ETSI’s Response to the European Commission’s Proposal for the Cybersecurity Act 2

The European Commission’s Cybersecurity Act 2 aims to modernise the bloc’s digital trust framework by expanding mandatory certification for a broader range of products and services. Building on the original 2019 Act, the proposal seeks to create a unified, risk‑based approach that aligns with emerging technologies such as artificial intelligence, edge computing and 5G networks. As the EU’s primary standards development organization, ETSI’s input carries weight in shaping the technical specifications that will underpin the new regime, making its response a key reference for policymakers and industry alike.

ETSI’s position paper highlights three core recommendations. First, it supports a tiered certification model that matches security requirements to the actual risk profile of a device, thereby avoiding a one‑size‑fits‑all mandate. Second, the institute urges the Commission to institute transparent governance structures, including early stakeholder consultation, to ensure that standards remain technically sound and commercially viable. Third, ETSI cautions that excessive compliance costs could impede innovation, especially for small‑ and medium‑sized enterprises (SMEs) developing IoT and 5G solutions, and recommends a minimum two‑year transition period to mitigate disruption.

The implications extend beyond EU borders. A harmonised certification scheme could become a de‑facto global benchmark, encouraging non‑EU manufacturers to adopt EU‑aligned security standards to access the European market. Conversely, if the framework proves overly restrictive, firms may seek alternative markets or lobby for exemptions, fragmenting the global security landscape. ETSI’s advocacy for flexibility and cross‑border certificate recognition aims to preserve a competitive, innovation‑friendly environment while strengthening overall cyber resilience across the continent.