On April 16, 2026, the European standards organization ETSI formally addressed the European Commission with a position paper advocating for modifications to the upcoming Cybersecurity Act 2 (CSA2). This proposed legislation aims to revise the existing EU cybersecurity certification framework and includes significant provisions that ETSI believes could hinder the development of robust cybersecurity standards in Europe.
The core issues highlighted in the position paper involve two main provisions: the proposed enhancement of ENISA’s role in developing technical specifications and a controversial clause in Article 100(4)(a) that would prohibit entities from countries identified as cybersecurity risks from participating in standardization efforts associated with Commission requests.
As one of three recognized European Standardization Organizations (ESOs) under EU law, ETSI has a membership base of over 900 organizations spanning 64 countries, which underscores its importance in the standard-setting landscape.
The “High-Risk Supplier” Exclusion
Under the CSA2 proposal, the European Commission plans to designate certain “high-risk suppliers” based on comprehensive EU-level security assessments, which include both technical and structural risks. Suppliers identified as high-risk would be barred from participating in the development, assessment, and consultation processes for cybersecurity standards created by ESOs, as outlined in Article 10(1) of Regulation (EU) No 1025/2012.
ETSI argues that contributions to European standardization should remain free from legal prohibitions established by Union acts. The organization references principles from the WTO Agreement on Technical Barriers to Trade, which emphasizes openness, consensus, and independence in the development of standards. Martin Chatel, Chief Policy Officer at ETSI, stated, “ETSI’s Directives allow for flexibility to address security needs case by case. The reforms initiated by the 2022 European Standardisation Strategy were designed to mitigate external influence while ensuring transparency and impartiality.” He warned that undermining these principles could jeopardize the collaborative nature and credibility of the standardization process.
The position paper draws parallels to past instances where similar restrictions were imposed, such as the U.S. Commerce Department’s Entity List, which limited specific companies' roles in 5G and telecommunications standardization. ANSI noted that the global relevance of standards hinges on their development process rather than the entities involved. ETSI fears a repeat of this scenario, where suppliers labeled as high-risk by the Commission could still contribute to international standardization efforts, diminishing Europe’s influence in these essential discussions.
ETSI advocates for a case-by-case assessment of any restrictions, emphasizing the need for coordination with ETSI and other ESOs to ensure that measures are proportionate and not codified as blanket legal restrictions in EU legislation.
ENISA’s Proposed Role in Drafting Specifications
Article 18 of the CSA2 empowers ENISA to draft technical specifications and guidance to support the implementation of EU legislation, alongside aiding standardization initiatives. While ETSI supports ENISA’s involvement in standardization efforts, it expresses concerns over the agency’s potential to draft technical specifications. ETSI maintains that ENISA’s role should be limited to advising on legal frameworks and providing technical guidance, as expanding its authority could create an inconsistent parallel standard-setting structure.
As a model for effective agency participation, ETSI points to its Technical Committee on Lawful Interception (TC LI), which unites governmental bodies, law enforcement, and industry stakeholders to develop standards that meet shared requirements. Chatel emphasized that ETSI's existing framework already combines transparency, efficiency, and global impact while maintaining necessary European safeguards.
Standards as a Policy Instrument
ETSI contextualizes its concerns within the broader EU standardization strategy. The 2022 EU Strategy on Standardization aims to mitigate strategic dependencies and prevent undue influence from non-European actors in cybersecurity standards while preserving openness and impartiality. Regulation (EU) No 2022/2480 subsequently granted EU and EEA National Standardization Bodies exclusive authority over critical decisions, including those regarding standardization requests from the Commission.
ETSI articulates its dual role in responding to market demands while developing standards that directly support EU legislation. The organization operates independently from other standardization bodies and does not adhere to an international-first approach. Its initiatives, such as the EN 303 645 standard for consumer IoT security and EN 304 223 for AI cybersecurity, have achieved international adoption following their European origins.
In conclusion, ETSI recommends enhanced coordination between the Commission and ETSI to uphold transparency, legitimacy, and trust within the European standardization system, thus avoiding any unintended negative impacts on innovation, competitiveness, and the global standing of European industry in standardization efforts.
Source: Help Net Security News