EU Certification Cornerstone: The Cybersecurity Act
Regulation EU 2019/881, known as the EU Cybersecurity Act, established ENISA as a permanent EU Agency and defines the EU cybersecurity certification framework. The framework defines the stakeholders at the National and European level, rules for the establishment and operation of schemes, and tools for harmonisation across the EU through peer reviews and assessments.
Specifically on the topic of EU Cyber Certification, ENISA and the European Commission's work is detailed in the Union Rolling Work Programme (URWP), a work document stating the priorities in terms of scheme development.

Consolidated regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act). Published on 04/02/2025.

The Union Rolling Work Programme for European cybersecurity certification identifies strategic priorities for future European cybersecurity certification schemes.
The Commission Implementing Regulation setting out the planning and implementation details of NCCAs' peer reviews.
This Regulation establishes the circumstances, formats and procedures for notifications of conformity assessment bodies by national cybersecurity certification authorities (NCCAs) pursuant to the CSA.

Commission website presenting the proposal for CSA2.
This Commission Implementing Regulation lays down the rules regarding the certification of European Digital Identity Wallets.
Certification: a voluntary tool for regulatory requirements
Certification according to the EU Cybersecurity Act is voluntary, but it is commonly used as a requirement for critical products (e.g., passports with biometric authentication support). In addition, these certificates can bring a presumption of compliance with regulatory requirements, or lead to the issuance of a label. Finally, some schemes will establish mutual recognition agreements that will extend the recognition of certificates beyond the Union.
Other EU regulations
Beyond the Cybersecurity Act, there are many regulatory initiatives related to cybersecurity, in particular the Directive for a High Level of Cybersecurity across the Union (NIS2), focusing on critical infrastructure, the Cyber Resilience Act (CRA), which adds cybersecurity to the criteria for obtaining a CE marking, and the Artificial Intelligence Act. These regulations all refer to EU cybersecurity certification schemes as a means to demonstrate compliance with their requirements.



