EDPB-EDPS Joint Opinion on the Cybersecurity Act Proposals

Research Team (Tsaaro)

Introduction 

On 18 March 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a Joint Opinion on the EU’s proposed cybersecurity reforms, responding to legislative proposals introduced on 20 January 2026. The proposals amend the Cybersecurity Act (CSA2) and the NIS2 Directive in order to strengthen the EU’s ability to handle rising cyber threats and foreign interference.

Role of the EDPB and EDPS 

The EDPB and EDPS serve critical advisory and supervisory functions within the EU’s legislative process, particularly on matters touching data protection and privacy. Although neither body enacts laws, their opinions carry significant weight in shaping, interpreting, and implementing EU legislation. The EDPB is responsible for ensuring the consistent application of the General Data Protection Regulation (GDPR) across Member States, doing so through guidelines, recommendations, and formal opinions. The EDPS, by contrast, oversees personal data processing by EU institutions and bodies, ensuring their compliance with established data protection standards. Where proposed legislation poses potential risks to fundamental rights, both bodies routinely issue joint opinions, as they have done here.

Core Findings of the Joint Opinion 

The EDPB and EDPS frame the relationship between data protection and cybersecurity as fundamentally “double-sided.” While cybersecurity serves to protect personal data, certain security measures, such as deep packet inspection or user behaviour analytics, can themselves interfere with fundamental privacy rights. The authorities therefore emphasise that cybersecurity measures must not be judged by effectiveness alone; they must also be strictly necessary and proportionate.

Against this backdrop, the Joint Opinion identifies areas of support alongside specific concerns. 

Areas of Support  

The authorities broadly support the strengthening of ENISA’s operational mandate and welcome the provision allowing ENISA to advise the EDPB upon request. They also endorse the Single-Entry Incident Reporting Platform, viewing it as a meaningful step toward reducing administrative burdens on organisations without compromising the protection of data subjects, provided the platform is built to the highest security standards given the sensitivity of the information it will handle. 

The EDPB and the EDPS further welcome the proposed measure aimed at ensuring a trusted ICT supply chain framework and addressing non-technical risks in sectors of high criticality. Similarly, there is support for classifying European Digital Identity Wallet and Business Wallet providers as essential entities, as well as for the principle of mandatory ransomware reporting to help disrupt criminal networks.  

Areas of Concern 

  • Unregulated large-scale data processing by ENISA: As ENISA assumes a central role in threat intelligence, it may process substantial volumes of personal data, including IP addresses and user credentials. The authorities firmly state that if such large-scale processing is required, the essential elements and safeguards must be explicitly spelled out in the legislation itself and not delegated to the administrative discretion of ENISA’s Management Board. Any internal data protection rules adopted by the Management Board must be precise, foreseeable, and developed only after prior consultation with the EDPS.


  • Omission of the EDPS from inter-agency cooperation: While the CSA2 allows the EDPB to request advice from ENISA, it makes no equivalent provision for the EDPS. The authorities consider this a material gap, as the EDPS must be able to draw on ENISA’s technical expertise when supervising EU institutions and bodies. 


  • Gaps in the Cybersecurity Skills Framework: The proposed ECSF is limited exclusively to cybersecurity professionals. The authorities warn that this leaves a critical blind spot, since most breaches originate in the human factor, such as phishing, social engineering, and general user error. Confining the framework to specialists fails to address this reality. Equally, the absence of any privacy training within the professional profiles is flagged as a significant omission.


  • Legal uncertainty in certification schemes: The CSA2 introduces a new certification objective concerning an entity’s ability to secure personal data processing but does not clarify how this interacts with the existing GDPR certification mechanisms under Articles 42 and 43. The authorities caution that without explicit guidance, overlapping frameworks risk creating legal inconsistency and confusion for organisations seeking compliance. 


  • Insufficient safeguards for ransomware reporting: Although the authorities fully support the policy objective of disrupting ransomware criminal networks, they note that ransomware reporting, which may involve sensitive personal data, must be subject to robust data protection safeguards in any implementing acts, in line with the principles of necessity and proportionality.

Recommendations 

To ensure the CSA2 and NIS2 amendments strike an appropriate balance between cybersecurity and the protection of fundamental rights, the EDPB and EDPS put forward the following recommendations to EU co-legislators: 

  • Explicitly include the EDPS in inter-agency cooperation: Article 5(1)(h) CSA2 Proposal should be amended to name the EDPS as a possible requestor of advice from ENISA, and Article 68 should be amended to identify the EDPS as a Union body with which ENISA must cooperate, creating clearer institutional synergies and a more coherent division of responsibilities. 


  • Embed data processing safeguards in primary legislation: If ENISA’s expanded tasks require large-scale personal data processing, the essential elements and safeguards must be set out in the basic legislative act. Fundamental rights authorisations should not be left to ENISA’s Management Board. Where the Board does adopt internal rules under Article 66, prior consultation with the EDPS should be mandatory. 


  • Broaden the ECSF beyond cybersecurity professionals: Article 19(2) should be amended to extend the framework to a “Cybersecurity for generalists” profile, covering the general workforce and citizens. Professional profiles within the framework should also include a dedicated module on EU data protection law compliance, with particular attention to the practical implementation of privacy by design and by default. 


  • Clarify certification schemes and their relationship to the GDPR: The scope of the new certification objective under Article 80(1)(w) should be clarified, including how it relates to GDPR Articles 42 and 43. ENISA should be required to consult the EDPB before adopting any schemes under this objective, and a recital should be added clarifying that these schemes should incorporate controls such as configurable data logging granularity and storage periods that help entities demonstrate GDPR compliance. 


  • Specify data protection safeguards for ransomware reporting: Where ransomware reporting involves the processing of personal data, implementing acts under Article 23(11) of the NIS2 Directive must include robust and explicit data protection safeguards, ensuring full compliance with the principles of necessity and proportionality. 

Conclusion  

The Joint Opinion highlights the need to strike a careful balance between strengthening cybersecurity and safeguarding fundamental rights. While the proposed reforms are a significant step towards enhancing the EU’s resilience against evolving threats, the EDPB and EDPS stress that such measures must always remain necessary, proportionate, and firmly aligned with data protection principles to ensure that security does not come at the cost of individual privacy. 

Want to know more?   

Learn more about India's data protection environment, compliance frameworks, and in-depth analyses of privacy policies at Tsaaro.com.    

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.