
EU Regulatory Context

Legislation on ICT solutions has evolved substantially in recent years, covering topics such as security and trust, market harmonisation and resilience. How is certification becoming a tool for legal compliance while remaining voluntary?

EU Certification Cornerstone: The Cybersecurity Act

Regulation (EU) 2019/881, known as the EU Cybersecurity Act, established ENISA as a permanent EU agency and defines the EU cybersecurity certification framework. The framework defines the stakeholders at national and European level, the rules for establishing and operating schemes, and tools for harmonisation across the EU through peer reviews and assessments.

Specifically on the topic of EU cyber certification, the work of ENISA and the European Commission is detailed in the Union Rolling Work Programme (URWP), a working document that states the priorities for scheme development.

Certification: a voluntary tool for regulatory requirements

Certification under the EU Cybersecurity Act is voluntary, but it is commonly required for critical products (e.g., passports with biometric authentication support). In addition, such certificates can provide a presumption of compliance with regulatory requirements, or lead to the issuance of a label. Finally, some schemes will establish mutual recognition agreements that extend the recognition of certificates beyond the Union.

New and upcoming EU regulations

Beyond the Cybersecurity Act, there are many regulatory initiatives related to cybersecurity, in particular the Directive on measures for a high common level of cybersecurity across the Union (NIS2), which focuses on critical infrastructure; the Cyber Resilience Act (CRA), which adds cybersecurity to the criteria for obtaining a CE marking; and the Artificial Intelligence Act. These regulations all refer to EU cybersecurity certification schemes as a means of demonstrating compliance with their requirements.