
- Second, a simplified European Cybersecurity Certification Framework, with clearer scope, more efficient governance and a default 12-month timeline to develop a scheme. Organisations would also be able to obtain a "cyber posture certification" usable as evidence of compliance with NIS2 obligations.
- Third, voluntary EU-level individual cybersecurity skills attestation schemes, built around the European Cybersecurity Skills Framework (ECSF) role profiles and delivered by authorised attestation providers.
- Fourth, a reinforced ENISA, with its budget increased by more than 75% and new responsibilities including early threat alerts, ransomware response support and improved vulnerability management services.
What This Means for ISC2 Members
Three changes stand out:
A new category: "key ICT assets". The proposal introduces this concept in EU law. It covers components, systems or services whose failure or compromise could seriously disrupt the EU's critical sectors. The Commission decides which assets qualify, sector by sector, through implementing acts.
Binding mitigation measures. The Commission could impose obligations on organisations along ICT supply chains. These include transparency on suppliers, restrictions on data transfers and outsourcing, personnel vetting and supplier diversification.
Hard rules for telecoms. Mobile, fixed and satellite network providers would have to phase out components from designated high-risk suppliers within 36 months. Penalties for the most serious infringements could reach 7% of worldwide annual turnover.
It is important to note that CSA2 is at the start of its legislative journey. Negotiations between the European Parliament and the Council are expected to run into the second half of 2027. The final text, in particular on supply chain security, may change significantly.
The NIS2 Simplification
The targeted NIS2 amendment is intended to ease compliance without reopening the substance of the Directive. The main changes are as follows:
- A new category of small mid-cap entities2, designated as important rather than essential, with a lighter supervisory and penalty regime
- The removal of micro and small3 DNS providers from the scope of the Directive
- New ransomware disclosure obligations under Article 23, including, on request, information on whether a ransom was paid
- An obligation for non-EU entities in scope4 to designate an EU-based representative
- New guidelines on supply chain security assessments
What This Means for ISC2 Members
Three changes stand out for practitioners:
Less divergence between Member States. Once the Commission issues its implementing acts on cybersecurity risk management measures, Member States can no longer add their own technical or sectoral requirements on top of them. This reduces compliance complexity for organisations operating across borders.
A new compliance route. The cyber posture certification gives organisations an additional way to demonstrate compliance with Article 21 obligations, alongside existing frameworks such as ISO/IEC 27001.
Post-quantum cryptography on the national agenda. Member States must include post-quantum cryptography migration in their national cybersecurity strategy.
What ISC2 Members Told the Commission
In April 2026, ISC2 ran an EU-wide consultation, sent to all EU-based members who had opted in to email communications. Members responded from across diverse sectors and ECSF role profiles. Their input shaped the two formal responses ISC2 submitted to the Commission's public consultations on the proposals.
On the new ransomware disclosure obligation, 57% of respondents said their organisations could comply, with a further 20% indicating compliance was somewhat feasible. Three themes emerged from the qualitative input:
- The difficulty of producing accurate information within the 24-to-72-hour reporting windows;
- The need for clearer liability protection for organisations operating across several Member States; and
- The risk of duplication with sectoral reporting channels such as those under DORA.
On supply chain security, two-thirds of respondents (67%) said their organisation formally assesses the cyber posture of its ICT suppliers. However, only 38% considered it feasible to identify which components come from suppliers owned or controlled by third-country entities, and 75% reported being “only somewhat” or “not prepared” to implement mitigations if a key supplier were designated as a high-risk supplier.
On the cyber posture certification, 36% of respondents indicated their organisation would consider using it to demonstrate NIS2 compliance, and a further 49% said maybe, suggesting solid baseline interest in the new tool.
On the individual skills attestation schemes, members were more sceptical. Many questioned the added value relative to existing internationally recognised certifications. Others raised concerns about cost, complexity and the cumulative compliance load on professionals already navigating NIS2, DORA, the Cyber Resilience Act and the AI Act. Several respondents argued that the EU's workforce challenge is driven primarily by hiring practices, compensation levels and the unavailability of skilled people, not by an absence of attestations.
Next Steps and How to Engage with ISC2 Advocacy
CSA2 and the NIS2 amendment now move to the European Parliament and the Council of the EU for negotiation. Once adopted, Member States will have one year to transpose the NIS2 changes into national law.
ISC2 will continue to represent practitioner perspectives throughout the legislative process. To share your views, experience or concerns on these proposals, especially if you are in the EU, you can reach out to the Advocacy team. The strength of ISC2's policy work rests on the voices of its members.
Endnotes
1. That framework already includes the NIS2 Directive (the EU's main rulebook on cybersecurity risk management and incident reporting for critical sectors), the Cyber Resilience Act (rules for products with digital elements), the Digital Operational Resilience Act (DORA, the EU's financial-sector cyber rulebook) and the Cyber Solidarity Act.
2. Small mid-cap enterprises are defined in Commission Recommendation (EU) 2025/1099 as entities that exceed the standard EU SME thresholds but employ fewer than 750 persons and have annual turnover not exceeding €150 million or annual balance sheet total not exceeding €129 million.
3. Under Commission Recommendation 2003/361/EC, micro enterprises have fewer than 10 employees and turnover or balance sheet at or below €2 million; small enterprises have fewer than 50 employees and turnover or balance sheet at or below €10 million.
4. NIS2 (Directive (EU) 2022/2555) applies to entities operating in sectors listed in Annex I (Highly Critical Sectors: energy, transport, banking, healthcare, digital infrastructure, public administration and others) and Annex II (Other Critical Sectors: postal services, waste management, chemicals, food, certain manufacturing, digital providers and research), provided they are at least medium-sized enterprises under Commission Recommendation 2003/361/EC (50 or more employees, or annual turnover and balance sheet total both above €10 million), subject to a limited set of size-independent exceptions. Under Article 3, Annex I entities that exceed the ceilings for medium-sized enterprises (i.e. large enterprises) are classified as essential entities; other in-scope entities, whether medium-sized Annex I entities or Annex II entities, are classified as important entities. Essential entities are subject to a stricter supervisory and penalty regime.