On 18 March 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on the Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (The Cybersecurity Act 2). The EDPB and EDPS recommend that ENISA consult the EDPS prior to adopting technical rules on personal data processing. The joint opinion suggests expanding the European Cybersecurity Skills Framework (ECSF) to include general workforce profiles rather than limiting it to cybersecurity professionals. Furthermore, the EDPB and the EDPS support the establishment of a single-entry point for personal data breach notifications to reduce administrative burdens. The opinion emphasises that while cybersecurity serves to protect personal data by limiting unauthorised access, such measures must remain necessary and proportionate to avoid interfering with privacy rights. The EDPB and EDPS also recommend that certification schemes should incorporate security controls that demonstrate compliance with General Data Protection Regulation (GDPR) requirements, particularly for ICT products and managed security services used in data processing operations. They also recommend requiring ENISA to consult with the EDPB prior to adopting a certification scheme.