Skip to main content

About EU Certification

EU Cybersecurity Certification

EU Cybersecurity Certification schemes are developed within the framework defined primarily in the Cybersecurity Act.

Nowadays voluntary, with the goal to empower the EU Digital Single Market, the future schemes are also encouraged through other regulations.

The continuously evolving context for, and of certifications will significantly impact various sectors of activity.

EU Cybersecurity Certifications will shake and shape the ICT ecosystem bringing a harmonized vision and understanding of cybersecurity assessment across Europe. The first concerned actors are:

Product Vendors & Service Providers

EU cybersecurity certification will bring new EU wide market opportunities by simplifying efforts in demonstrating cybersecurity compliance. Certified solutions will be able to stand out on the market and the work done behind will support the development of internal expertise. For those already certified with existing schemes, ENISA and Member States will provide guidance to smoothen the transition process and compare requirements from existing schemes to the EU ones to facilitate transition.

National Cybersecurity Certification Authorities (NCCAs)

As required by the Cybersecurity Act, each Member States have designated a NCCA that will be in charge of supervising, certifying and monitoring EU cybersecurity certification at national level and to exchange at EU level.

Conformity Assessment Bodies (CABs)

EU cybersecurity certification schemes are developed by ENISA with the support of experts from Member States and from the industry, including from the conformity assessment community.

These schemes are designed to meet the need of the Member States, the industry, and to match the requirements of European regulation, making them a valuable tool at the European level to promote the security of products and services. This new value represents a significant opportunity for the CABs who will be accredited to issue certificates or to perform evaluation activities (tests, audits) for these schemes.

Users of Certificates

EU Cybersecurity certificates are granted to Certified ICT products and services against EU Cybersecurity certification schemes. They demonstrate that the tested solutions are resistant to certain levels of attacks, set remediation processes while considering the latest state-of-the-art developments.

They are recognized across the Union and allow product vendors and service providers to showcase the compliance of their solution to a specific scheme, level of assurance, scope and potentially extension or security profiles.

Certificates are valid for a limited time that can be extended through a re-assessment of the solution.

EU Certification Framework

The EU certification framework foresees up to three level of assurance in schemes to tackle different levels of risk associated with the intended use of the ICT solution.

Level Basic
Level Basic

Evaluation to minimise the known basic risks of incidents and cyberattacks.

Level Substantial
Level Substantial

Evaluation to minimise the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources.

Level High
Level High

Evaluation to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources.

How to start with Certification Explanation

The first EU Cybersecurity certification scheme, EUCC is out. Published on February 27, 2023, it gives one year to the ecosystem to get ready. While National Cybersecurity Certification Authorities will use this time to develop their certification strategy, Conformity Assessment Bodies will start the authorization and when necessary, notification process. On their side manufacturers and developers  can start planning resources and get familiar to the scheme in order to start the certification process.

ENISA will be providing support to the ecosystem to encourage the understanding and adoption of the EU Cybersecurity Certification Schemes by developing guidance documents and online content & material.