The European Commission wants to strengthen the EU’s cybersecurity with CSA2 and NIS2, but regulatory fragmentation and national reflexes complicate true harmonization.
On January 20, 2026, the European Commission presented a new cybersecurity package including a major revision of the Cybersecurity Act (CSA2) as well as targeted adjustments to the NIS2 Directive. The objective is to strengthen the Union’s cyber resilience in the face of constantly increasing threats.
Behind this ambition, a question remains: is European harmonization in cybersecurity really achievable, or will it remain a theoretical objective? The question is far from abstract, since it determines the ability of companies to secure their infrastructures while controlling compliance costs in a market that remains largely fragmented.
The challenges of harmonization between Member States
An ENISA report reveals significant gaps between member states. While some have advanced cyber capabilities, others are still struggling to structure basic functions. These disparities fuel national reflexes, sometimes protectionist, which slow the emergence of a truly European approach.
CSA2 strengthens the role of ENISA by giving it a sharply increased budget and new operational missions. The agency must now maintain threat repositories, issue alerts, coordinate exercises and operate a unified incident notification platform. These means, however, will have to compensate for decades of unequal investment across member states.
This revision will also have to overcome a major obstacle: convincing member states to give up part of their digital sovereignty. Member states have chosen sovereign approaches and continue to impose specific requirements, particularly in critical sectors. CSA2 attempts to limit these practices by prohibiting the addition of national requirements where European standards exist, but enforcing that prohibition remains uncertain in the current context.
Persistent fragmentation despite European frameworks
At the same time, the EU has multiplied regulatory texts relating to cybersecurity in recent years (NIS2, the Cyber Resilience Act, DORA, etc.) to the point of making the normative framework difficult to read. This accumulation creates areas of uncertainty and overlap, and organizations must respond to multiple, sometimes inconsistent, requirements.
The NIS2 directive provides a perfect illustration of this. Although it aims for harmonization, its transposition varies greatly from one state to another. Each country adapts the thresholds, the sectors concerned and the supervision methods according to its national priorities, which results in the coexistence of different regimes under the appearance of unity.
Need for interoperability of tools and standards
This regulatory fragmentation translates directly into technical fragmentation. Threat information exchange standards are not uniformly adopted, and each state or sector develops its own tools. This diversity prevents the emergence of a global and coherent view of cyber threats at the European scale, so that during major incidents involving several states, coordination remains very difficult.
CSA2 nevertheless introduces certain advances, in particular by entrusting ENISA with the management of a European vulnerability database. To be effective, this database must interoperate with existing international systems, in order to avoid divergences that would complicate the management of vulnerabilities and supply chains.
Regarding the latter, another major innovation concerns the security of cyber supply chains, with the Commission now able to designate high-risk suppliers or countries and restrict their use in critical infrastructure. But does Europe have the technological alternatives necessary to replace the excluded solutions? Imposed harmonization without alternative solutions could weaken the competitiveness of European players.
The EU cannot ignore the international dimension of cybersecurity. European companies operating on a global scale must be able to rely on globally recognized standards.