Cybersecurity is a precondition for sovereignty: the Cybersecurity Act revision is on the right path but needs more ambition
- The CSA 2.0 proposal makes progress on supply chain security and simplification, introducing EU-level risk assessments and reducing the compliance burden for SMEs under NIS2 and the Cyber Resilience Act.
- However, cybersecurity certification remains confined to technical criteria, following the separation of certification from non-technical risk assessment after years of EUCS deadlock.
- This disconnect leaves European digital SMEs without a way to compete on trust and sovereignty credentials, even as customers and regulators increasingly assess technical security, dependency, and control together.
The revision of the Cybersecurity Act (CSA) marks a shift in how the EU approaches cybersecurity: no longer as a purely technical issue, but as a strategic aspect of sovereignty, trust, and control over critical digital infrastructure.
With the revised Network and Information System Directive (NIS2), the Cyber Resilience Act (CRA), and sectoral rules entering into force, the Commission’s proposal acknowledges both the need to simplify compliance for companies, and especially SMEs, and the need to address non-technical risks in supply chains.
The CSA revision seeks to address these challenges, particularly by focusing on simplification, coherence, and usability, while introducing a more strategic approach to supply chain security.
Turning certification into a compliance tool
One of the most relevant shifts in the revision is the repositioning of cybersecurity certification as a compliance-enabling mechanism rather than a purely voluntary market instrument. By highlighting the link between certification schemes and EU legislation, the proposal allows certification to support presumption of conformity with requirements under NIS2 and the CRA.
This can help companies to:
- Rely on standards-based certification to demonstrate compliance across multiple legal acts;
- Reduce repeated audits, surveys, and documentation requests;
- Use one recognised framework instead of parallel compliance processes.
The introduction of entity-level certification, starting with NIS2 entities, supports this approach by allowing companies to demonstrate their overall cybersecurity posture in a single exercise rather than product by product.
A more coherent approach to ICT supply chain security
The CSA revision also introduces a horizontal EU-level framework for ICT supply chain security. The proposal moves beyond fragmented national approaches by establishing common risk assessment criteria, coordinated at EU level and covering both technical and non-technical risks.
For European tech SMEs, this is a significant step forward: EU-level risk assessments can reduce fragmentation, increase predictability, and allow trusted European providers to compete across borders without being subject to shifting national security approaches.
By enabling EU-level risk assessments and coordinated identification of high-risk suppliers, the CSA revision has the potential to strengthen Europe’s ability to manage technological dependencies in a more coherent and predictable way, reinforcing tech sovereignty overall, while providing clearer conditions for European ICT companies to compete as trusted suppliers across the Single Market.
Why this matters for digital SMEs
For digital SMEs, the CSA revision directly affects how they are assessed as suppliers in increasingly strategic and geopolitically sensitive markets. In these markets, supply chain security is increasingly shaped by questions of dependency, trust, and control over critical digital infrastructure.
For digital SMEs, the CSA revision can:
- Reduce compliance duplication through presumption of conformity and standards-based certification pathways;
- Simplify how cybersecurity maturity is shown via entity-level certification;
- Lower operational pressure during incidents through single-entry reporting;
- Create clearer, EU-level expectations for SMEs operating as ICT suppliers across borders.
As outlined in the DIGITAL SME NIS2 Guide on how to become a reliable supplier of critical entities, being a trusted provider increasingly requires the ability to demonstrate a consistent and credible cybersecurity posture in an environment shaped by regulatory, market and geopolitical considerations.
The missing link: cybersecurity and sovereignty
At the same time, the revision makes a deliberate choice to keep cybersecurity certification focused primarily on technical security criteria, even though supply chain provisions explicitly address non-technical and dependency-related risks.
This creates a potential disconnect, especially for digital SMEs operating in strategic markets:
- Customers increasingly assess trust, resilience, and dependencies together.
- Certification schemes cannot yet reflect these broader dimensions.
- Differentiation of trusted European providers on these criteria remains limited.
Technological dependence and security risks cannot be addressed in silos and should, instead, be connected through a single, integrated tool.
After years of deadlock on integrating non-technical risk considerations into EU cybersecurity schemes, most visibly in the scheme for cybersecurity of cloud services (EUCS), the Commission opted to separate certification from supply chain risks.
This choice creates a structural gap. While supply chain rules now reflect considerations of sovereignty, dependency, and strategic risk, certification remains confined to technical criteria. For tech SMEs, this means there will still be no EU-level tool that allows them to differentiate themselves from competitors on the sovereignty credentials that increasingly matter to customers.
Looking ahead, the success of the CSA revision will depend on whether Europe can bridge the gap between how risk is assessed and how sovereignty and trust are demonstrated. DIGITAL SME remains committed to closing this gap, including through initiatives such as the Tech Sovereignty Catalogue.
If Europe wants to reduce technological dependencies and enable its tech companies to compete as trusted and sovereign providers, the certification framework will eventually need to reflect these dimensions. It will also be key to ensure that simplification mechanisms remain genuinely usable for SMEs in practice.

