EU Certification Cornerstone: The Cybersecurity Act
Regulation (EU) 2019/881, known as the EU Cybersecurity Act, gives ENISA a permanent mandate as the EU Agency for Cybersecurity and defines the EU cybersecurity certification framework. The framework identifies the stakeholders at national and European level, sets the rules for establishing and operating certification schemes, and provides tools for harmonisation across the EU through peer reviews and assessments.
On the topic of EU cybersecurity certification specifically, the work of ENISA and the European Commission is set out in the Union Rolling Work Programme (URWP), a working document that states the priorities for scheme development.
Certification: a voluntary tool that supports regulatory requirements
Certification under the EU Cybersecurity Act is voluntary, but it is commonly made a requirement for critical products (e.g., passports with biometric authentication support). In addition, these certificates can provide a presumption of conformity with regulatory requirements, or lead to the issuance of a label. Finally, some schemes will establish mutual recognition agreements that extend the recognition of certificates beyond the Union.
New and upcoming EU regulations
Beyond the Cybersecurity Act, there are many regulatory initiatives related to cybersecurity, in particular the NIS2 Directive (on measures for a high common level of cybersecurity across the Union), which focuses on critical infrastructure and essential services; the Cyber Resilience Act (CRA), which adds cybersecurity requirements to the criteria for obtaining a CE marking on products with digital elements; and the Artificial Intelligence Act. These regulations all refer to EU cybersecurity certification schemes as a means of demonstrating compliance with their requirements.