Learn more about EU Cybersecurity Certification

Episode 1 - EU Cybersecurity Certification - What's in for CABS

Cybersecurity certification schemes create a European market for new and experienced Conformity Assessment Bodies (CABs). They will be able to offer cybersecurity certificates that are recognised across the European Union and related assessment tools and services. On this page you can find the most frequently asked questions on this topic.

Download the full ENISA Infographic - Certification and CABs

Episode 2 - EU Cybersecurity Certification: What you should know about it

Understand the work Behind ENISA mission in the area of the EU cybersecurity certification framework:  What does “To proactively contribute to the emerging EU framework for the ICT certification of products and services and carry out the drawing up of candidate certification schemes in line with the Cybersecurity Act, and additional services and tasks” mean?

Download the full ENISA infographic - Certification landscape

What are EU cybersecurity certification schemes?

An EU cybersecurity certification scheme is a comprehensive set of rules, technical cybersecurity requirements, standards and evaluation procedures, defined at the EU level and applying to the certification of specific ICT products, services or processes. An EU cybersecurity certificate attests that an ICT product, process or service has been certified in accordance with such a scheme and that it complies with the specified cybersecurity requirements and rules.   Certification is performed by a Conformity Assessment Body (CAB), which can audit and/or test and/or certify. All certificates will be published by ENISA on a dedicated website.

Depending on the cybersecurity risk associated with the intended use of the ICT solution to be certified, a different cybersecurity level can be chosen. Each EU scheme indicates if the certification is possible for an assurance level ‘basic’, ‘substantial’ or ‘high’.

How are EU cybersecurity certification schemes developed?

The EU Agency for cybersecurity (ENISA) develops draft certification schemes, upon request of the European Commission or the EU Member States.  To do so, the Agency is supported by a group of experts (“Ad-Hoc Working Group”) and collaborates closely with the European Commission, EU countries, and relevant stakeholders.  For more information about this process, see the graphic on the Cybersecurity Certification Framework.

How can EU cybersecurity certification schemes be used in practice?

To issue certificates: Each Member State can choose to issue EU cybersecurity certifications. National Cybersecurity Certification Authorities (“NCCAs”) supervise and monitor the compliance with the scheme of the certificates issued by the CABs in its Member State.

 To be certified: certification is voluntary, unless otherwise specified by EU or Member State regulations. Providers that want their ICT solution to be certified can apply for a certificate via a CAB, according to the rules defined in the certification schemes.

To use certificates: users of ICT solutions may consider cybersecurity certificates as a demonstration that a specific solution meets defined security requirements.

What happens to national cybersecurity certification schemes covering the same area of an EU scheme?

Each EU cybersecurity certification scheme foresees a transition period after which relevant national schemes cease to have an effect.

In other words, certificates issued under these schemes are no longer valid. In order to ensure a smooth implementation, the transition from existing schemes into EU schemes is handled in close collaboration with all stakeholders, for example, guidance will be developed for CABs operating under national schemes. Therefore CABs should not stop their activities related to existing schemes!

Once a scheme is developed by ENISA, how does it become effective?

To be effective, a draft scheme has to become a piece of EU legislation called “Implementing Act. This Act has to be endorsed by all Member States. Once this Act is adopted, Member States have time to prepare the operation of the scheme before issuing certificates.

Will the EU certificates be recognised in all European countries?

Yes. EU certificates issued by authorised CABs located in the EU Member States are valid in all EU countries.

Will there be several EU cybersecurity schemes?

Yes. The European Union aims to develop a framework of cybersecurity certification schemes demonstrating that certified ICT solutions have the right level of cybersecurity protection for the European Digital Market.

In fact, effective and efficient cybersecurity certification allows for composing certificates, using different cybersecurity certificates as building blocks to certify single solutions and also (parts of) systems and specific technologies.

Currently, 3 cybersecurity certification schemes are under development:

One scheme, covering ICT products  and called “EUCC”, is almost ready. It is based on an existing international scheme called “Common Criteria”.

There is a second scheme covering cloud services (this is the “EUCS” scheme) and a third one on 5G networks (“EU5G”).

How can Conformity Assessment Bodies benefit from EU Cybersecurity Certification schemes?

The European Union is preparing cybersecurity certification schemes to harmonise both the security requirements for ICT solutions and the way to assess them.

These schemes represent a business opportunity for Conformity Assessment Bodies (CABs), as they will be able to offer a range of different certifications in the cybersecurity domain.

In addition, CABs will be able to develop and offer new combined assessment tools and new professional services related to the new schemes.

Can any Conformity Assessment Body (CAB) work with EU certification schemes?

CABs can work in EU certification schemes in 2 different ways:  as evaluators (by auditing/testing) and/or as certifiers.

They need to meet certain requirements before becoming eligible to perform such activities:

• In order to evaluate and certify in accordance with EU certification schemes, CABs will have to be accredited by their National Accreditation Body.
• Once accredited for a European cybersecurity certification scheme, the National Cybersecurity Certification Authority (NCCA) needs to notify the Commission of their accreditation.
• If a CAB wants to become eligible to certify an ICT solution under the assurance level “high”, it may need to meet additional requirements. The procedure to meet these requirements is performed by the NCCA and is called “authorisation”. This “authorisation” needs to be notified as well to the Commission.

To learn more about these procedures, CABs are invited to contact their NCCA.

How can CABs (and other interested stakeholders) contribute to the development of EU certification schemes?

It is of great importance that all relevant stakeholders have an opportunity to provide their input and contribute to the development and implementation of EU cybersecurity certification schemes:

• When developing EU cybersecurity schemes, ENISA works with a community of different cybersecurity stakeholders. For example, interested parties can become part of the “Ad-Hoc Working group” of experts that supports the Agency in the development of a certain scheme.

• Also, stakeholders may be invited to participate in pilots or “proofs of concept” to test some or more elements of an EU scheme (e.g. feasibility, possible procedures or processes or evaluation methods) before its implementation.
• When a scheme is in an advanced stage of development, there can also be public consultations, e.g. on draft schemes.

Once in place, a scheme needs to be updated and aligned according to the changes in the cybersecurity environment. Processes, procedures and evaluation methods need to be maintained, evaluated and reviewed. ENISA invites stakeholders to participate in the continuous improvement cycles of the schemes.

To be always updated on the latest news about this topic, you can follow our dedicated Topic - Cybersecurity Certification