EU Cybersecurity Certification

Brings trust to the market of ICT products, services and processes across the Union and beyond.


Certification is a tool that allows product vendors and service providers to demonstrate and advertise the cybersecurity of their solutions.

By developing cybersecurity certification at EU level, the goal is to harmonise the recognition of the level of cybersecurity of ICT solutions across the Union, allowing vendors and service providers to reach more customers.

EU certification schemes are developed by ENISA within the framework defined in the Cybersecurity Act, taking into account existing schemes and standards.

The future schemes are voluntary, with the goal of empowering the EU Digital Single Market, but other legislation may also encourage them as a means to demonstrate compliance with its requirements, or even mandate them.

In particular:

  • the Directive for a High Level of Cybersecurity across the Union (NIS2), focusing on critical infrastructure,
  • the proposed regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) with the Wallet regulation,
  • the proposed Cyber Resilience Act (CRA) which adds cybersecurity to criteria for obtaining a CE marking,
  • the proposed Artificial Intelligence Act.

Work in Progress


Three schemes are under development at different stages.

ENISA, the European Commission, supported by working groups (Ad-Hoc Working Groups) representing the ecosystem, and Member State competent authorities are working together to establish the first schemes.


The European Cybersecurity Certification Scheme on Common Criteria, the first scheme, targets ICT products such as hardware and software products and components. ENISA, with the support of an Ad-Hoc Working Group and Member States, developed the candidate scheme, which received a positive opinion from the Member States represented at the ECCG (the European Cybersecurity Certification Group). The scheme was passed to the European Commission to be transformed into an Implementing Act. Once done, the certification scheme enters into force.


The European Certification Scheme for Cloud Services was drafted with the support of an Ad-Hoc Working Group and of Member States. The text should now enter the process of the ECCG opinion.


The European Cybersecurity Certification Scheme for 5G is developed in two phases. During a first phase, which ended in Autumn 2022, ENISA and the experts gathered under an Ad-Hoc Working Group, together with the EU Commission and Member States, analysed the existing industrial evaluation and certification schemes and the updates they need to comply with the Cybersecurity Act. A first draft scheme should be available for public consultation around mid-2023.

Who is Concerned

Product Vendors & Service Providers

EU cybersecurity certification will bring new EU-wide market opportunities by simplifying efforts in demonstrating cybersecurity compliance. Certified solutions will be able to stand out on the market, and the work behind certification will support the development of internal expertise. For those already certified under existing schemes, ENISA and Member States will provide guidance to smooth the transition process and will compare requirements from existing schemes to the EU ones to facilitate transition.

National Cybersecurity Certification Authorities (NCCAs)

As required by the Cybersecurity Act, each Member State has designated an NCCA that will be in charge of supervising, certifying and monitoring EU cybersecurity certification at national level and of exchanging at EU level.

Conformity Assessment Bodies (CABs)

EU cybersecurity certification schemes are developed by ENISA with the support of experts from Member States and from the industry, including from the conformity assessment community.

These schemes are designed to meet the needs of the Member States and the industry, and to match the requirements of European regulation, making them a valuable tool at the European level to promote the security of products and services. This new value represents a significant opportunity for the CABs that will be accredited to issue certificates or to perform evaluation activities (tests, audits) for these schemes.

Users of Certificates

EU cybersecurity certificates are granted to certified ICT products and services against EU cybersecurity certification schemes. They demonstrate that the tested solutions are resistant to certain levels of attack and set remediation processes, while considering the latest state-of-the-art developments.

They are recognised across the Union and allow product vendors and service providers to showcase the compliance of their solution with a specific scheme, level of assurance, scope and potentially extensions or security profiles.

Certificates are valid for a limited time that can be extended through a re-assessment of the solution.

Get Involved!

There are many opportunities to get involved early, in particular during the development of the schemes, by applying to be part of Ad-Hoc Working Groups or by reading and reacting to the drafts published by ENISA. Contribution to standardisation efforts is also key. Take part in the discussion and exchange with the community at the next Cybersecurity Certification Conference!

When schemes are enacted, further opportunities will emerge, and it will be the right time for CABs to prepare for accreditation and for everyone to prepare for certification!

Follow ENISA news and events to stay updated.

News and Events

2023 Cybersecurity Certification Conference

May 25, 2023

Cybersecurity Standardisation Conference 2023

Feb 7, 2023

ENISA Cybersecurity Certification Conference 2022

Jun 02, 2022