With its Cybersecurity Act 2, the European Commission has missed an opportunity to simplify Europe’s complex regulatory landscape. While strengthening ENISA is welcome, the proposal falls short of significantly streamlining cybersecurity certification schemes. Moreover, the intention to enhance ICT supply chain resilience is generally supported, but the proposed framework requires substantial improvement to reflect industrial realities.