EDPB and EDPS support strengthening EU’s cybersecurity and easing compliance while protecting individuals’ personal data

Mar

2026

EDPB and EDPS support strengthening EU’s cybersecurity and easing compliance while protecting individuals’ personal data

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s proposal for a Cybersecurity Act 2 (CSA2) and the proposal on amendments to the Network and Information Security 2 (NIS2) Directive.

On 20 January 2026, the Commission published a cybersecurity package proposal to further strengthen cybersecurity in Europe while making compliance with cybersecurity laws easier for organisations. In their joint opinion, issued at the request of the Commission*, the EDPB and the EDPS address the proposed revision of the CSA and the targeted amendments to the NIS2 Directive.

“The relationship between data protection and cybersecurity is reciprocal and deeply interconnected. While cybersecurity supports the protection of personal data by limiting the risks of unwanted access, modification or unavailability of data, it is crucial to ensure that security controls are implemented in a way that does not undermine individuals’ fundamental rights and freedoms.”
EDPB Chair Anu Talus

“While maximizing the effectiveness of cybersecurity measures is vital, we must ensure that the processing of personal data remains limited to what is strictly necessary. We welcome the reinforced role of ENISA to promote digital resilience; our hope is that this new mandate fosters the synergies needed to create a robust ecosystem where security and privacy go hand in hand.”
European Data Protection Supervisor Wojciech Wiewiórowski

Regarding the Proposal for the CSA2, the EDPB and the EDPS support the general objective to strengthen the role of the European Union Agency for Cybersecurity (ENISA) and to facilitate uptake of cybersecurity certification, as well as the objective to further address the various risks to ICT supply chains, including non-technical ones.

The proposal to provide further clarification on the way ENISA gives support to different stakeholders is well received. The EDPB and the EDPS specifically welcome that ENISA’s advice would be issued upon a prior request from the EDPB, thus ensuring a clear coordination and a clear division of responsibilities. They also suggest adding the EDPS as a possible requestor of advice from ENISA.

In the joint opinion, the EDPB and the EDPS recall that in case the Management Board of ENISA decides to adopt additional measures necessary for the application of the EU Data Protection Regulation, such decisions should be limited to very technical (practical) details related to the processing of personal data. The Proposal should also provide for a prior consultation with the EDPS before adoption of such rules.

The joint opinion welcomes the synergies that might arise from the cooperation between ENISA and other EU institutions and bodies, and also recommends adding an explicit reference to the EDPS as an EU body with which ENISA would cooperate.

While the objective of facilitating uptake of cybersecurity certification is welcome, the scope of the European Cybersecurity Certification Framework and its relationship with GDPR certification should be further clarified. To ensure consistency, ENISA should consult with the EDPB before adopting a certification scheme relating to the security of processing of personal data. Furthermore, certification schemes for products, services and processes that are likely to be used in data processing operations, should take into account security controls that can help to demonstrate the fulfilment of GDPR requirements, to the extent possible.

The EDPB and the EDPS recommend that the European Cybersecurity Skills Framework is not only limited to cybersecurity professionals, but also includes a general workforce profile.

In line with the recent EDPB-EDPS joint opinion on the Digital Omnibus Regulation Proposal, the EDPB and EDPS express their support for the establishment of a single-entry point for the notification of personal data breaches, as it would reduce the administrative burden for notifying organisations without affecting the level of protection for individuals.

Regarding the proposed amendments to the NIS2 Directive, the EDPB and the EDPS welcome the designation of European Digital Identity Wallets and European Business Wallets providers as 'essential entities'.

Note to editors:

* On 21 January 2026, the Commission formally consulted the EDPB and the EDPS and requested a joint opinion on the European Commission’s proposal for a CSA2 and the proposal on amendments to the NIS2 Directive in accordance with Art. 42(2) of Regulation (EU) 2018/1725.

Langues disponibles: anglais

Topics

Information Security

Cybersecurity

+ Voir plus d'actualités

Actualités

EDPB-EDPS Joint Opinion on the Proposal for a Cybersecurity Act 2 and the Proposal on amendments to the NIS 2 Directive

19 mars 2026

On 18 March 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on the European Commission’s proposal for a Cybersecurity Act 2 (CSA2) and the proposal on amendments to the Network and Information Security 2 (NIS2) Directive. The EDPB and the EDPS support strengthening EU’s cybersecurity and easing compliance while protecting individuals’ personal data.

Read the press release

Read the joint opinion

Towards trustworthy AI in the EU public administration: The EDPS Compass for its new role under the AI Act

17 mars 2026

Under the AI Act (Regulation (EU) 2024/1689), the European Data Protection Supervisor is now a market surveillance authority for AI systems used by EU institutions and a notified body for high-risk AI assessments.

The EDPS has already launched its AI Preparedness Strategy in May 2024 and established an AI Unit. Our latest document outlines:

New tasks and strategic vision under the AI Act;
Operational approach to supervising AI systems;
Four strategic pillars guiding its role as both regulator and assessor.

This move aims to ensure safe, compliant, and human-centric AI across EU bodies.

Read the Compass

Latest EDPS Newsletter out now

17 mars 2026

After a very busy start to 2026 indeed, we have a bumper newsletter for you.

Catch up on everything from our joint opinions issued with the European Data Protection Board, new rules to protect the independence of EU data protection officers, blog posts from the Supervisor on a range of topics, a look back at some big events, and more!

Read on

+ Voir tout l'agenda

Agenda

25 mars 2026

Wojciech Wiewiórowski meeting with Ambassador Jan Braathu, OSCE Representative on Freedom of the Media, Brussels, Belgium

20 mars 2026

6th meeting of the High-level Group for the Digital Markets Act, Participation by Wojciech Wiewiórowski, Brussels, Belgium

20 mars 2026

AI Board Meeting, Participation by Wojciech Wiewiórowski, Brussels, Belgium

18 mars 2026

Ad-hoc plenary of the European Data Protection Board, Participation by Wojciech Wiewiórowski (online), Brussels, Belgium

17 mars 2026

Leonardo Cervera Navas meeting with Ms Cecilia Alvarez, EMEA Privacy Policy Director at Meta, Brussels, Belgium (Transparency Registry ref. 28666427835-74)

Agenda: Exchange of views on recent developments in the field of AI and data protection

Meeting minutes