Connect Europe Statement on the Cybersecurity Act

Brussels, 20 January 2026 – Connect Europe, the leading voice of European connectivity providers representing around 70% of total sector investment, takes note of the European Commission’s proposal to revise the Cybersecurity Act (CSA).

As Europe’s dependence on connectivity continues to deepen and the risk landscape evolves, the security of telecom networks and services is not just a technical necessity – it is a cornerstone of Europe’s resilience. This is why our sector is fully committed to implementing the NIS2 Directive, alongside multiple other national and EU security requirements.

However, we caution against policies that would significantly weaken the very sector they aim to safeguard. Telecom operators face substantial investment requirements to complete 5G and fibre roll-out, while current regulatory conditions and the lack of scale limit their ability to invest. In this context, Connect Europe warns that the adoption of the current CSA draft will exacerbate the burden imposed on the sector, with multi-billion-euro additional regulatory costs that are currently likely to be underestimated. 

While the proposal seeks to revamp the EU cybersecurity certification framework, its ICT supply chain obligations risk imposing significant additional constraints on operators. If these obligations are not grounded in robust, evidence-based risk assessments and supported by mitigating measures such as cost reimbursement mechanisms, they will materially and adversely impact network deployment, operational continuity and investment planning. Currently Europe urgently needs more, not less, investment in connectivity.

Measures must be risk-based, proportionate and workable

In line with Connect Europe’s views on the CSA review, the revised Cybersecurity Act must:

• Deliver real simplification, reducing overlap and duplication across NIS2, DORA, CRA and other relevant frameworks, to refocus resources from compliance to actual security operations.

• Make EU cybersecurity certification market-relevant and proportionate, avoiding costly, untested or mandatory schemes that deliver limited security value in practice.

• Ensure supply chain security measures strictly follow a risk-based approach, while respecting the competence of Member States for national security matters. Measures need to be proportionate, taking into account the need for predictability when rolling out network infrastructure with modernisation cycles of at least ten years – and risk assessments need to be up-to-date, carefully considering the impact on investment, resilience and service continuity. 

Connect Europe calls on EU legislators to correct the CSA proposal during the legislative process and ensure it delivers effective security outcomes without compromising Europe’s digital competitiveness.