The concept of Peer Reviews
The peer review mechanism, as established under Article 59 of the Cybersecurity Act, requires mandatory peer reviews between all NCCAs (national cybersecurity certification authorities) across the EU. The main goal is to make sure that all EU Member States follow equivalent and reliable procedures when it comes to EU cybersecurity certification of ICT products, ICT services and ICT processes. This helps create trust and promotes mutual recognition and the overall acceptance of European cybersecurity certificates and EU statements of conformity, no matter which EU country they come from.
Peer reviews check whether the NCCAs: separate certification activities from supervisory responsibilities, so that assessments are independent; properly supervise and monitor the compliance of ICT products, ICT services, ICT processes and managed security services with European cybersecurity certificates; efficiently monitor and enforce the obligations of manufacturers or providers that claim their ICT products, ICT services or ICT processes are secure; and monitor, authorise and supervise the activities of the conformity assessment bodies.

Peer reviews will be formally launched in 2026. The European Commission establishes the plan for peer reviews via a Commission Implementing Regulation, which is currently under adoption.
A pilot peer review took place in May 2025, with the DE NCCA having volunteered to be peer reviewed. The Pilot Peer Review Team consisted of the NCCAs of BE, CY and EE, as well as the European Commission, with the IT NCCA and ENISA participating as observers.
The pilot peer review demonstrated the implementation of the Article 59 CSA framework in practice, allowing the peer review team to exchange views on all topics under Article 59 with the peer-reviewed NCCA, while leading to interesting findings and follow-up actions. The Commission and ENISA will use these findings to ensure that future peer reviews are organised and carried out as efficiently as possible.
Read the peer review pilot summary report.
Presentation of the planning
According to the planned five-year peer review schedule, six peer reviews will be conducted annually, covering six Member States (NCCAs) each year from 2026 to 2030, and every five years thereafter. In total, thirty peer reviews will take place over this period, encompassing all 27 Member States as well as 3 EEA/EFTA members.
That way, each authority is reviewed at least once within the five-year period. A rotation system ensures that all NCCAs participate as peer reviewers of at least two NCCAs during the five-year period.
ENISA is responsible for publishing the schedule of the peer reviews, including both the peer-reviewed NCCAs for each year and their corresponding peer-reviewer NCCAs.
This information will be available on the website once officially confirmed.