The CSA certification scheme development plans are laid out in the Union Rolling Work programme (URWP). The URWP is a strategic document under the Cybersecurity Act (CSA) that allows the industry, national authorities and standardisation bodies to prepare in advance for future European cybersecurity certification schemes.
The drafting of the URWP is a joint effort between the European Commission (EC), the European Cybersecurity Certification Group (ECCG) and the Stakeholder Cybersecurity Certification Group (SCCG). The European Commission determines and prioritizes the development of the CSA certification schemes for IT products, services and processes. With the support of the Member States in the European Cybersecurity Certification Group and the Stakeholder Group, these priorities are discussed and included in the URWP. The URWP is updated at least every 3 years.
In duly justified cases the CSA authorizes the EC to decide on the development of certification schema outside the URWP priorities.
The table below shows the URWP priorities for European schemes and their current status.
Table with URWP's priorities for European schemes and their current status
|||Certification Type||Operational from (indication)||Current status (see reference below table)|
|Common Criteria (EUCC)||Hardware products, product-related software||Q3 2023||5|
|Cloud Services (EUCS)||Services in the whole stack||Q4 2023||2|
|5G (EU5G)||Components, component-related services, secure development||No indication yet||2|
|Industrial Automated Control Systems||Expected: products, product-related services||No indication yet||Development not started|
|IoT||Expected: products, Product-related services||No indication yet||Development not started|
|Artificial Intelligence||Scope to be discussed||No indication yet||Development not started|
|Secure (Software) Development||Scope to be discussed||No indication yet||May be part of other schemes|
Scheme Development Process (current status reference)
The development of schemes follows a distinctive process with the following main milestones:
- The European Commission assigns ENISA to develop a scheme.
- ENISA makes a public call for experts in the field and scope of the scheme and asks Member States to join the development in the role of observer.
- ENISA delivers a final draft to the EC.
- The ECCG advises the European Commission (EC) on the final draft of the scheme.
- The EC transforms the final draft in an Implementing Act and follows the formal EU legislative procedures.
- The EC publishes the Implementing Act, and the scheme is put into force.