On 14 July 2025, the European Union Agency for Cybersecurity (ENISA) announced the formation of its new Advisory Group for the 2025–2028 term, which will officially begin on 1 August, following the end of the previous group’s mandate on 31 July. The newly appointed group includes experts from academia, public bodies, and industry. Established under Article 21 of the 2019 EU Cybersecurity Act, the Advisory Group replaced ENISA’s former Permanent Stakeholders Group with a streamlined structure. The group has a legal mandate to advise on ENISA’s work programme and strategic priorities, so understanding how ENISA and the Advisory Group operate provides interesting insight into Europe’s future priorities on cybersecurity. The value that the group brings to industry stakeholders is also evident in its publications, such as two of the most recent ones, entitled “NIS2 Post Implementation” and “On the role of ENISA in Cybersecurity for AI” (both June 2025).
Who makes up the Advisory Group and why does it matter?
The Advisory Group has two components. The first is made up of 26 independent experts. These are “ad personam” members, meaning they serve in a personal capacity, not as representatives of any specific organisation or Member State. The second consists of the institutional representatives: EU bodies invited by ENISA for operational coordination across the EU’s cybersecurity landscape. While the institutional presence highlights the importance of public-private cooperation, it is the composition of the independent expert group that offers the clearest insight into the Advisory Group’s likely priorities.
The 26 experts represent roughly 12 sectors (see chart below). IT/Cyber dominates, with nearly twice as many members as the next most-represented sectors: banking/finance, telecom, and transport/logistics. This concentration ensures strong technical expertise in cybersecurity, spanning multiple industries, countries, and perspectives. It is reassuring, if expected, that many experts come from sectors most exposed to cybersecurity risks. This is further reflected by the five members noted by ENISA as having direct experience in NIS-related roles, highlighting the continued relevance of NIS2 implementation.
Other represented sectors include academia, aerospace/defence, energy, and manufacturing, each with two experts. One expert each comes from a background in semiconductors, in AI, and in public-private partnerships in cybersecurity on a range of different topics. This suggests that, in addition to the core cyber expertise, ENISA is also keen to bring in deep knowledge of future-critical domains, so as not only to respond to current threats but also to prepare for future vulnerabilities. The presence of experts in domains such as aerospace and semiconductors signals strategic interest in areas such as post-quantum cryptography, AI security, and the resilience of autonomous systems. These topics are therefore likely to shape the Group’s agenda over the next two and a half years.
Figure 1: Advisory Group Composition by Industry Expertise.
How do the priorities align with the initiatives?
When it comes to facilitating the EU’s evolving cybersecurity agenda, certain initiatives are likely to take precedence due to their being at the intersection of urgency, technical complexity, and legislative momentum. Foremost among these is the implementation of the NIS2 Directive, an EU law that sets new, stronger cybersecurity rules for essential services like energy, healthcare, and digital infrastructure. Following the 17 October 2024 enforcement deadline, the focus is now on how Member States implement the Directive and how organisations across critical sectors comply with its requirements, something that many of the new advisory group’s members are quite familiar with. Closely related to the NIS2 Directive is the Cyber Resilience Act (CRA). The CRA complements NIS2 by extending cybersecurity obligations from essential service operators to include manufacturers and suppliers of digital products across the EU. The Advisory Group’s expertise in CRA implementation will be essential to support ENISA’s strategic role in enforcing these new obligations, ensuring secure-by-design principles and regulatory alignment for digital products across Europe.
Another likely area of focus is post-quantum cryptography (PQC), a fast-developing, future-critical domain that is gaining traction across the public and private sectors. Work on this was definitively launched with the publication of the preliminary EU roadmap in June 2025, which will be followed by a more detailed one incorporating industry feedback gathered via a public consultation and possible bilateral meetings. Industry and institutions alike are now waking up to the very real threat that quantum computers pose to today’s encryption, putting sensitive data and digital security at long-term risk. The solution relies on strong cooperation between the public and private sectors that the Strategic Advisory Group is well-positioned to support.
Meanwhile, concerns over the security of the ICT supply chain, amplified by ongoing geopolitical tensions, are prompting the development of a new EU toolbox, an initiative that is likely to take centre stage in European cybersecurity. The ICT Supply Chain Toolbox was presented by the Commission on Monday 14th July at the Horizontal Working Party on Cyber Issues. Whilst industry is still anxiously awaiting details, ENISA is expected to play an important role in the development of the toolbox, particularly in advising on technical guidelines and sector-specific risks. Given the Advisory Group’s mandate to align ENISA’s work with stakeholder needs and strategic challenges, members will likely focus on ensuring that industry realities, especially around supplier dependencies and operational feasibility, are reflected in the toolbox.
What does this mean for wider industry?
Private sector stakeholders, including small and medium-sized enterprises, would do well to follow the agency’s activities as closely as they do those of the Commission. ENISA regularly organises public consultations, stakeholder workshops, and technical expert meetings, many of which are open to broader participation. This is particularly true for key policy areas like those mentioned above. Beyond these formal channels, the Advisory Group offers a more accessible interface for industry influence. Companies should proactively engage in bilateral discussions with Advisory Group members and leverage their networks through industry alliances, trade associations, and cross-sectoral platforms to ensure their views are heard and to hear the priorities of others. The importance of ENISA, and subsequently the Advisory Group, can’t be overstated when it comes to cybersecurity, nor can the opportunities for industry to help shape the priorities and direction of ENISA itself.