EU Certification Cornerstone: The Cybersecurity Act
Regulation (EU) 2019/881, known as the EU Cybersecurity Act, established ENISA as a permanent EU Agency and defined the EU cybersecurity certification framework. The framework defines the stakeholders at the national and European levels, rules for the establishment and operation of schemes, and tools for harmonisation across the EU through peer reviews and assessments.
For EU cybersecurity certification specifically, the work of ENISA and the European Commission is detailed in the Union Rolling Work Programme (URWP), a working document that states the priorities for scheme development.

Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act).
This targeted amendment aims to enhance the EU’s cyber resilience by enabling the future adoption of European certification schemes for so-called ‘managed security services’. The new law recognises the increasing importance of managed security services in the prevention, detection, response, and...

The Union Rolling Work Programme for European cybersecurity certification identifies strategic priorities for future European cybersecurity certification schemes.
Certification: from a voluntary tool to regulatory requirements
Certification according to the EU Cybersecurity Act is voluntary, but it is commonly used as a requirement for critical products (e.g., passports with biometric authentication support). In addition, these certificates can bring a presumption of compliance with regulatory requirements, or lead to the issuance of a label. Finally, some schemes will establish mutual recognition agreements that will extend the recognition of certificates beyond the Union.
New and Upcoming EU regulations
Beyond the Cybersecurity Act, there are many regulatory initiatives related to cybersecurity, in particular the Directive for a High Level of Cybersecurity across the Union (NIS2), focusing on critical infrastructure; the Cyber Resilience Act (CRA), which adds cybersecurity to the criteria for obtaining a CE marking; and the Artificial Intelligence Act. These regulations all refer to EU cybersecurity certification schemes as a means to demonstrate compliance with their requirements.



