Cybersecurity Certification

Work in Progress

Three schemes are under development at different stages.

ENISA, the European Commission supported by working groups (Ad-Hoc Working groups) representing the ecosystem and Member State competent authorities are working together to establish the first schemes.

EUCC

The European Cybersecurity Certification Scheme on Common Criteria, the first scheme, targets ICT products such as hardware and software products and components. ENISA with the support of an Ad-Hoc Working Group and Member States developed the candidate scheme which received a positive opinion from the Member States represented at the ECCG (The European Cybersecurity Certification Group). The scheme was passed to the European Commission to be transformed into an Implementing Act. Once done, the certification scheme enters into force.

EUCS

The European Certification Scheme for Cloud Services was drafted with the support of an Ad-Hoc Working group and the support of Member States. The text should now enter the process of the ECCG opinion.

EU5G

The European Cybersecurity Certification Scheme for 5G is developed in two phases. During a first phase which ended in Autumn 2022, ENISA, the experts gathered under an Ad-Hoc Working Group with the EU Commission and Member States analysed the existing industrial evaluations and certifications schemes and their necessary updates to comply with the Cybersecurity Act. A first draft scheme should be available for public consultation around mid-2023.

Who is Concerned

Product Vendors & Service Providers

EU cybersecurity certification will bring new EU wide market opportunities by simplifying efforts in demonstrating cybersecurity compliance. Certified solutions will be able to stand out on the market and the work done behind will support the development of internal expertise. For those already certified with existing schemes, ENISA and Member States will provide guidance to smoothen the transition process and compare requirements from existing schemes to the EU ones to facilitate transition.

National Cybersecurity Certification Authorities (NCCAs)

As required by the Cybersecurity Act, each Member States have designated a NCCA that will be in charge of supervising, certifying and monitoring EU cybersecurity certification at national level and to exchange at EU level.

Conformity Assessment Bodies (CABs)

EU cybersecurity certification schemes are developed by ENISA with the support of experts from Member States and from the industry, including from the conformity assessment community.

These schemes are designed to meet the need of the Member States, the industry, and to match the requirements of European regulation, making them a valuable tool at the European level to promote the security of products and services. This new value represents a significant opportunity for the CABs who will be accredited to issue certificates or to perform evaluation activities (tests, audits) for these schemes.

Users of Certificates

EU Cybersecurity certificates are granted to Certified ICT products and services against EU Cybersecurity certification schemes. They demonstrate that the tested solutions are resistant to certain levels of attacks, set remediation processes while considering the latest state-of-the-art developments.

They are recognized across the Union and allow product vendors and service providers to showcase the compliance of their solution to a specific scheme, level of assurance, scope and potentially extension or security profiles.

Certificates are valid for a limited time that can be extended through a re-assessment of the solution.

What are cookies ?

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site.

First party cookies are cookies set by the website you're visiting. Only that website can read them. In addition, a website might potentially use external services, which also set their own cookies, known as third-party cookies.
Persistent cookies are cookies saved on your computer and that are not deleted automatically when you quit your browser, unlike a session cookie, which is deleted when you quit your browser.

Cookies can be used for various purposes, such as for "remembering" user preferences or to generate statistics. Some types of cookies are technically necessary for the functioning of the service (essential cookies).

How do we use cookies?

On this website we use first party cookies, which comprise of two categories:

Essential cookies, which are necessary for the technical functioning of the website. These cookies are always placed when you visit the website.
Analytics cookies, which support ENISA in generating anonymous website statistics. This is performed with the use of Matomo (https://matomo.org), an open source web analytics service. Matomo uses cookies to help analyse the use of the website and to compile reports about website activity. This information is not passed onto third parties.
Please note that the analytics cookies are not automatically stored in your computer when you visit our website and will only be placed if you provide your consent.

First time you visit the website, you will be prompted (via a banner) to accept allor accept only essential cookies.

If you accept all cookies, it is considered that you provide your consent for analytics cookies.

If you accept only essential cookies, a cookie will still be placed to prohibit any tracking for analytics purposes on our side.

What cookies do we use specifically?

The following cookies are used in the website:

Essential cookies:

accept_cookies (duration: 1 year) - set by the website to hide the cookie notice pop-up
cookiesession1 (duration: session) - set by ENISA WEB Application Firewall for security verification

Analytics cookies:

mtm_consent_removed (duration: forever) - set by Matomo analytics when opting-out from being tracked (choosing the "Accept only essential cookies" option) or wishes to remove his/her consent (opt-out)
_pk_* (duration: variable) - various Matomo analytics cookies set for users that allowed tracking; the full list of such cookies can be consulted on the Matomo website
accept_analytics (duration: 1 year) - set by the ENISA website to prevent the Matomo analytics from setting non-essential cookies

What type of information do we collect via the ENISA’s analytics cookies?

Cookies from Matomo enable ENISA to track the following information about visitors. We use this information to prepare aggregated, anonymous statistics reports of visitor activity:

IP address (masked)
Location: country, region, city, approximate latitude and longitude (Geolocation)
Date and time of the request (visit to the site)
Title of the page being viewed (Page Title)
URL of the page being viewed (Page URL)
URL of the page that was viewed prior to the current page (Referrer URL)
Screen resolution of user's device
Time in local visitor's time-zone
Links to an outside domain that were clicked (Outlink)
Pages generation time (the time it takes for webpages to be generated by the webserver and then downloaded by the visitor: Page speed)
Main language of the browser being used (Accept-Language header)
Browser version, browser plugins (PDF, Flash, Java, …) operating system version, device identifier (User-Agent header)

Note: Institution, city and country origin are determined from the full IP, then stored and aggregated before a mask is applied. Matomo uses an IP de-identification mechanism that automatically masks a portion of each visitor's IP, effectively making it impossible to identify a particular visitor via the sole IP address.

ENISA retains full control of the data collected through first-party cookies by storing the data in servers controlled by the Agency. Anonymised and aggregated data are stored for an indefinite period by ENISA for analysis purposes.

How can I opt out from the analytics cookies?

If you have initially consented to analytics cookies and now wish to withdraw your consent (opt-out), please untick the relevant box below. You can (re)activate the analytics cookies by ticking the box at any time.

Please note that in any case our cookies are not used to identify you personally.

Do not track preferences

Do not track is a function that allows visitors to opt out from being tracked by websites for any purpose including the use of analytics services, advertising networks and social platforms. Do not track options are available in a number of browsers including Firefox, Internet Explorer, Chrome, Safari, Opera.

On our website:

If you have enabled do not track in your web browser, we will respect your choice;
If you have enabled the do not track function, you will not be tracked. This is in addition to the approach of consent and opting out processes that we follow.

Social media cookies

ENISA is active on several social media platforms. Our presence in the Twitter, YouTube, LinkedIn, and Facebook communities strengthens our online presence and visibility.

The website does not set cookies with the display of links to our social media channels when you are browsing our website;
By clicking on the social media buttons on our website, you will be re-directed to the relevant sites, which have their own cookie and privacy policies over which we have no control.

EU Cybersecurity Certification

About

Work in Progress

Three schemes are under development at different stages.

EUCC

EUCS

EU5G

Who is Concerned

Product Vendors & Service Providers

National Cybersecurity Certification Authorities (NCCAs)

Conformity Assessment Bodies (CABs)

Users of Certificates

Get Involved!

News and Events

2023 Cybersecurity Certification Conference

Cybersecurity Standardisation Conference 2023

ENISA Cybersecurity Certification Conference 2022

Connect with ENISA