Last week, the Council of the European Union's report “Balancing regulation and innovation in the technology-driven economy”, presented by the Polish Presidency ahead of the Transport, Telecommunications and Energy Council meeting on 6 June 2025, reflected multiple challenges and recommendations identified by the European Cyber Security Organisation (ECSO) as part of the Streamlining Regulatory Obligations initiative.
The document features a wide range of ideas that ECSO has been developing in close collaboration with its community of cybersecurity experts, addressing key regulatory challenges and proposing actionable solutions across five critical areas: incident reporting, risk management frameworks, assessments and auditing, supply chain security, and conformity assessment.
The ECSO Team shared their insights on multiple occasions, including through research, dissemination efforts, and structured dialogues with key players such as the Presidency’s High-Level Roundtable on Streamlining EU Digital Regulations, held on 10 April 2025 in Brussels.
Key Reflections of ECSO’s Input
Incident Reporting
ECSO’s call for a centralised European incident reporting platform and the use of API-based meta-platforms to streamline compliance was echoed in the Council’s recommendation. The Council also adopted ECSO’s emphasis on standardised formats and the “once-only” principle to reduce duplication.
Risk Management Frameworks
ECSO’s push for harmonisation to reduce compliance burdens for cross-border entities was taken into account, as the Council document reflects the proposal to encourage mutual recognition of national frameworks, acknowledging the fragmentation caused by divergent national implementations of NIS2.
Assessments and Auditing
ECSO’s attention to automated, machine-readable audit processes – including the adoption of the Open Security Controls Assessment Language (OSCAL) – was also referenced in the Council’s call to “automate security audits” and reduce reliance on manual, spreadsheet-based assessments.
Supply Chain Security
The Council’s recommendations to develop tiered supplier classification methodologies and baseline security controls align closely with ECSO’s proposals. The Council also acknowledged the administrative burden of overlapping supplier questionnaires.
Conformity Assessment
ECSO’s suggestion to reuse conformity outputs and enable automated, composition-based assessments was reflected in the Council’s support for “formats that allow for automation” and the reuse of evidence across legislative frameworks.
Regular Engagement for Europe’s Leadership
The alignment between ECSO’s recommendations and the Council’s document demonstrates the value of structured and constant stakeholder engagement and the importance of grounding policy in operational realities.
As the EU continues its journey towards a more streamlined cybersecurity regulatory landscape, ECSO remains committed to supporting the implementation of simplification measures and ensuring that cybersecurity remains a cornerstone of Europe’s leadership.
About the Policy Analysis and Outreach Stream
The ECSO Policy Analysis and Outreach Stream delivers in-depth policy analysis to ECSO Members, helping them decode and act upon key European cybersecurity developments. The initiative involves close collaboration with EU policymakers and the integration of insights from both public and private sectors. By engaging with European and international stakeholders, it promotes meaningful dialogue for a structured, dynamic European cybersecurity landscape.
Cristian Michael Tracci
Senior Manager for Policy Analysis and Outreach
cristian.tracci[at]ecs-org.eu
Simona Kaneva
Manager for Policy Analysis and Outreach
simona.kaneva[at]ecs-org.eu
Angèle Billaud
Trainee, Policy Analysis and Outreach
angele.billaud[at]ecs-org.eu