
About EU Cyber Certification

Why an EU Cybersecurity Certification

EU Cybersecurity Certification schemes are developed within the framework defined primarily in the Cybersecurity Act. 

Certification is currently voluntary and aims to empower the EU Digital Single Market; future schemes are also encouraged through other regulations. New regulations hint at it, and certification appears to be an adequate tool for providing evidence of compliance.

The continuously evolving context for, and of, certification will significantly impact various sectors of activity.

The regulatory framework around ICT products and services has evolved substantially in recent years in order to cover some key topics: security and trust, market regulation and harmonisation, and even resilience and sovereignty.

ENISA strives to tackle ICT hot topics in terms of cybersecurity with EU Cybersecurity Certification. The EU agency for cybersecurity is leading several projects in parallel:

European Cybersecurity Certification - All you need to know

Key EU Cyber Certification Actors

EU Cybersecurity Certifications will shake and shape the ICT ecosystem, bringing a harmonized vision and understanding of cybersecurity assessment across Europe. Key actors already participating in the development of the schemes will also be those who need to implement them.

  • Product Vendors & Service Providers

    EU cybersecurity certification will bring new EU-wide market opportunities by simplifying efforts in demonstrating cybersecurity compliance. Certified solutions will be able to stand out on the market, and the work behind them will support the development of internal expertise. For those already certified under existing schemes, ENISA and Member States will provide guidance to smooth the transition process and will compare requirements from existing schemes with the EU ones to facilitate the transition.

  • National Cybersecurity Certification Authorities (NCCAs)

    As required by the Cybersecurity Act, each Member State has designated an NCCA that will be in charge of supervising, certifying and monitoring EU cybersecurity certification at national level and of exchanging at EU level.

  • Conformity Assessment Bodies (CABs)

    EU cybersecurity certification schemes are developed by ENISA with the support of experts from Member States and from the industry, including from the conformity assessment community.

    These schemes are designed to meet the needs of the Member States and the industry, and to match the requirements of European regulation, making them a valuable tool at the European level to promote the security of products and services. This new value represents a significant opportunity for the CABs that will be accredited to issue certificates or to perform evaluation activities (tests, audits) for these schemes.

  • Users of Certificates

    EU Cybersecurity certificates are granted to certified ICT products and services against EU Cybersecurity certification schemes. They demonstrate that the tested solutions are resistant to certain levels of attack and set remediation processes, while considering the latest state-of-the-art developments.

    They are recognized across the Union and allow product vendors and service providers to showcase the compliance of their solution with a specific scheme, level of assurance, scope and, potentially, extension or security profiles.

    Certificates are valid for a limited time that can be extended through a re-assessment of the solution.

EU Cyber Certification - Key actors and their role

A Risk Based Approach

The EU certification framework foresees up to three levels of assurance in schemes to tackle different levels of risk associated with the intended use of the ICT solution.

However, a scheme does not have to address all three levels of assurance.

  • Level Basic

    Evaluation to minimise the known basic risks of incidents and cyberattacks.

  • Level Substantial

    Evaluation to minimise the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources.

  • Level High

    Evaluation to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources.

Publication of the first EU Cybersecurity Certification Scheme

How to start with Certification

The first EU Cybersecurity certification scheme, EUCC, is out. Published on February 27, 2023, it gives the ecosystem one year to get ready. While National Cybersecurity Certification Authorities will use this time to develop their certification strategy, Conformity Assessment Bodies will start the authorisation and, when necessary, notification process. For their part, manufacturers and developers can start planning resources and get familiar with the scheme in order to start the certification process.

ENISA will be providing support to the ecosystem to encourage the understanding and adoption of the EU Cybersecurity Certification Schemes by developing guidance documents and online content & material.

Information on how to become an EU Cyber Certification Conformity Assessment Body