Introduction to cybersecurity certification

Multiple European certification schemes are being developed under the Cybersecurity Act (CSA) in order to certify a wide range of products, services and processes in the field of cybersecurity. The CSA describes this EU cybersecurity certification framework. The certification framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures.

Each scheme has its own scope and its own set of certification requirements. On this page you will find a brief introduction to the schemes that are currently active or will come into effect in the near future. The page also details future certification scheme development plans.

Common Criteria certification

A specific certification scheme, the EUCC scheme, is being developed within Europe to enable Europe-wide certification based on Common Criteria. Common Criteria are a common set of specifications and guidelines designed to evaluate and certify software, hardware and firmware in the area of cybersecurity.

Cloud certification

The 'European Union Cybersecurity Certification Scheme on Cloud Services' (EUCS) is one of the first schemes to be developed under the CSA. This scheme enhances trust in cloud services by defining a reference set of security requirements. It is applicable to all kinds of cloud services: IaaS, PaaS, SaaS, and other cloud services including subservices.

5G certification

In order to secure 5G deployment in the European Union, the European Commission has asked ENISA to develop a certification scheme for 5G. The candidate EU 5G scheme addresses part of the 5G ecosystem that was selected by the member states.

Certification scheme development plans

The certification scheme development plans are laid out in the Union Rolling Work Programme (URWP). The URWP is a strategic document under the Cybersecurity Act (CSA) that allows the industry, national authorities and standardisation bodies to prepare for future European cybersecurity certification schemes.

The drafting of the URWP is a joint effort between the European Commission (EC), the European Cybersecurity Certification Group (ECCG) and the Stakeholder Cybersecurity Certification Group (SCCG). The European Commission determines and prioritises the development of the CSA certification schemes for ICT products, services and processes. With the support of the member states in the European Cybersecurity Certification Group and the Stakeholder Group, these priorities are discussed and added to the URWP. The URWP is updated every three years, if not more often.

In justified cases, the CSA authorises the European Commission to decide on the development of certification schemes outside the URWP priorities.

Table with URWP’s priorities for European schemes and their current status

| Certification | Type | Operational from (indication) | Current status (see reference below table) |
| --- | --- | --- | --- |
| Common Criteria (EUCC) | Hardware products, product-related software | Q1 2023 | 5 |
| Cloud Services (EUCS) | Services in the whole stack | Q3 2023 | 2 |
| 5G (EU5G) | Components, component-related services, secure development | Phase 1: Q1 - Q2 2023 | 2 |
| Industrial Automated Control Systems | Expected: products, product-related services | No indication yet | Development not started |
| IoT | Expected: products, product-related services | No indication yet | Development not started |
| Artificial Intelligence | Scope to be discussed | No indication yet | Development not started |
| Secure (Software) Development | Scope to be discussed | No indication yet | May be part of other schemes |

Table last updated on 10-2-2022

Scheme Development Process (current status reference)

The development of schemes follows a specific process that includes the following milestones:

  1. The European Commission asks ENISA to develop a scheme.
  2. ENISA makes a public call for experts in the field and scope of the scheme and asks member states to join the development in the role of observer.
  3. ENISA delivers a final draft to the European Commission.
  4. The ECCG advises the European Commission on the final draft of the scheme.
  5. The European Commission transforms the final draft into an Implementing Act and follows the formal EU legislative procedures.
  6. The European Commission publishes the Implementing Act and the scheme enters into force.