What “Act 2” Would Mean in Practice
Europe’s policy direction is clear: fewer silos, more enforceable trust. Conversations about an expanded EU cyber framework—call it a next-phase update to the Cybersecurity Act paired with targeted tweaks to NIS2—aim to reduce overlap, strengthen certification, and make supply-chain assurance less performative and more measurable. Whether or not the final package matches the rhetoric, the vector is unmistakable.
Certification that actually ships
The current certification landscape (EUCC for ICT products, EUCS for cloud services, EU5G, sector schemes) has matured slowly. A stronger mandate would push common requirements, faster scheme finalisation, and clearer paths from “substantial” to “high” assurance. For operators, that means procurement can reference a European baseline rather than a patchwork of national labels. For vendors, it means building once against a published profile instead of maintaining a matrix of one-off demands.
ENISA’s centre of gravity
An upgraded role for ENISA would focus on three areas: scheme stewardship, threat-landscape intelligence aligned to NIS2 sectors, and incident-reporting harmonisation. Expect tighter coupling between certification and operational expectations: telemetry, SBOM/VDR (vulnerability disclosure) processes, secure update mechanisms, and crypto-agility plans become not just “nice to have” annexes but pass/fail criteria.
Supply chain: from promises to proofs
The next phase will privilege verifiable artefacts over policy statements. Think signed SBOMs tied to build provenance, reproducible builds for critical components, continuous vulnerability intelligence mapped to exploitability, and service attestations that reference independent schemes. The practical impact: procurement templates get shorter but sharper; due-diligence moves from PDF questionnaires to machine-readable proofs your SOC can ingest.
This shift also aligns with a broader industrial narrative emerging from the European Commission around “EU Inc” and strategic autonomy. While the language remains cautious, the direction is clear: Europe wants to reduce structural dependence on non-EU technology in critical digital infrastructure. In practice, this will not look like outright bans, but like market shaping through certification, assurance schemes, and trusted-supplier definitions. Cybersecurity policy is becoming industrial policy by other means.
Interlock with identity and trust services
Europe already anchors legal trust through qualified trust services and the eIDAS trust-list fabric overseen by the European Commission. A modernised cyber framework will increasingly expect signatures, seals, timestamps, and status on operational evidence: software releases, audit logs, incident notices, and cross-border regulator exchanges. Certification and trust services are not parallel universes; they are becoming the same conversation.
What vendors and operators should do now
Map certifications to products: decide which lines will pursue EUCC/EUCS at which assurance levels; publish timelines customers can buy against.
Harden the delivery pipeline: provenance, signing, update and rollback, tied to measurable SLAs.
Operational proofs: design telemetry exports and attestations you can hand to customers and regulators without redaction theatre.
Crypto-agility plan: show how you will add composite/PQC without re-architecting.
Contract for evidence: move from “best efforts” to “specific artefacts, frequency, and format.”
The TQS Takeaway
Europe is steering toward fewer checklists and more proofs. If you can automate the production of trustworthy artefacts, you will sell faster and sleep better.