• Industry group calls on Irish Government to seek changes for CSA 2.0 proposal as knock-on effects, through supply chains, procurement requirements, and investment decisions, are likely to be substantial.
• Few Irish businesses operating in digitally connected sectors will remain untouched.

Dublin, 7 April 2026 – Digital Business Ireland (DBI) has released a new report (prepared by BH Consulting for DBI), The Impact of the Revised EU Cybersecurity Act on Irish SMEs, warning that the European Commission’s January 2026 proposal for a revised EU Cybersecurity Act (CSA 2.0) carries complex and far-reaching implications for Irish SMEs.

This proposal represents a significant evolution of the EU’s cybersecurity regulatory framework, and its stated ambitions are commendable as they look to strengthen cyber resilience across the EU, address supply chain vulnerabilities, and streamline compliance for businesses.

However, even if a business falls directly outside of the scope, the knock-on effects, through supply chains, procurement requirements, and investment decisions, are likely to be substantial. Consequently, few Irish businesses operating in digitally connected sectors will remain unaffected.

The report examines the background to CSA 2.0, its key provisions, and the specific challenges it presents for Irish SMEs, in addition to offering practical guidance on how Irish SMEs can prepare for, and minimise the impact of, the changes ahead.

Accordingly, the report lays out six practical steps that will help SMEs both prepare for CSA 2.0 and strengthen their broader cybersecurity posture.

1. Understand Your Supply Chain Exposure
2. Conduct a Cybersecurity Risk Assessment
3. Explore EU Cybersecurity Certification
4. Align with Recognised Security Standards
5. Engage with Industry Representations
6. Seek Expert Guidance

Ultimately, for Irish SMEs, the risks are real but manageable. The supply chain framework, certification requirements, and investment uncertainty associated with CSA 2.0 will necessitate adaptation. Businesses that proactively strengthen their cybersecurity foundations now will be better positioned to compete and ensure compliance as the regulatory landscape evolves.

DP Fitzgerald, National Spokesperson for DBI, has stated that “over the coming year, DBI will actively engage in the EU legislative process, including with Irish MEPs and the Irish Government, to help ensure that the final text of CSA 2.0 achieves its security objectives without imposing disproportionate burdens on the businesses that form the backbone of the Irish economy”.

DBI is therefore calling on the Irish Government, which will play a role in shaping the proposals at EU Council of Ministers level during Ireland’s upcoming Presidency, to seek changes to the CSA 2.0 proposal. 

To this end, the report sets out five key principles to guide the development of CSA 2.0:

• Technical criteria should drive risk designations. 
• Proportionality must be preserved. Member State competence should be respected. 
• The ICT Supply Chain Security Toolbox should remain in its current voluntary form. 
• CSA 2.0 should take the form of a Directive, not a Regulation. 

To read the report in full, click here.