Computer & Communication Industry Association
PublishedJanuary 20, 2026

Cybersecurity Act: Focus on Security Standards Welcomed, But Industry Warns Against Exclusionary Amendments

Brussels, BELGIUM – The European Commission’s long-awaited revision of the EU Cybersecurity Act (CSA), presented today, is a welcome step towards harmonising technical security criteria across the European Union and securing Europe’s ICT supply chain. 

The Computer & Communications Industry Association (CCIA Europe) applauds the Commission’s decision to focus on technical security benchmarks and evidence-based certification, rather than introducing discriminatory ‘sovereignty’ restrictions.

By avoiding politically-motivated restrictions in cybersecurity certifications – which, for example, would have barred non-EU providers from high-level certification – the Commission signals its commitment to a competitive and open Digital Single Market.

However, CCIA Europe warns there is a real risk that EU Member States and Members of the European Parliament (MEPs) may attempt to introduce protectionist criteria during negotiations. 

Equally, the proposal leaves the definition of ‘high-risk countries’ broad. Clarifying this concept is essential to provide certainty and clarity for ICT vendors and customers. Metrics for high-risk status should be based on demonstrated, tangible, and objective factors; such as government interference, lack of effective judicial oversight, or the absence of security and law enforcement cooperation agreements. 

As the legislative process begins, EU co-legislators must ensure the CSA revision respects its original promise: the structural harmonisation of technical cybersecurity criteria. Geopolitical supply-chain risks should instead be addressed through dedicated forums, ensuring a clear distinction between high-risk countries and essential trade partners.

The following can be attributed to CCIA Europe’s Technology and Security Policy Manager, Mitchell Rutledge: 

“The Commission has taken the correct approach by anchoring the certification of digital services in technical, objective security criteria rather than bending to political intervention. The Cybersecurity Act has long needed a hard reboot that fixes fragmentation and delivers real-world certificates, not endless debate over blunt country-of-origin market exclusion.”

“We call on the EU institutions to continue to resist the protectionist urge to reinstate discriminatory restrictions that would harm the security of Europe’s digital ecosystem, instead providing a clear and predictable framework for how high-risk vendor assessments are conducted across Europe’s ICT supply chain.”

News

Digital Networks Act Opens Clear Path to Network Fees, Study Warns, as Parliament Risks Making It Worse

Brussels, BELGIUM – A new independent study launched today warns that the European Commission’s proposed Digital Networks Act (DNA) already opens two legal pathways to network fees.  The warni...
reading-tablet
  • Press Releases
    European Union
News

Matt Mandel Joins CCIA as Federal Affairs VP

Washington -- The Computer & Communications Industry Association is pleased to welcome Matt Mandel as Vice President for Federal Affairs. Mandel served as Vice President of Government Affairs at W...
reading-tablet
  • Press Releases
  • Federal Affairs
News

Supreme Court Opts not to Intervene and Block a Texas App Store Law that Likely Violates First Amendment

Washington – In response to an emergency request, the Supreme Court has decided not to intervene in an Appeals Court ruling allowing Texas to enforce its App Store law. The law requires people to sh...
reading-tablet
  • Press Releases
  • Privacy
News

CCIA Files Joint Brief on Internet Content and Federal Legal Protections

The Computer & Communications Industry Association, NetChoice, and the Electronic Frontier Foundation filed a joint amicus brief in Bogard v. Alphabet, asking an appeals court to affirm a lower co...
reading-tablet
  • Press Releases
  • Online Safety