ETSI Warns EU Cybersecurity Act 2 Risks Fragmenting Global Standards

Executive Summary

The European Telecommunications Standards Institute (ETSI) has formally warned that a clause in the proposed EU Cybersecurity Act 2 (CSA2) could effectively ban its experts from participating in global cybersecurity standardization bodies, including the Internet Engineering Task Force (IETF) and the Institute of Electrical and Electronics Engineers (IEEE). In a position paper sent to the European Commission on April 16, 2026, ETSI argues that Article 100(4)(a) of the draft legislation would create a conflict of interest, forcing organizations that develop technical specifications for EU certification schemes to withdraw from international standards development. This move, ETSI contends, would fragment global cybersecurity standards, reduce the EU's influence in shaping them, and ultimately weaken the security of products and services within the single market.

Technical Analysis

The core of the dispute lies in the legislative text of the proposed CSA2. Article 100(4)(a) states that organizations developing the technical specifications for an EU cybersecurity certification scheme "shall not be involved in the development of international standards or technical specifications in the area covered by that scheme." The European Commission's stated intent is to prevent conflicts of interest and ensure the independence of EU certification schemes from commercial or foreign influence.

ETSI's technical analysis, based on its position paper, challenges this logic. The organization argues that the provision is overly broad and conflates two distinct roles. Developing a technical specification for a specific EU certification is a targeted, regulatory-driven activity. Participating in international standards bodies like the IETF or 3GPP is a collaborative, consensus-based process aimed at creating globally applicable technical foundations. ETSI experts, who are often employees of European companies, contribute to these global forums precisely to ensure European technological interests and security principles are embedded in worldwide standards for 5G, IoT, and network protocols. Banning this participation would, per ETSI, cut the EU off from the primary source of cutting-edge security knowledge and innovation, forcing it to rely on outdated or inferior specifications.

Threat Actor Context

This is a policy and governance issue, not a direct threat actor campaign. However, the potential consequence of the legislation is a strategic weakening of the EU's defensive posture. By isolating its technical community from global standardization, the EU risks creating a divergent, less-tested security ecosystem. This could be exploited by threat actors who would face a more fragmented defense landscape or who could focus exploitation efforts on standards developed without the scrutiny of a global expert community. Furthermore, it cedes influence in international security governance to other geopolitical blocs.

Mitigations & Recommendations

ETSI's position paper calls for the European Commission to amend the CSA2 proposal. The primary recommendation is to delete Article 100(4)(a) in its current form. ETSI suggests that existing EU rules on conflict of interest and the internal governance of standardization bodies are sufficient to manage any perceived risks without instituting a blanket ban. As an alternative, the paper proposes that the legislation could require transparency and disclosure of involvement in other standards development, rather than an outright prohibition. For EU policymakers and the cybersecurity industry, the recommended mitigation is to engage in the legislative consultation process to advocate for a model that maintains strong EU participation in global standards bodies, which are critical for interoperable and robust security.