Skip to main content
Logo
English

Peer Reviews

Peer reviews are a key tool used between NCCAs within the European Union to evaluate each other in order to ensure they all maintain high standards and operate in a consistent way within the European cybersecurity certification framework.

The concept of Peer Reviews

The peer review mechanism, as established under Article 59 of the Cybersecurity Act, requires mandatory peer reviews between all NCCAs (national cybersecurity certification authorities) across the EU. The main goal is to make sure that all EU Member States follow equivalent and reliable procedures when it comes to EU cybersecurity certification of ICT products, ICT services and ICT processes and managed security services. This helps create trust and promotes mutual recognition and the overall acceptance of European cybersecurity certificates and EU statements of conformity, no matter which EU country they come from.

Peer reviews check if the NCCAs: separate certification activities from supervisory responsibilities, so that assessments are independent; properly supervise and monitor the compliance of ICT products, ICT services and ICT processes and managed security services with European cybersecurity certificates; efficiently monitor and enforce the obligations of manufacturers or providers that claim their ICT products, ICT services or ICT processes are secure; monitor, authorise and supervise the activities of the conformity assessment bodies.

Pilot Peer review
Presentation of the pilot peer review

Peer reviews will be formally launched in 2026. The European Commission set out the plan for peer reviews in a Commission Implementing Regulation, formally adopted a few months after the pilot peer review (see below). 

The pilot peer review took place in May 2025, with the DE NCCA having volunteered to be peer reviewed. The Pilot Peer Review Team consisted of the NCCAs of BE, CY and EE, as well as the European Commission, with the IT NCCA and ENISA participating as observers.

The pilot peer review demonstrated the implementation of Article 59 CSA framework in practice, allowing the peer review team to exchange on all topics under Article 59 with the peer reviewed NCCA, while leading to interesting findings and follow-up actions. These findings will be used by the Commission and ENISA in order to ensure future peer reviews are organised and carried out in the best possible efficient way.   

Read the peer review pilot summary report.

Implementing Act for Peer Reviews

The Implementing Regulation on peer reviews was adopted and subsequently published in the Official Journal of the European Union on the 12th of December. 

Full text available here 

Complementing the provisions of Article 59 of the Cybersecurity Act (CSA), the Implementing Regulation sets out the planning and implementation details of the peer review mechanism for NCCAs, including the composition of the peer review team, the methodology to be used in peer review, the schedule and the frequency and other tasks related to it.

Presentation of the planning

According to the planned five-year peer review schedule, six peer reviews will be conducted annually, covering six Member States (NCCAs) each year from 2026 to 2030, and every five years thereafter. In total, thirty peer reviews will take place over this period, encompassing all 27 Member States as well as 3 EEA/EFTA members. 

A rotation system ensures that each authority is reviewed at least once within the five-year period, while all NCCAs need to participate as peer-reviewers of at least two NCCAs during the five-year period. 

ENISA is responsible for publishing the schedule of the peer reviews, including both the peer-reviewed NCCAs per each year, as well as their corresponding peer-reviewer NCCAs (see table below). 

Five-year peer review schedule

As set out in Annex I of the Implementing Regulation on peer reviews, this is the schedule of NCCAs that are subject to peer review:

  1. 2026

    Sweden, Belgium, Slovakia, Germany, Malta, Czechia

  2. 2027

    Hungary, Greece, Estonia, Slovenia, Netherlands, Italy

  3. 2028

    Croatia, Denmark, Lithuania, Spain, Bulgaria, Ireland

  4. 2029

    Finland, Austria, Romania, Luxembourg, Latvia, Poland

  5. 2030

    Cyprus, France, Portugal, Lichtenstein, Norway, Iceland 

Planning of Peer Reviews for 2026

According to the schedule set out in Annex I of the Implementing Regulation on peer reviews, the NCCAs of the following six Member States shall be peer-reviewed by 31 December 2026:

Sweden, Belgium, Slovakia, Germany, Malta, and Czechia. 

Following coordination among the concerned NCCAs, ENISA, and the Commission within the framework of the ECCG Subgroup on Peer Reviews, the peer review plan for 2026 is being progressively developed. The table below outlines the planning for the peer reviews of NCCAs scheduled for 2026, insofar as the necessary information is currently available. Any missing information will be completed gradually as it becomes available. The schedule may be subject to adjustments in response to operational or organisational needs.

Peer review IDPeer-reviewed NCCAMember StatePeer review date/ windowPeer-reviewer NCCAsObservers Status
PR-2026-1NCCA-SK (NBU)Slovakia17-18 March 2026 

NCCA-BE   

NCCA-PL

NCCA-MT

NCCA-HR

Confirmed 
PR-2026-2NCCA-DE (BSI)Germany4–8 May 2026

NCCA-MT

NCCA-ES 

TBD

Planned/ Confirmed

 

PR-2026-3NCCA- MT (MDIA)Malta22–26 June 2026 (TBC)  

Planned

 

PR-2026-4NCCA- BE (CCB)Belgium7–11 September 2026 (TBC)  

Planned

 

PR-2026-5NCCA- CZ (NÚKIB)Czechia5–9 October 2026 (TBC)  

Planned

 

PR-2026-6NCCA- SE (FMV)Sweden7-11 December 2026 (TBC)  

Planned