MIL-OSI Europe: Answer to a written question – Delayed evaluation report on the functioning of ENISA and the European cybersecurity certification framework – E-000510/2025(ASW)

The Commission is committed to meeting deadlines and at the same time strives to deliver accurate and well-founded evaluation reports of the highest quality.

Such evaluations are carried out in accordance with the Commission’s Better Regulation Guidelines and Toolbox[1]. These require gathering sufficient evidence to assess the performance of a specific intervention.

To ensure overall quality and accuracy, the Commission has exceptionally delayed the evaluation report on the functioning of the European Union Agency for Cybersecurity (ENISA) and of the EU Cybersecurity Certification Framework[2] beyond the deadline provided in Article 67(4) of the Cybersecurity Act (Regulation (EU) 2019/881[3]).

In addition, in the context of the upcoming revision of the Cybersecurity Act scheduled for the end of 2025, the Commission decided to publish the evaluation report at the same time.

The report will be part of a Digital Package related to simplification, which will also include an impact assessment and a proposal for revision of the Cybersecurity Act.

The publication of an evaluation report together with an impact assessment of a proposal is common practice and has the advantage of consolidating discussions that pertain to the same topic.

Once finalised, the Commission will transmit the report together with its conclusions to the European Parliament, as well as to the Council and to the management board of ENISA. The findings of the report will also be made public.

• [1] https://commission.europa.eu/law/law-making-process/better-regulation/better-regulation-guidelines-and-toolbox_en
• [2] https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-certification-framework
• [3] https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng