EDPB-EDPS Joint Opinion on the Proposal for a Cybersecurity Act 2 and the Proposal on amendments to the NIS 2 Directive

The European Data Protection Board and European Data Protection Supervisor have issued a joint opinion on two legislative proposals: the Cybersecurity Act 2 and amendments to the NIS 2 Directive. This opinion highlights the need for stronger alignment between cybersecurity and data protection frameworks, specifically advocating for the integration of data protection by design and by default principles into the new cybersecurity certification schemes.

The opinion is primarily relevant to entities already in scope of the NIS 2 Directive, including essential and important entities across sectors like energy, transport, banking, and digital infrastructure. It will also directly impact future manufacturers and providers of ICT products, services, and processes seeking EU cybersecurity certification.

Compliance teams in affected sectors should monitor the legislative progress of these proposals closely. They should begin proactive gap analyses to assess how enhanced certification requirements and potential new obligations for incident reporting and vulnerability handling could impact their operations. Engaging with internal cybersecurity and product development teams now will be crucial for future readiness.