Cybersecurity Standards and Certification

Since its creation, ENISA has been active in the field of standardisation by cooperating with European and international Standards Developing Organisations (ESOs and SDOs), being ETSI, CEN, CENELEC, and stakeholders’ communities alike in the area of NIS standardisation. Pursuant to Regulation (EU) 526/2013, ENISA further contributed to the research and development of EU standards for risk management and for the security of electronic products, systems, networks and services.
The Regulation (EU) 2019/881 (Cybersecurity Act), establishes a European cybersecurity certification framework for ICT products, services and processes. ENISA participates in this new framework, by preparing candidate certification schemes on the request of the European Commission or the European Cybersecurity Coordination Group (representation of Member States).

Standardisation is playing an important role in the framework, as the Act states the following:

  • There is a need for closer international cooperation to improve cybersecurity standards, including the need for definitions of common norms of behaviour, the adoption of codes of conduct, the use of international standards, and information sharing, promoting swifter international collaboration in response to network and information security issues and promoting a common global approach to such issues.
  • The European cybersecurity certification schemes should be non-discriminatory and based on European or international standards, unless those standards are ineffective or inappropriate to fulfil the Union’s legitimate objectives in that regard.
  • The certificate or the EU statement of conformity shall refer to technical specifications, standards and procedures related thereto
  • A European cybersecurity certification scheme shall include at least the following elements:
    • [..] references to the international, European or national standards applied in the evaluation or, where such standards are not available or appropriate, to technical specifications that meet the requirements

A general concept for the role of standards in the evaluation and certification process is presented in the figure below.


We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information