Multiple European certification schemes are being developed under the Cybersecurity Act (CSA) in order to certify a wide range of products, services and processes in the field of cybersecurity. The CSA describes this EU cybersecurity certification framework. The certification framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures.
Each scheme has its own scope and its own set of certification requirements. On this page you will find a brief introduction to the schemes that are currently active or will come into effect in the near future. The page also details future certification scheme development plans.
Common Criteria certification
A specific certification scheme, the EUCC scheme, is being developed to enable Europe-wide certification based on Common Criteria. Common Criteria are a common set of specifications and guidelines designed to evaluate and certify software, hardware and firmware in the area of cybersecurity.
Cloud certification
The 'European Union Cybersecurity Certification Scheme on Cloud Services' (EUCS) is one of the first schemes to be developed under the CSA. This scheme enhances trust in cloud services by defining a reference set of security requirements. It is applicable to all kinds of cloud services: IaaS, PaaS, SaaS, and other cloud services including subservices.
5G certification
In order to secure 5G deployment in the European Union, the European Commission has asked ENISA to develop a certification scheme for 5G. The candidate EU 5G scheme addresses part of the 5G ecosystem that was selected by the member states.
Certification scheme development plans
The certification scheme development plans are laid out in the Union Rolling Work Programme (URWP). The URWP is a strategic document under the Cybersecurity Act (CSA) that allows the industry, national authorities and standardisation bodies to prepare for future European cybersecurity certification schemes.
The drafting of the URWP is a joint effort between the European Commission (EC), the European Cybersecurity Certification Group (ECCG) and the Stakeholder Cybersecurity Certification Group (SCCG). The European Commission determines and prioritises the development of the CSA certification schemes for ICT products, services and processes. With the support of the member states in the European Cybersecurity Certification Group and the Stakeholder Group, these priorities are discussed and added to the URWP. The URWP is updated every three years, if not more often.
In justified cases, the CSA authorises the European Commission to decide on the development of certification schemes outside the URWP priorities.
Table with URWP’s priorities for European schemes and their current status
Certification | Type | Operational from (indication) | Current status (see reference below table) |
---|---|---|---|
Common Criteria (EUCC) | Hardware products, product-related software | Q1 2023 | 5 |
Cloud Services (EUCS) | Services in the whole stack | Q3 2023 | 2 |
5G (EU5G) | Components, component-related services, secure development | Phase 1: Q1 - Q2 2023 | 2 |
Industrial Automated Control Systems | Expected: products, product-related services | No indication yet | Development not started |
IoT | Expected: products, product-related services | No indication yet | Development not started |
Artificial Intelligence | Scope to be discussed | No indication yet | Development not started |
Secure (Software) Development | Scope to be discussed | No indication yet | May be part of other schemes |
Table last updated on 10-2-2022
Scheme Development Process (current status reference)
The development of schemes follows a specific process that includes the following milestones:
1. The European Commission asks ENISA to develop a scheme.
2. ENISA makes a public call for experts in the field and scope of the scheme and asks member states to join the development in the role of observer.
3. ENISA delivers a final draft to the European Commission.
4. The ECCG advises the European Commission on the final draft of the scheme.
5. The European Commission transforms the final draft into an Implementing Act and follows the formal EU legislative procedures.
6. The European Commission publishes the Implementing Act and the scheme enters into force.