The European Commission’s proposal to revise the Cybersecurity Act (CSA2) comes at the right moment, as Europe faces an evolving range of cyber threats. With its measures to reinforce ENISA and make harmonisation the key to a more resilient Single Market, the proposal brings the Act closer to the realities of today’s fast-moving cybersecurity ecosystem. 

However, the Commission’s proposal still fails to go far enough on providing a platform for more active industry engagement. It rightly formalises existing structures but falls short of creating mechanisms that allow for regular expert-level exchanges and meaningful industry feedback into the CSA2 framework, building on lessons learned from the past years. Such exchanges are essential, given industry’s role as a front-line defender against cyber threats. 

Now, as the file moves to the European Parliament and the Council of the EU, the co-legislators must ensure certification schemes under the CSA2 remain based on technical criteria. The EU’s cybersecurity needs should be a matter for sober, technical analysis. AmCham EU therefore supports the proposal's structural distinction between technical certification and non-technical supply chain risks. Maintaining this separation prevents restrictive requirements that limit choice, reduce competition and slow innovation. 

The same approach is necessary for the proposal’s provisions to secure critical infrastructure under the new ‘Trusted ICT Supply Chain Framework’ (Title IV). These measures must also be underpinned by an objective, evidence-based approach to ‘non-technical risks’. At the same time, measures involving restrictions on data transfers must be aligned with international agreements to avoid unintended disruptions to global operations. 

Ultimately, US companies share the EU’s commitment to securing the region’s digital resilience. AmCham EU members invest heavily in security and stand ready to support the delivery of a framework that keeps Europe open, secure and competitive.