EU Cybersecurity Certification

Brings trust to the market of ICT products, services and processes across the Union and beyond.

About

Certification is a tool that allows product vendors and service providers to demonstrate and advertise the cybersecurity of their solutions.

By developing cybersecurity certification at EU level, the goal is to harmonise the recognition of the level of cybersecurity of ICT solutions across the Union, allowing vendors and service providers to reach more customers.

EU certification schemes are developed by ENISA within the framework defined in the Cybersecurity Act and taking into account existing schemes and standards.

Although voluntary, with the goal of empowering the EU Digital Single Market, the future schemes may also be encouraged by other legislation as a means of demonstrating compliance with its requirements, or even mandated by it.

In particular:

  • the Directive for a High Level of Cybersecurity across the Union (NIS2), focusing on critical infrastructure,
  • the proposed regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) with the Wallet regulation,
  • the proposed Cyber Resilience Act (CRA) which adds cybersecurity to criteria for obtaining a CE marking,
  • the proposed Artificial Intelligence Act.

Work in Progress


Three schemes are under development at different stages.

ENISA and the European Commission, supported by Ad-Hoc Working Groups representing the ecosystem and by Member State competent authorities, are working together to establish the first schemes.

EUCC

The European Cybersecurity Certification Scheme on Common Criteria, the first scheme, targets ICT products such as hardware and software products and components. On January 31st, 2024, the European Commission published the Implementing Act launching the certification scheme. ENISA is publishing the state-of-the-art documents supporting the scheme, as listed in its Annex I.

EUCS

The European Certification Scheme for Cloud Services was drafted with the support of an Ad-Hoc Working Group and Member States. The text is now expected to enter the ECCG opinion process.

EU5G

The European Cybersecurity Certification Scheme for 5G is developed in two phases. During the first phase, which ended in Autumn 2022, ENISA and the experts gathered under an Ad-Hoc Working Group, together with the EU Commission and Member States, analysed the existing industrial evaluation and certification schemes and the updates they would need to comply with the Cybersecurity Act. A first draft scheme will be made available for public consultation; the expected date is under discussion within the AHWG.

Artificial Intelligence

In view of the adoption of the draft EU Regulation on Artificial Intelligence, ENISA is assessing whether and how AI could be the object of cybersecurity certification, as well as how schemes under elaboration could be re-used. This work is preparatory, as ENISA has not received a request from the European Commission to develop a certification scheme.

Who is Concerned

Product Vendors & Service Providers

EU cybersecurity certification will bring new EU-wide market opportunities by simplifying the effort of demonstrating cybersecurity compliance. Certified solutions will be able to stand out on the market, and the work done to achieve certification will support the development of internal expertise. For those already certified under existing schemes, ENISA and Member States will provide guidance to smooth the transition process and compare the requirements of existing schemes with the EU ones to facilitate transition.

National Cybersecurity Certification Authorities (NCCAs)

As required by the Cybersecurity Act, each Member State has designated an NCCA that is in charge of supervising, certifying and monitoring EU cybersecurity certification at national level and of exchanging with its counterparts at EU level.

Conformity Assessment Bodies (CABs)

EU cybersecurity certification schemes are developed by ENISA with the support of experts from Member States and from the industry, including from the conformity assessment community.

These schemes are designed to meet the needs of Member States and industry, and to match the requirements of European regulation, making them a valuable tool at the European level to promote the security of products and services. This new value represents a significant opportunity for the CABs that will be accredited to issue certificates or to perform evaluation activities (tests, audits) for these schemes.

Users of Certificates

EU cybersecurity certificates are granted to ICT products and services certified against EU cybersecurity certification schemes. They demonstrate that the tested solutions are resistant to certain levels of attack and that remediation processes are in place, while taking into account the latest state-of-the-art developments.

They are recognized across the Union and allow product vendors and service providers to showcase the compliance of their solution to a specific scheme, level of assurance, scope and potentially extension or security profiles.

Certificates are valid for a limited time that can be extended through a re-assessment of the solution.

Get Involved!

There are many opportunities to get involved early, in particular during the development of the schemes, by applying to be part of Ad Hoc Working Groups or by reading and reacting to the drafts published by ENISA. Contribution to standardisation efforts is also key. Take part in the discussion and exchange with the community at the next Cybersecurity Certification Conference!
#EUCyberCertification

When schemes are enacted, further opportunities will emerge, and it will be the right time for CABs to prepare for accreditation and for everyone to prepare for certification!

Follow ENISA news and events to stay updated.

European Cybersecurity Certification Scheme on Common Criteria, EUCC

The EUCC scheme, dedicated to certifying ICT products such as hardware and software products and components, is published!

The European Commission adopted the implementing regulation concerning the EU cybersecurity certification scheme on Common Criteria (EUCC).

Voluntary in nature, the new EUCC scheme allows ICT suppliers who wish to showcase proof of assurance to go through a commonly understood EU assessment process to certify ICT products such as technological components (chips, smartcards), hardware and software.

The scheme is based on the time-proven SOG-IS Common Criteria evaluation framework already used across 17 EU Member States. It proposes two levels of assurance based on the level of risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident.

Documentation

Union Rolling Work Programme (URWP)

The Union Rolling Work Programme, published by the European Commission on February 7, 2024, sets out ENISA's work programme for the EU cybersecurity certification framework. It indicates priority topics and foresees requests for candidate certification schemes on which the European Cybersecurity Agency would be invited to work.

Implementing Act for the Common Criteria-based cybersecurity certification scheme (EUCC)

The Commission published on October 3, 2023 the draft Implementing Act on EUCC and its annexes for public consultation. After the public consultation ended on October 31, 2023, the Commission published the final reworked Implementing Act (EUCC Implementing Act) on January 31, 2024.

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union and shall apply from 12 months after entry into force.

Chapter IV and Annex V shall apply from the date of the entry into force of this Regulation.

State-of-the-Art documents for the Common Criteria-based cybersecurity certification scheme (EUCC)

To support the Implementing Act on the European Cybersecurity Certification Scheme on Common Criteria (EUCC), ENISA is publishing the related state-of-the-art documents listed in its Annex I to clarify the understanding of requirements on specific scopes of assessment. As defined in the Implementing Act, a ‘state-of-the-art document’ is a document which specifies evaluation methods, techniques and tools that apply to the certification of ICT products, or security requirements of a generic ICT product category, in order to harmonise evaluation in technical domains or of protection profiles.

This documentation has been discussed with the members of the ECCG, the group gathering the EU representatives of the National Cybersecurity Certification Authorities. Some of the following documents are updated versions of the SOG-IS Supporting Documents; in that case the document refers to the corresponding SOG-IS one.

These documents are currently subject to the committee procedure and a final vote by the European Cybersecurity Certification Committee, and they may be revised in the future at the discretion of the EUCC scheme owners.

State-of-the-art documents related to the harmonised accreditation of conformity assessment bodies:

State-of-the-art documents related to the Technical Domain Smart cards and similar devices:

State-of-the-art documents related to the Technical Domain Hardware devices with security boxes:

Register of State-of-the-Art documents defining protection profiles: