EU Cybersecurity Proposals Pose Significant Risks for Ireland and Irish Businesses – Digital Business Ireland

The EU’s upcoming Cybersecurity Act revision, commonly referred to as CSA2, reflects a growing trend toward centralized digital security governance. While the intention is to create a uniform baseline for cyber resilience, the proposal’s lack of technical specificity raises red flags for jurisdictions like Ireland that already maintain robust, sector‑specific frameworks. By allowing the European Commission to unilaterally label entire third‑country supply chains as high‑risk, the legislation could impose sweeping bans that ignore nuanced risk assessments, potentially stifling innovation and cross‑border trade.

For Irish businesses, especially small and medium‑sized enterprises, the ramifications are tangible. A blanket high‑risk designation could force companies to replace critical hardware or software components sourced from non‑EU vendors, inflating costs and delaying projects across energy, health, transport and financial services. Moreover, the centralised enforcement model diminishes the ability of national regulators to tailor measures to local threat landscapes, risking a mismatch between regulatory intent and operational reality. DBI’s call for objective, risk‑based criteria underscores the need for proportionality in any security mandate.

Policymakers must weigh the security benefits of a harmonised EU approach against the economic friction it may generate. A calibrated amendment—preserving national discretion, mandating transparent risk assessments, and limiting blanket supplier bans—could safeguard Ireland’s digital competitiveness while still advancing collective cyber defence. As the EU finalises CSA2, the dialogue between Brussels and Dublin will serve as a litmus test for how Europe reconciles security imperatives with the diverse needs of its member economies.