In this paper, OFE provides its input to the inception impact assesment on the review of ENISA Regulation and laying down an EU ICT security certification and labelling. In this document, OFE stresses that of the four options proposed by the Commission, option 2 could seriously harm the current ICT cybersecurity framework whereas option 3 presents a number of pitfalls. Option 1, instead, is worthy of further discussion. Indeed, there is a clear need for further and on-going discussion and analysis before deciding on the methods for further improving cybersecurity in a sustained and effective manner, focusing attention on furthering the voluntary adoption of a ‘risk management’ model.