European Cyber Security Organisation

ECSO

The European Cyber Security Organisation supports initiatives that strengthen the European cybersecurity market and research through public-private collaboration.

Lobbying Activity

ECSO urges EU to simplify fragmented cyber incident reporting

1 Oct 2025
Message — The group requests a unified platform to replace overlapping incident reporting requirements. They propose a mechanism where one report satisfies multiple regulations and authorities.
Why — Harmonized rules would lower compliance costs for cross-border operators and smaller businesses.
Impact — Regulatory authorities may have to compromise their specific national reporting preferences.

Meeting with Christiane Kirketerp De Viron (Acting Director Communications Networks, Content and Technology)

16 Sept 2025 · Presentation of the ECSO CISO Community and discussion on ongoing cyber initiatives.

Meeting with Christiane Kirketerp De Viron (Acting Director Communications Networks, Content and Technology) and

27 Mar 2025 · EU initiatives in the area of cybersecurity

Response to EU Start-up and Scale-up Strategy

17 Mar 2025

The European Cyber Security Organisation (ECSO) is a public-private association at the European level in the cybersecurity ecosystem, which started in 2016 under a c-PPP with the European Commission until 2020. ECSO has a member base of around 350 members from the public and private sectors. It aims to increase Digital Resilience and Strategic Autonomy in the European cybersecurity ecosystem. ECSO and its members welcome the EU Start-up and Scale-up Strategy, bring concrete feedback to support the Strategy, and provide the insights of the European cybersecurity ecosystem.

Based on the hurdles identified in the document of the call for evidence, and through a consultation effort with its members, ECSO has put forward recommendations for the Strategy:

Increase market impact of EU funding: Increase EU funding availability for start-ups and scale-ups, focusing on projects that bring innovative solutions to market, and ensure consortia include diverse participants to facilitate market application.
Harmonise and recognise standards: Harmonise European standards, and adopt mutual recognition agreements for national standards and certifications to enable start-ups and scale-ups to serve different customers and leverage public procurement processes.
Invest in networks of incubators and accelerators: Establish a European network of sector-specific incubators and accelerators to support start-ups and scale-ups with mentorship and expert advice, helping them grow in diverse markets.
Celebrate European solutions: Develop communication campaigns with partners to highlight success stories of European cybersecurity players, promoting their capabilities and contributions to the digital ecosystem.
Drive competitiveness: Encourage tax incentives for EU-based start-ups, support market consolidation to create European champions, and facilitate the growth of the European VC ecosystem through competitive providers.
Leverage procurement: Use strategic purchasing power to promote European industry by mandating European participation in procurement processes and prioritising European consortia and SMEs.
Attract and develop talent: Offer incentives to attract top foreign talent, emphasise the link between capital access and talent retention, develop industry-collaborative professional courses, and motivate European-trained talent to stay in Europe post-graduation.
Promote European solutions in international markets: Adjust trade agreements to support European cybersecurity companies' access to non-EU markets, prioritise global digital infrastructure investments with European cybersecurity solutions, and establish EU trade delegations to major conferences and events.

ECSO has further identified some key findings to support the Strategy:

Access to finance: There is a significant funding gap in the European cybersecurity market, with venture capitalists being risk-averse and unable to provide the large investments needed for scale-ups.
Regulatory and bureaucratic burdens: Cybersecurity start-ups face complex and diverse regulatory frameworks across Europe, requiring them to navigate different national standards and certifications, which increases costs and slows down growth and innovation.
Access to market: European cybersecurity solutions are often overlooked in favour of American providers, and there is a lack of strategic procurement by European institutions to support local solutions.
Access to talent: The cybersecurity sector in Europe suffers from a workforce and skills gap, gender disparity, and brain drain, making it difficult to find and retain qualified professionals.
Access to research and technology infrastructure: There is unequal availability of research and technology infrastructure across European member states, leading to compartmentalised knowledge and unequal development in the cybersecurity sector.
For further details, do not hesitate to contact us through the email provided in the portal.

Meeting with Despina Spanou (Principal Adviser Communications Networks, Content and Technology)

11 Feb 2025 · Update on ECSO's ongoing cybersecurity work and priorities.

Meeting with Marina Kaljurand (Member of the European Parliament)

9 Dec 2024 · Cybersecurity

Meeting with Lina Gálvez (Member of the European Parliament)

20 Nov 2024 · Cyber Security

Meeting with Daniel Attard (Member of the European Parliament, Shadow rapporteur for opinion) and EUROPEAN TRADE UNION CONFEDERATION

14 Nov 2024 · FDI Screening

Response to Rules specifying the obligations laid down in Articles 21(5) and 23(11) of the NIS 2 Directive

25 Jul 2024

The European Cybersecurity Organisation (ECSO), composed of 300+ Members, welcomes the publication of the NIS2 Implementing Act and offers feedback based on the input of interested ECSO Member organisations. Targeted feedback can be found in the two attached documents, while here we provide a high-level overview of the crucial points.

The Implementing Act is a good step towards increasing the overall level of cybersecurity; however, in its current stance, it presents the following risks:

Excessive and non-proportional costs for implementing cybersecurity requirements. Cybersecurity controls should be risk-based, tailored to address the specific threats and vulnerabilities faced by individual entities, while avoiding unnecessary, excessive and disproportionate costs.
Ambiguous security requirements, whose implementation may not be streamlined.
A highly extensive list of criteria for defining significant incidents, which might lead to over-reporting of incidents, causing additional financial and administrative burden on the affected entities.

The Implementing Act requirements should follow a risk-based approach, linked to existing and recognised compliance schemes such as ISO/IEC 27001. In some cases, it may not be possible to implement certain requirements due to technical limitations, while still achieving the appropriate level of cybersecurity. The specific monitoring and logging requirements might not always be required or even technically feasible. Authorities could instead ask for documentation of decisions and risk appetite, instead of prescribing specific requirements without knowing the organisation's environment and risk posture. Furthermore, two or more criteria should be met for an incident to be considered significant. Prescriptive incident reporting thresholds do not match the proportionality approach. Entities in scope have different sizes, use different technologies and have different business models. As a result, it can be challenging for them to accurately measure the expected metrics.

The following points should be taken into consideration with regards to the articles tackling significant incidents:

1. The Implementing Act should provide more focus on actionable technical references for cybersecurity teams compared to high-level guidelines that are more focused on legal, financial, or managerial aspects.
2. It should be clarified whether the incident has to be reported in the entity's main country of establishment or in all member states impacted by the incident.
3. The phrase "becoming aware", as a criterion to submit an early warning within 24 hours, should be better clarified, providing a formal and operational definition.
4. Categories such as reputational damage, reporting in the media, complaints from users, and the risk of losing customers should be removed or adapted as measurement criteria for categorising incidents due to major risks of manipulation and non-objective measurement.
5. Financial loss following an incident should be removed or adapted as a criterion to identify an incident as significant, since the economic assessment exceeds the 24-hour reporting time and the current threshold is considered too low, which will inevitably lead to over-reporting.
6. When assessing incidents, determining a figure for the duration of operational disruption deemed significant poses a challenge. The current number should be at least increased.
7. Criteria for defining significant incidents should be tied to the requirements of digital service providers and not to the entity benefiting from the service, given that providers lack visibility on key incident information from a customer.
8. A link should be made between the categorisation of incidents as significant, and the risk management measures outlined in the Annex.
9. Further clarification is needed on whether a single incident, affecting both the Digital Service Provider and the service user, should be reported by the provider, the user, or both.

Meeting with Nicola Danti (Member of the European Parliament, Rapporteur) and BUSINESSEUROPE and

25 Jan 2023 · Stakeholder consultation on the CRA

Response to Cyber Resilience Act

24 May 2022

Please find attached the contribution of the European Cyber Security Organisation (ECSO). The European Cyber Security Organisation (ECSO) is a not-for-profit organisation, established in 2016 to support the Public-Private Partnership on cybersecurity with the European Commission. ECSO unites more than 270 European cybersecurity stakeholders, including large companies, SMEs and start-ups, research centres, universities, end-users, operators, associations, and national administrations. ECSO works with its Members and Partners to develop a competitive European cybersecurity ecosystem providing trusted cybersecurity solutions and advancing Europe's cybersecurity posture and its technological independence.

Executive summary

ECSO's members believe that the Cyber Resilience Act (CRA) should constitute the cornerstone of all the cybersecurity regulation in the European Union by providing horizontal principles and promoting consistency and harmonisation with existing, forthcoming, and revised sectoral legislation. The CRA should have a broad scope and include all digital services and devices that could represent a security risk. Standalone software should be kept out of the scope of the CRA as it has very specific applications (dominated by the implementation environment and context of use). Risk categorisation should be identified according to the destination of a product and the risk environment in which it will operate, not just its technical characteristics. The CRA should require security by design and by default to strengthen the resiliency of all digital products and ancillary services, mandate implementation of minimum security requirements and other best practices like security updates throughout the product's life cycle, encryption for data at rest and data in transfer, as well as Multi-Factor Authentication (MFA) for all products addressed to the consumer market.

ECSO believes that the producers of digital products, across the entire supply chain, should be required to design their products following the principles of SecDevOps and Zero Trust. The CRA should encourage the creation and implementation of an EU-wide Vulnerability Disclosure Policy (VDP) together with bug bounty programmes to reward cybersecurity researchers for their work and ensure a safer online environment. ECSO encourages the creation of an EU-wide cybersecurity label to transparently inform businesses and end-consumers, who are not IT experts, on the origins of each product, its cybersecurity level, and its environmental impact. This label should be very simple to read and would not replace existing certification schemes, but it could be used to encourage the consumption of digital devices and services produced in the EU that comply with EU legislation and standards. ECSO believes that trustworthy EU solutions, meeting stringent security standards, can gain a unique selling point that can differentiate them from cheaper insecure solutions.

Meeting with Margaritis Schinas (Vice-President) and

30 Jun 2020 · Security Union

Meeting with Despina Spanou (Cabinet of Vice-President Margaritis Schinas)

8 May 2020 · Cybersecurity and ECSO's initiatives

Meeting with Alejandro Cainzos (Cabinet of Executive Vice-President Margrethe Vestager)

28 Jan 2020 · Cybersecurity overview

Meeting with Despina Spanou (Cabinet of Vice-President Margaritis Schinas)

9 Jan 2020 · Women4Cyber

Meeting with Vivian Loonela (Cabinet of Vice-President Andrus Ansip)

16 Jan 2019 · Cybersecurity

Meeting with Roberto Viola (Director-General Communications Networks, Content and Technology)

30 Oct 2018 · European Cybersecurity Competence Centre and Network

Meeting with Andrus Ansip (Vice-President) and

21 Jun 2018 · Cybersecurity

Meeting with Carl-Christian Buhr (Cabinet of Commissioner Mariya Gabriel)

2 May 2018 · Cyber Security

Meeting with Michael Hager (Cabinet of Vice-President Günther Oettinger)

29 Mar 2018 · MFF

Meeting with Vivian Loonela (Cabinet of Vice-President Andrus Ansip)

1 Feb 2018 · Cybersecurity topics

Meeting with Mariya Gabriel (Commissioner)

10 Jan 2018 · Cyber-security

Meeting with Vivian Loonela (Cabinet of Vice-President Andrus Ansip)

12 Dec 2017 · Cybersecurity package

Meeting with Carl-Christian Buhr (Cabinet of Commissioner Mariya Gabriel)

6 Dec 2017 · Cybersecurity

Response to Review of ENISA Regulation and laying down a EU ICT security certification and labelling

29 Nov 2017

ECSO represents the contractual counterpart to the European Commission for the implementation of the Cyber Security contractual Public-Private Partnership (cPPP). Since the publication of the package, we have gathered comments both from the ECSO Board and from many ECSO members to provide the Horizontal Working Party of the Council, Member States and the Commission with comments from ECSO on the proposed Joint Communication. Due to the very wide spectrum of cybersecurity and the different interests of ECSO members, it would be difficult to report all the suggestions made. For this reason, we have advised our members to report their specific comments to the European Commission through the currently running public consultation on the cybersecurity package. Also, while there was a general consensus on the majority of topics in the Joint Communication, we must recognise that there are important differences on the issue of certification. More time is needed to reach consensus on the details. For this reason, we have opted to give general considerations in the main text and give a general understanding of the various positions / suggestions in a companion paper. Yet, we expect that the ECSO working group dedicated to this topic will soon issue suggestions for a meta-scheme that could be used in the new EU certification framework in a few weeks. This paper presents the positions and suggestions from ECSO on the package. The structure of this position follows the structure of the proposed EU Joint Communication, and its content is more of a political nature than technical. A final section on "other issues" has been appended with suggestions received from ECSO members on topics that are not mentioned, or not detailed enough, in the Joint Communication.

Meeting with Vivian Loonela (Cabinet of Vice-President Andrus Ansip)

26 Sept 2017 · Cybersecurity Package

Meeting with Vivian Loonela (Cabinet of Vice-President Andrus Ansip)

8 Sept 2017 · Cybersecurity

Meeting with Carl-Christian Buhr (Cabinet of Commissioner Mariya Gabriel)

7 Sept 2017 · Cybersecurity

Meeting with Vivian Loonela (Cabinet of Vice-President Andrus Ansip)

27 Jun 2017 · Cyber Security Strategy

Meeting with Andrus Ansip (Vice-President) and

11 Apr 2017 · Cybersecurity

Meeting with Andrus Ansip (Vice-President) and

6 Apr 2017 · Cybersecurity PPP

Meeting with Martin Übelhör (Digital Economy)

14 Nov 2016 · cyber security cPPP