Written by: Haim Ravia, Dotan Hammer
The European Data Protection Board and the European Data Protection Supervisor adopted two significant Joint Opinions in March 2026, addressing major European Commission legislative proposals that intersect with cybersecurity, health data governance, and data protection.
On March 19, the EDPB and EDPS published their Joint Opinion on the proposed Cybersecurity Act 2 (CSA2) and the proposed amendments to the NIS2 Directive. The Commission’s cybersecurity package, published on January 20, 2026, aims to further strengthen cybersecurity in Europe while simplifying compliance with cybersecurity laws for organizations. In their opinion, the EDPB and EDPS support the general objective of strengthening the role of the European Union Agency for Cybersecurity (ENISA) and facilitating the adoption of cybersecurity certification. They specifically welcome the provision that ENISA’s advice would be issued upon prior request from the EDPB, ensuring clear coordination and division of responsibilities. However, they recommend that the scope of the European Cybersecurity Certification Framework and its relationship with GDPR certification be further clarified. ENISA should consult with the EDPB before adopting any certification scheme related to the security of processing personal data. They also recommend that the European Cybersecurity Skills Framework extend beyond cybersecurity professionals to include a general workforce profile. Regarding the NIS2 amendments, the EDPB and EDPS support the establishment of a single-entry point for breach notifications—consistent with their position in the Digital Omnibus Joint Opinion—and call for greater harmonization across the EU’s various incident reporting regimes.
On March 12, the authorities adopted a Joint Opinion on the European Commission’s proposed European Biotech Act, which aims to strengthen Europe’s biotechnology and biomanufacturing sectors, particularly in health, by streamlining the regulatory framework and updating rules for clinical trials. The EDPB and EDPS support the proposal’s objectives of fostering EU competitiveness and addressing fragmentation in the application of the Clinical Trials Regulation. However, they raise data protection concerns, particularly regarding the processing of health data and special categories of personal data in the context of clinical trials, the governance of health data infrastructure, and the need to ensure that streamlined procedures do not erode the safeguards that the GDPR provides for sensitive personal data. Both opinions are advisory but carry significant weight in the legislative process, particularly as the European Parliament and Council develop their respective positions on these proposals.
Click here to read the EDPB-EDPS Joint Opinion on the Cybersecurity Act 2 and NIS2 amendments.
Click here to read the EDPB-EDPS Joint Opinion on the European Biotech Act.
