EESC backs Cybersecurity Act 2 with safeguards for ENISA

The European Economic and Social Committee adopted an opinion endorsing the Commission’s proposals to revise the Cybersecurity Act (Cybersecurity Act 2) and to amend Directive (EU) 2022/2555 (NIS 2), while calling for strengthened resources, a mandatory workforce plan for ENISA and proportionate ICT supply‑chain transition planning.

• Main action: The EESC welcomes the Commission’s initiative (COM(2026)11 and COM(2026)13), adopted at plenary on 29/4/2026 (vote 193/0/0), and calls for: mandatory workforce plans for ENISA before assigning new tasks; adequate and sustainable financial resources (including supplementary resources and contribution agreements); and explicit procedural safeguards to ensure certification schemes are practical and interoperable.
• Background and concrete amendments: The EESC proposed concrete text additions including Article 7 bis (cybersecurity awareness and democratic resilience) and Article 103 bis (mandatory transition plans for supply‑chain mitigation). The amendment to Article 103 bis specifies required elements such as asset inventories and dependency mapping, realistic replacement timelines, and safeguards to ensure continuity of services; it also emphasises systematic involvement of industry, SMEs, social partners and civil society. The opinion also flags the Commission’s proposal that part of ENISA’s budget would be self-funded via fees for certification and skills attestation, and cautions this may not match actual uptake.