
EU cybersecurity standards are at risk if supplier ban passes

Apr 17, 2026  Twila Rosenbaum

On April 16, 2026, the European standards body ETSI submitted a formal position paper to the European Commission, urging modifications to the proposed Cybersecurity Act 2 (CSA2), which aims to revise the EU's existing cybersecurity certification framework.

The document highlights two critical provisions: the expansion of ENISA’s role in developing technical specifications and a specific clause in Article 100(4)(a) that would prevent entities from certain countries, deemed as having cybersecurity concerns, from engaging in European standardization processes linked to Commission requests.

ETSI, one of three recognized European Standardization Organizations (ESOs), consists of over 900 members from 64 countries.

The “High-Risk Supplier” Exclusion

The CSA2 proposal includes the designation of “high-risk suppliers” by the European Commission based on comprehensive EU-level security risk assessments, which would include not just technical but also non-technical risks. Suppliers identified as high-risk would be barred from participating in the development, assessment, consultation, and decision-making processes regarding cybersecurity standards crafted by ESOs under Article 10(1) of Regulation (EU) No 1025/2012.

ETSI argues that contributions to European standardization should remain free from prohibitions established by Union legal frameworks. The organization references the WTO Agreement on Technical Barriers to Trade principles, which mandates openness, consensus, and independence from special interests in the standardization process.

Martin Chatel, Chief Policy Officer at ETSI, emphasized that the organization’s directives afford the flexibility to address security needs on a case-by-case basis. The 2022 European Standardisation Strategy and its governance reforms aim to mitigate undue external influence, thereby preserving principles of openness, transparency, inclusivity, impartiality, and independence. He stated that undermining these principles could jeopardize the functionality, collaborative spirit, and credibility of the standardization system.

ETSI’s concerns echo a previous situation from 2019, when the U.S. Commerce Department's Entity List restricted certain companies from participating in 5G and telecommunications standardization. ANSI noted that the global relevance of a standard depends more on the development process than on the entities involved. NIST remarked that standardization should foster collaboration among companies from the U.S., EU, and China in a voluntary, industry-led context where market forces and superior technical contributions prevail. Eventually, the Bureau of Industry and Security relaxed these restrictions.

ETSI warns that a similar scenario may unfold within the ITU, ISO, and IEC, where suppliers deemed “high-risk” by the Commission might still be able to influence international standards. A supplier excluded from European standardization might continue to shape the global versions of those standards, consequently diminishing the EU's influence in international forums.

ETSI advocates for any restrictions to be evaluated on an individual basis, coordinated with ETSI and other ESOs, and applied proportionately, rather than established as a blanket rule in EU legislation.

ENISA’s Proposed Role in Drafting Specifications

Article 18 of the CSA2 proposes granting ENISA the authority to draft technical specifications and guidance to aid the implementation of Union legislation, alongside its contributions to standardization activities and assistance to the Commission in evaluating harmonized standards.

While ETSI supports ENISA’s involvement in standardization and an expanded advisory role, it raises concerns specifically regarding the drafting authority. ETSI believes that ENISA’s role should be confined to advising on the legal framework and providing technical guidance. Allowing ENISA to draft specifications may lead to an inconsistent parallel standard-setting structure that deviates from the existing legal framework, where drafting responsibilities are assigned to bodies governed by private law, with the Commission overseeing the process.

As a benchmark for appropriate agency participation, ETSI points to its Technical Committee on Lawful Interception (TC LI), which unites governments, law enforcement, mobile network operators, and vendors to create standards addressing common requirements. Chatel noted that ETSI’s structure already provides a balanced approach that combines openness, efficiency, global impact, and European safeguards, which is vital for Europe to maintain and enhance in the current geopolitical landscape.

Standards as a Policy Instrument

ETSI's paper contextualizes the argument within Europe’s wider standardization strategy. The 2022 EU Strategy on Standardization aims to minimize strategic dependencies and prevent undue influence from non-European actors in the cybersecurity standardization realm, while still upholding principles of openness and impartiality. Regulation (EU) No 2022/2480 subsequently allocated exclusive authority to EU/EEA National Standardization Bodies over specific decisions, including the adoption of Commission standardization requests and the final approval of harmonized standards.

ETSI views its role as fulfilling two complementary functions: addressing market demands from its members and developing standards in direct support of EU legislation. The organization operates independently from other standardization bodies and is not constrained by an “international-first” approach. Standards originating from ETSI, including EN 303 645 for consumer IoT security and EN 304 223 for cybersecurity in AI systems, have gained international adoption after their inception in European processes.

The position paper concludes by advocating for enhanced coordination between the Commission and ETSI to maintain transparency, legitimacy, and trust within the European standardization system, and to avert unintended adverse effects on innovation, competitiveness, and the standing of European industry in the global standardization arena.


Source: Help Net Security News

