Decoding the world of cybersecurity

EU cyber package moves forward

EU telecoms ministers have advanced work on the Digital Networks Act and Cybersecurity Act 2, bringing infrastructure resilience, ENISA’s role, certification, ICT supply chain risk, and NIS2 simplification into scope.

EU cyber package moves forward
Summary
  • EU telecoms ministers broadly supported further work on the Digital Networks Act and Cybersecurity Act 2.
  • The measures bring infrastructure resilience, ENISA’s operational role, certification, ICT supply chain risk, and NIS2 simplification into the same policy track.
  • Member states still want clarification on national security, spectrum, implementation burden, and ENISA’s expanded responsibilities.

EU Council ministers have moved forward work on two measures that could reshape Europe’s approach to secure digital infrastructure, supplier risk, and cybersecurity coordination.

Meeting in Luxembourg on 9 June, telecommunications ministers reviewed progress on the proposed Digital Networks Act and the cybersecurity package, including the proposed Cybersecurity Act 2. Both initiatives sit within the EU’s “One Europe, One Market” roadmap, which is intended to reduce fragmentation across the single market while supporting investment in connectivity, resilience, and advanced digital networks.

The Digital Networks Act is aimed at strengthening the EU’s digital network infrastructure and supporting cross-border business, innovation, and investment. Ministers broadly supported its objectives, including stronger connectivity, competitiveness, resilience, and digital infrastructure security, while calling for more clarity around legal certainty, regulatory simplification, national market conditions, the move from copper to fibre networks, and spectrum management.

Running alongside that work, the cybersecurity package is more directly tied to operational resilience. It includes the Cybersecurity Act 2 proposal, which would strengthen the role of the European Union Agency for Cybersecurity, known as ENISA, streamline parts of the EU cybersecurity certification framework, address ICT supply chain risk, and simplify certain provisions of the NIS2 Directive. Ministers backed the broad direction but want further examination of ENISA’s expanded operational responsibilities.

The Council’s meeting record places network security, certification, procurement, supplier concentration, and operational cooperation within the same policy programme. That reflects the structure of European infrastructure, where telecoms networks, cloud services, data centres, managed service providers, identity platforms, and software vendors are increasingly interdependent.

A failure in one layer can create exposure across several sectors, including government, finance, energy, transport, and healthcare. The policy challenge is that the EU is trying to increase resilience while reducing regulatory friction, even as operators and vendors already face overlapping obligations under NIS2, the Cyber Resilience Act, the Digital Operational Resilience Act, telecoms security rules, and sector-specific regulation.

National security powers remain politically sensitive, particularly where network infrastructure and supplier restrictions are involved. Spectrum management is still a national competence, and member states do not all share the same market structure, investment capacity, or legacy network position. A simplified cybersecurity regime may be attractive in Brussels, but implementation will depend on operators and vendors that already manage complex compliance, assurance, and reporting duties.

ENISA’s role is also becoming a governance issue. The agency already supports certification, cooperation, and policy work, but a larger operational role would require clearer lines of responsibility between national cyber agencies, EU bodies, and regulated operators during cross-border incidents. That boundary is likely to be tested during major attacks on telecoms, cloud, energy, or public services, where coordination speed and legal authority are as important as technical capability.

The proposals now move into a phase where technical policy, national competence, and infrastructure economics will have to be reconciled. Secure connectivity is being treated less as a telecoms concern and more as an economic security, operational resilience, and supplier-risk issue at the centre of the single market.

×