Brussels, 19 March 2026 – The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s proposal for a Cybersecurity Act 2 (CSA2) and the proposal on amendments to the Network and Information Security 2 (NIS2) Directive.

On 20 January 2026, the Commission published a cybersecurity package proposal to further strengthen cybersecurity in Europe while making compliance with cybersecurity laws easier for organisations. In their joint opinion, issued at the request of the Commission*, the EDPB and the EDPS address the proposed revision of the CSA and the targeted amendments to the NIS2 Directive.

“The relationship between data protection and cybersecurity is reciprocal and deeply interconnected. While cybersecurity supports the protection of personal data by limiting the risks of unwanted access, modification or unavailability of data, it is crucial to ensure that security controls are implemented in a way that does not undermine individuals’ fundamental rights and freedoms.”

EDPB Chair Anu Talus

“While maximizing the effectiveness of cybersecurity measures is vital, we must ensure that the processing of personal data remains limited to what is strictly necessary. We welcome the reinforced role of ENISA to promote digital resilience; our hope is that this new mandate fosters the synergies needed to create a robust ecosystem where security and privacy go hand in hand.”

European Data Protection Supervisor, Wojciech Wiewiórowski

Regarding the Proposal for the CSA2, the EDPB and the EDPS support the general objective to strengthen the role of the European Union Agency for Cybersecurity (ENISA) and to facilitate uptake of cybersecurity certification, as well as the objective to further address the various risks to ICT supply chains, including non-technical ones.

The proposal to provide further clarification on the way ENISA gives support to different stakeholders is well received. The EDPB and the EDPS specifically welcome that ENISA’s advice would be issued upon a prior request from the EDPB, thus ensuring a clear coordination and a clear division of responsibilities. They also suggest adding the EDPS as a possible requestor of advice from ENISA.

In the joint opinion, the EDPB and the EDPS recall that in case the Management Board of ENISA decides to adopt additional measures necessary for the application of the EU Data Protection Regulation, such decisions should be limited to very technical (practical) details related to the processing of personal data. The Proposal should also provide for a prior consultation with the EDPS before adoption of such rules.

The joint opinion welcomes the synergies that might arise from the cooperation between ENISA and other EU institutions and bodies, and also recommends adding an explicit reference to the EDPS as an EU body with which ENISA would cooperate.

While the objective of facilitating uptake of cybersecurity certification is welcome, the scope of the European Cybersecurity Certification Framework and its relationship with GDPR certification should be further clarified. To ensure consistency, ENISA should consult with the EDPB before adopting a certification scheme relating to the security of processing of personal data. Furthermore, certification schemes for products, services and processes that are likely to be used in data processing operations, should take into account security controls that can help to demonstrate the fulfilment of GDPR requirements, to the extent possible.

The EDPB and the EDPS recommend that the European Cybersecurity Skills Framework is not only limited to cybersecurity professionals, but also includes a general workforce profile.

In line with the recent EDPB-EDPS joint opinion on the Digital Omnibus Regulation Proposal, the EDPB and EDPS express their support for the establishment of a single-entry point for the notification of personal data breaches, as it would reduce the administrative burden for notifying organisations without affecting the level of protection for individuals.

Regarding the proposed amendments to the NIS2 Directive, the EDPB and the EDPS welcome the designation of European Digital Identity Wallets and European Business Wallets providers as 'essential entities'.

Note to editors:
* On 21 January 2026, the Commission formally consulted the EDPB and the EDPS and requested a joint opinion on the European Commission’s proposal for a CSA2 and the proposal on amendments to the NIS2 Directive in accordance with Art. 42(2) of Regulation (EU) 2018/1725.