European Commission Evaluates ENISA and Cybersecurity Certification Framework, Proposes Operational Focus and Resource Alignment Enhancements

The European Commission aims to sharpen the European Union's cybersecurity edge by evaluating the performance and effectiveness of key cybersecurity bodies—primarily the European Union Agency for Cybersecurity (ENISA) and the European Cybersecurity Certification Framework (ECCF). This initiative promises ripples across numerous stakeholders including EU institutions, national authorities, ICT industry players, and cybersecurity professionals, who will scrutinize the Commission's insights for fresh regulatory rigor or resource realignment.

Published on January 20, 2026, by the Directorate-General for Communications Networks, Content and Technology (CNECT), the report complies with Article 67 of the Cybersecurity Act (Regulation EU 2019/881). It assesses ENISA’s expanded mandate and the ECCF’s harmonization goal between 2017 and 2023, capturing performance against effectiveness, efficiency, relevance, and EU added value.

This document is an evaluative report, not binding legislation, but it contains detailed assessments and points to specific actionable areas such as improved task prioritization, resource scalability, and stakeholder engagement strategies. It also supports the legislative package amending the Cybersecurity Act, lending weight to future regulatory changes.

The report reveals a key policy orientation favoring a stronger operational focus for ENISA coupled with strategic resource deployment. It indicates a trade-off favoring enhancement of EU-wide certification harmonization (through the ECCF) over less formal, decentralized national approaches, thereby reinforcing EU regulatory influence over cybersecurity standards. The report highlights persistent challenges including resource constraints, recruitment difficulties in IT specialists, and the need for better coordination with Member States.

Stakeholders affected include EU cybersecurity agencies, which may gain clearer mandates and resource scaling; national authorities, facing coordination pressures; ICT industry sectors, particularly those involved in digital product certification, which could encounter more streamlined yet demanding certification protocols; and cybersecurity consumers (businesses and citizens), who stand to benefit from improved market trust and product security but may also bear transitional compliance costs.

Institutionally, this report marks a midpoint evaluation in an ongoing process that may lead to legislative updates. The European Parliament and Council are expected to react next, potentially adopting proposals to refine ENISA’s operational framework and boost ECCF uptake, shaping the EU’s cybersecurity landscape for years to come.

← Atlas › News › Digital & Communication