The EU Cybersecurity Act strengthens ENISA and establishes certification schemes for products. Learn more about the European framework.
ENISA, the EU agency for cybersecurity
Under the Cybersecurity Act, ENISA has been given an expanded mandate, providing it with additional resources and new tasks. ENISA's main responsibilities are:
- Developing and maintaining the European cybersecurity certification framework: ENISA prepares the technical framework for specific certification schemes.
- Public outreach: ENISA informs the public about certification schemes and issued certificates via a dedicated website.
- Support in handling cyber incidents: ENISA promotes cooperation at EU level and supports Member States in managing cyber incidents, coordinating the response to large-scale cross-border cyberattacks and crises.
Framework for cybersecurity certifications
The framework for cybersecurity certification standardizes cybersecurity practices across the EU by setting security standards for ICT products, services and processes to ensure a common level of protection. The framework divides certification into three assurance levels and outlines ENISA's role as well as the mechanisms for market compliance. It also emphasizes stakeholder engagement, aligns with international standards and can be adapted to the evolving cybersecurity landscape.
European framework for cybersecurity certifications
The EU's cybersecurity certification framework aims to build trust and security around products, services and processes in the field of information and communication technology (ICT). This is achieved by developing certification schemes that assess the level of security and conformity of ICT products, services and processes.
Certification schemes
A certification scheme under the Cybersecurity Act is a comprehensive framework intended to ensure the cybersecurity of ICT products, services and processes. Each scheme typically includes:
- Governing scope and applicability: Information on which types of ICT products, services and processes are covered.
- Purpose of the scheme: How the selected standards, assessment criteria and security levels meet user needs.
- References to standards: International, European or national standards used for the assessment.
- Security levels: Defined assurance levels ("basic", "substantial", "high") based on risk.
- Conformity assessment: The specific assessment criteria and methods used to verify the requirements.
- Conditions of use: Conditions for issuing, maintaining and renewing certificates.
- Monitoring: Rules for monitoring conformity as well as handling non-conformities and newly identified vulnerabilities.
By defining these elements, a certification scheme under the CSA provides a structured and reliable approach to certifying the cybersecurity of ICT products, services and processes, thereby strengthening trust and security in the digital market.
Development of certification schemes
The development of certification schemes takes place in several steps:
- Request by the EU Commission or Member States: ENISA develops draft certification schemes at the request of the EU Commission or Member States.
- Expert support: ENISA works closely with experts, ad hoc working groups (AHWGs) and relevant stakeholders to prepare the schemes.
- Public consultation: Draft schemes are released for public consultation.
- Adoption by the EU: After revision and final coordination, the scheme is adopted as an EU legal act (Implementing Act).
- Implementation by Member States: After adoption, Member States have time to take the necessary measures to implement the scheme.
Further information on the development of new certification schemes is available here: https://www.enisa.europa.eu/topics/certification/from-candidate-to-certification-scheme
Existing and future schemes
Several certification schemes have been developed or are under development under the Cybersecurity Act, each addressing different aspects of cybersecurity.
EUCC
The EUCC (European Cybersecurity Certification Scheme on Common Criteria) is intended for the certification of ICT products such as hardware, software and components.
On 31 January 2024, the European Commission published the implementing act introducing the scheme. ENISA provides the supporting documents listed in Annex 1 of the implementing act. The scheme is based on the well-established international evaluation framework SOG-IS Common Criteria, which is already applied in 17 EU Member States.
More information about the scheme is available here: https://certification.enisa.europa.eu/certification-library/eucc-certification-scheme_en
EUCS
The EUCS (European Cybersecurity Certification Scheme for Cloud Services) aims to certify the cybersecurity of cloud services. The first draft was published on 22 December 2020. The draft is currently being reviewed in the ECCG consultation process. The draft was developed with the support of an ad hoc working group and the Member States and is intended to set uniform security standards for cloud services in the EU.
EU5G
The EU5G (European Cybersecurity Certification Scheme for 5G) is intended to certify the cybersecurity of 5G networks. It is being developed in two phases. The first phase concluded in autumn 2022. ENISA, experts and the European Commission analysed existing industry assessments and certification schemes. A first draft of the scheme was expected by the end of 2023. The scheme will focus on various use cases, including the provision and deployment of identified 5G network equipment, management of subscriber identities, remote provisioning of SIM cards, 5G authentication (including roaming) and subscriber access services.
AI
In the field of artificial intelligence, ENISA is examining whether and how AI systems could be subject to a cybersecurity certification. This work is preliminary, as the European Commission has not yet made an official request to develop a certification scheme for AI. The aim is to prepare for the possible integration of AI into the existing certification framework.
Managed security services
Managed security services, which are named as a critical sector in the NIS2 Directive and mentioned in the proposed Cyber Solidarity Act, are at the core of the prevention of and response to cybersecurity threats and incidents. The EU plans to amend the Cybersecurity Act to allow for the certification of such services by ENISA. Preparatory work has already begun.