The European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) recently published their Joint Opinion 4/2026 (the “Opinion”) on the European Commission’s proposal for a Cybersecurity Act 2 and proposal for targeted amendments to the NIS 2 Directive (together, the “Proposals”) (previously discussed here).
The EDPB and EDPS generally support and welcome the Proposals. However, the Opinion acknowledges that the relationship between data protection and cybersecurity is “double-sided”. On the one hand, cybersecurity serves the protection of personal data by limiting the risks of unwanted access, modification or unavailability of that data. On the other hand, some cybersecurity measures can interfere with individuals’ rights and freedoms, in particular the rights to privacy and data protection. The Opinion emphasises the need to balance the effectiveness of cybersecurity measures against what is necessary and proportionate, having regard to the impact on fundamental rights and the processing of personal data. As such, the Opinion sets out several recommendations on certain aspects of the Proposals from a data protection perspective.
ENISA role and cooperation with EU bodies
Firstly, the Opinion welcomes the proposal for a Cybersecurity Act 2 (“CSA2”) (via a new Regulation) to replace the existing Cybersecurity Act 2019, and generally supports the strengthened role of the EU Agency for Cybersecurity (“ENISA”). It appreciates the clarification under the new Article 5(1)(h) of the CSA2 that the EDPB, as an EU body, can directly request advice from ENISA, noting that the requirement for a prior request before the provision of advice ensures clear coordination and division of responsibilities. However, it recommends that the EDPS be added as a possible requestor of ENISA’s advice in the new Article 5(1)(h), in view of the EDPS’s role as supervisory authority for personal data processing by European Union institutions, bodies and agencies. Similarly, the Opinion recommends revising the new Article 68(1) of the CSA2 to explicitly state that the EDPS is among the EU bodies with which ENISA will cooperate.
Taking into consideration the authority of ENISA’s Management Board to adopt additional measures necessary for the application of the EU institutions’ data protection framework, the Opinion recommends that any such decision should be limited to technical / practical details in relation to the processing of personal data, and that the EDPS should be consulted before adoption.
The Opinion notes that the European Commission confirmed that there is no intention for ENISA to be mandated or authorised by CSA2 to carry out large-scale processing of personal data in its role as a central hub for operational cooperation. However, it recommends that clarity should be added by way of recital to confirm that the aim is for ENISA to collect and process mainly aggregated non-personal data.
Additionally, the Opinion welcomes the proposed security measures under CSA2 aimed at ensuring a trusted ICT supply chain framework and addressing non-technical risks in high criticality sectors, stating that they may also have a beneficial impact on data protection considerations.
Single Entry Point for Incident Reporting
According to Article 15 of the CSA2 proposal, ENISA must establish, provide, operate, maintain and update as necessary, among others, the single reporting platform established pursuant to Article 16(1) of the Cyber Resilience Act (Regulation (EU) 2024/2847) and the single-entry point for incident reporting established pursuant to Article 23a of NIS 2. These tools aim to simplify the different reporting obligations related to cybersecurity.
Building on their Joint Opinion on the Digital Omnibus proposal (previously discussed here), the EDPB and EDPS highlight their strong support for the establishment of a single-entry point for the notification of personal data breaches, as it would reduce the administrative burden for organisations without affecting the level of protection for data subjects. The EDPB and the EDPS also recall the importance of ensuring the security of the notifications submitted to and transmitted through the single-entry point, as data breach notifications often include sensitive information.
European Cybersecurity Certification Framework
The Opinion notes that there may be synergies between the European Cybersecurity Certification Framework as provided for in the Cybersecurity Act 2019 (to be amended by CSA2) and the data protection certification mechanism under the GDPR. It recommends that the CSA2 provide further legal certainty on the scope of the CSA2 certification and its relationship to the GDPR certification, and that the EDPB be consulted before adopting the certification scheme to ensure consistency.
The Opinion highlights the need to consider not only the effectiveness of cybersecurity measures, but also their necessity and proportionality. The EDPB and the EDPS recommend clarifying that certification schemes should, to the extent possible, take into account security controls that can help to demonstrate the fulfilment of GDPR requirements, in particular where the schemes apply to ICT products, ICT services, ICT processes and managed security services that are likely to be used in data processing operations.
European Cybersecurity Skills Framework (“ECSF”)
Article 19 of the CSA2 proposal would require that ENISA develops and makes publicly available the ECSF. The ECSF would help ensure that cybersecurity professionals, employers, training providers, and public authorities across Member States use a shared understanding of what specific cybersecurity jobs require.
The Opinion welcomes the objective of strengthening the EU cybersecurity workforce, subject to certain recommendations. In particular, the ECSF is currently limited to ‘cybersecurity professionals’, and does not include a profile of necessary skills for citizens, civil servants, or non-specialised members of the workforce. The Opinion therefore recommends that Article 19(2) of the CSA2 be extended, so that the general workforce is given the opportunity to develop its cybersecurity skills and digital literacy.
In addition, the EDPB and the EDPS consider that it is necessary for the professional profiles of the ECSF to integrate a module on the need to ensure compliance of cybersecurity measures with EU data protection law, in particular regarding the practical implementation of the principle of data protection by design and by default (Article 25 GDPR).
Targeted amendments to NIS 2 Directive
The Opinion also considers certain targeted proposed amendments to the NIS 2 Directive. In noting that digital wallets are a core component of the EU digital infrastructure, the EDPB and EDPS confirm their support of the designation of European Digital Identity Wallets and European Business Wallets providers as ‘essential entities’, regardless of size.
The NIS 2 proposal includes the possibility that CSIRTs may request certain information from entities regarding ransomware incidents, including whether an entity has paid a ransom, and if so, what amount and to whom (e.g., crypto-assets / service providers). The EDPB and the EDPS note that the information to be shared regarding ransomware attacks could be of a potentially sensitive nature. Moreover, such sharing may entail the processing of personal data. Accordingly, they recommend that any implementing acts adopted by the European Commission should specify the applicable data protection safeguards.
The Opinion also welcomes the objective to establish mechanisms and conditions in NIS 2 to help facilitate compliance with cybersecurity requirements, and in that way make their implementation more coherent and effective, as well as the objective to further address the various risks to ICT supply chains, including the non-technical ones.
Commentary
Over the next year, the proposals are expected to undergo further scrutiny and negotiation. It remains to be seen whether EU co-legislators will incorporate the recommendations provided by the EDPB and EDPS. We will continue to monitor the developments in this space and will issue further updates as they become available.
Contact Us
Matheson’s Technology and Innovation Group are available to guide you through the proposed reforms set out in the Proposals, and related legislation. For more information, please contact Marie McGinley, Davinia Brennan and Sarah Jayne Hanna.
