The CSA2 proposal (revision of the Cyber Security Act) will face intense discussions among the Council, European Parliament, and Commission, with several provisions contested due to identified weaknesses.
José Luís da Cruz Vilaça, coordinating partner of the European Union Law and Competition practice at Antas da Cunha Ecija, Paulo de Almeida Sande, partner in the same practice and Mariana Tavares, counsel in the same practice, analyze the main issues.
At the core lies the division of competences between the EU and Member States, particularly sensitive in national security—an exclusive Member State competence, provided fundamental EU principles are respected. Article 114 TFEU (internal market, shared competence) is not an adequate legal basis.
Concepts such as HRS and high-risk countries create discretionary uncertainty from the Commission. The erroneous application of proportionality and subsidiarity limits national sovereignty in exclusive areas.
Given the current geopolitical turbulence, the proposal risks exacerbating tensions, as seen in debates on the digital package, original CSA, and 5G Toolbox.
A less restrictive, more balanced legislative process is recommended—one that respects the EU’s constitutional architecture—across the pillars of ENISA, ECCF, NIS2, and secure TIC supply chains.
For more: Click Here
