MEP José Cepeda (S&D) has asked the European Commission to recognise mobile phones as critical endpoints for cybersecurity and digital resilience, warning that current EU rules leave citizens, businesses and administrations without clear minimum security standards for devices that access essential public services and hold sensitive data.
In a written parliamentary question submitted on 15 June 2026, Cepeda notes that while frameworks such as the NIS2 directive, DORA and the Cyber Resilience Act strengthen risk management and product security, mobile phones appear only indirectly in the regulatory ecosystem. He calls for three concrete actions: a dedicated ENISA guide on mobile endpoint protection covering risk management, updates, encryption, authentication, applications and BYOD policies; assurance that the Cyber Resilience Act review adequately addresses risks from mobile phones, operating systems, pre-installed apps and update cycles; and common guidelines from the Commission, ENISA, the European Data Protection Supervisor and the European Data Protection Board to reconcile mobile cybersecurity with data protection and users' rights.
The question reflects growing concern among MEPs that mobile devices — used for e-government, digital credentials, biometric profiles and corporate systems — are not explicitly treated as critical endpoints under EU law. Cepeda's requests are concrete: a dedicated ENISA guide, a specific review of the Cyber Resilience Act's mobile coverage, and cross-agency guidelines. The Commission is expected to reply within six weeks, and its answer will signal whether it plans to elevate mobile devices to the same regulatory status as other critical digital infrastructure.
EU citizens would benefit from clearer security baselines for their devices, reducing risks of data breaches and identity theft. Mobile device manufacturers and operating system providers would face new compliance requirements if the Commission follows through, potentially increasing costs but also creating a level playing field. EU businesses and public administrations that rely on mobile access to critical services would gain greater assurance about endpoint security. EU regulatory bodies (ENISA, EDPS, EDPB) would be tasked with developing and updating guidance, requiring additional resources.