Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
This week, the European Commission presented its proposed revision of the Cybersecurity Act, as part of a cybersecurity package. It is meant to address a problem statement defined by an increasingly hostile threat landscape, slow implementation of the CSA certification scheme framework, complexity and diversity of cybersecurity rules, and increasing security risks of information and communication technology supply chains.
The European Commission is pursuing two objectives: bolstering cybersecurity governance, resilience and risk management across Europe, and increasing the uptake of common European instruments, such as certification schemes.
The general direction of travel is not surprising. While the CSA's implementation of the European Union Agency for Cybersecurity's mandate has gone relatively smoothly, putting into action the certification scheme framework it created has proven very challenging. During last year's public consultation, the Commission announced it would give "further consideration of how to address the challenge of nontechnical risk factors" in the cybersecurity certification process.
Fast forward to January 2026: the proposed CSA2 adopts what the Commission states is an unapologetic and necessary focus on European supply-chain security. It visibly reinforces the European stance toward nation-state cyber powers, channeling discussions among member states. Importantly, it proposes adopting a robust sovereignty approach, which could have very concrete governance implications for IAPP members.
Notably, the CSA2 would equip the European Commission with the power to designate a third country as posing a serious and structural non-technical risk to ICT supply chains. This would follow an assessment made by member states, with the risk then "verified" by the Commission itself against criteria including whether the third country imposes vulnerability disclosure requirements, harbors clearly identified malicious actors, lacks any independent or democratic control mechanisms to correct security concerns, and more.
This proposal is significant for various reasons. From a cybersecurity policy perspective, it raises the question of how the Commission's proposed ability to make such a designation would fit with the primary security and attribution powers, which remain a member state competence.
More directly to IAPP members' work, the mitigation measures against a designated country as proposed in the CSA2 could be far-reaching and have very direct compliance and governance implications. They include possible prohibitions on data transfers to the designated third country and on using certain service providers originating from that third country, and requirements to have personnel vetted by national regulators.
The general direction of travel of this proposal is not entirely surprising. As the CSA and, relatedly, the 5G toolbox were first being implemented, very long, difficult and at times antagonistic discussions ensued among member states, stakeholders, security researchers and cybersecurity agencies.
The general context may be more favorable to such a proposal at this time, but negotiations, particularly with member states, won't be smooth sailing. The challenge for the Commission may also come from within. Some of its proposals could raise questions of compatibility with trade rules. They may also raise concerns about retaliation and operational challenges among European industry stakeholders that operate internationally or partner with companies located in third countries that could be designated.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.