As the EU moves to streamline its cybersecurity legislative framework, ISC2 brought together senior policymakers, regulators and practitioners in Brussels to examine what reform must deliver for the cybersecurity professionals responsible for implementing it.
The EU's cybersecurity regulatory agenda is entering a new phase. After years of landmark legislation — the NIS2 Directive, the Cyber Resilience Act, DORA, the Cyber Solidarity Act — the focus is shifting from enacting rules to making them work. The European Commission's Digital Omnibus package and the proposed Cybersecurity Act 2 (CSA2) represent the most significant efforts yet to streamline and consolidate the EU cybersecurity regulatory framework. On March 2, 2026, ISC2 convened a policy discussion in Brussels on the Digital Omnibus and CSA2. These reforms will have a direct impact on cybersecurity practitioners in the EU in relation to incident reporting and skills validation.
Tara Wisniewski, ISC2's EVP for Global Advocacy and Strategic Engagement, moderated the event, which brought together Boryana Hristova, Head of Sector for Cybersecurity of Critical Infrastructure at DG CONNECT, European Commission; Paul Diegel, Head of Office to MEP Markéta Gregorová, who is leading the European Parliament's work on CSA2; and Pieter Byttebier, Head of International Policy and EU Affairs at the Centre for Cybersecurity Belgium (CCB). Attendees included representatives from EU institutions, national authorities, industry and academia.
What the Data Shows
Tara Wisniewski opened with EU-specific insights from ISC2's 2025 Cybersecurity Workforce Study to provide context for the discussion. The findings are striking. Across the EU, 94% of cybersecurity professionals report at least one skills need in their organisations, up from 89% the previous year. More concerning still, 54% describe those needs as critical or significant, compared to just 36% in 2024. When asked about the main obstacles to meeting regulatory requirements, EU respondents ranked skills shortage first, cited by 54%, ahead of insufficient guidance from authorities (47%) and lack of funding (46%). Preparedness across the EU cybersecurity regulatory framework remains incomplete: only 33% of EU respondents report being completely prepared for the NIS2 Directive, 29% for the Cyber Resilience Act, and 27% for DORA. Meanwhile, 56% say their organisations’ cybersecurity budget would need to increase by 10% or more to comply with current obligations.
On simplification priorities, respondents were clear: 62% identified alignment of international standards with EU regulatory requirements as the top area for improvement, ahead of harmonising incident reporting timelines (50%) and reducing compliance costs (47%).
Streamlining Incident Reporting
Hristova, from DG CONNECT, outlined the Commission's two-track approach. The first concerns incident reporting, where the Digital Omnibus introduces a "report once, share with many" model through a Single Entry Point (SEP). The second, broader track runs through CSA2: modernising the overall architecture, introducing maximum harmonisation for future implementing acts, and reducing the jurisdictional complexity that is creating friction for cross-border organisations.
Byttebier, from CCB, welcomed the direction but flagged a practical concern: the SEP is currently designed to serve two distinct purposes simultaneously (simplifying cross-border notification and supporting national certification processes), which adds implementation complexity. His recommendation was to build it incrementally, proving the concept before expanding scope. Byttebier added that ransomware reporting as a new obligation within a simplification package warrants careful consideration.
The audience raised the governance dimension. Nina Olesen from ECSO noted that Member States have different institutional structures and asked whether the SEP might initially create reporting gaps. Hristova pointed to existing technical cooperation within the NIS Cooperation Group as a foundation to build on, confirming that alignment of incident reporting templates is already underway.
Certification Schemes: Lessons from a Slow Start
On certification, the panel was candid. Over the past seven years, the current Cybersecurity Act framework has produced a single scheme. Hristova acknowledged the system has not functioned as intended. Byttebier identified two structural causes: insufficient clarity on scope and poorly defined responsibilities for advancing schemes through to completion.
CSA2 addresses both by introducing explicit timelines and clearer divisions of responsibility. Diegel, from the office of MEP Markéta Gregorová, noted that the scheme's success will ultimately depend on whether industry can be incentivised to adopt certification and whether requirements can be grounded in real operational practice. He also noted that the European Union Agency for Cybersecurity (ENISA) will need significantly more resources to deliver.
Byttebier, from CCB, suggested a practical path: considerable expertise already exists across Member States, and ENISA could act as a coordinating umbrella rather than building everything in-house.
On international standards, audience member Marta Przywala from SAP flagged that international certifications could serve as a basis for presumption of conformity alongside EU schemes, potentially easing compliance burdens. Byttebier concurred that meaningful engagement with international standards bodies will be essential.
ISC2 noted that the role of industry in developing certification schemes has, to date, been limited, and that the current CSA2 proposal does not yet adequately address this.
Skills Attestation: A Useful Reference Point, but Questions Remain
CSA2 proposes European individual cybersecurity skills attestation schemes, linked to the European Cybersecurity Skills Framework (ECSF) role profiles. Byttebier, from CCB, saw value in establishing a common EU-level reference point for cybersecurity competencies, responding to a genuine market need. He raised two implementation risks: the relationship with academic qualifications needs to be clarified to avoid creating disconnected parallel systems, and any scheme must be designed with flexibility, given how rapidly the profession evolves. Tara Wisniewski noted that ISC2 certifications are mapped to the ECSF role profiles.
Hristova, from DG CONNECT, pointed to ISC2's own workforce research as a key evidence base, and described the scheme as creating a practical benefit for both employers navigating hiring and professionals mapping their development pathways. Diegel, from the office of MEP Markéta Gregorová, acknowledged the strength of the underlying case but raised concern about reliance on voluntary Member State commitments to drive consistent uptake across the EU.
ISC2's Role and Commitment
ISC2 has been an active partner in EU cybersecurity policymaking, contributing to the development of the ECSF, mapping its certifications to ECSF role profiles, and engaging directly with EU institutions through consultations and structured dialogue.
Under the EU Cybersecurity Skills Academy, ISC2 was the first organisation to pledge support, committing free access to its CC training and examination to a total of 50,000 EU learners, combined with scholarships for women pursuing advanced ISC2 credentials.

