The Cybersecurity Act

The Cybersecurity Act (Regulation (EU) 2019/881) is a European regulation that introduces a harmonised, EU-wide framework for the cybersecurity certification of ICT products, services and processes.

The main objective of the Cybersecurity Act (CSA) is to improve protection against threats to cybersecurity within the EU. The CSA also enables manufacturers and service providers to use one mutually recognised certificate throughout the EU.

Over the years, many EU member states adopted their own national cybersecurity certification schemes. Divergence between the standards of different member states, and the lack of mutual recognition between them, risked disrupting the free flow of ICT products and services within the EU. A CSA certification scheme replaces the existing national schemes that cover the same products, services or processes, provided those national schemes are similar enough in scope.

The CSA requires every EU member state to identify at least one National Cybersecurity Certification Authority (NCCA). In the Netherlands, the role of NCCA is fulfilled by the Dutch Authority for Digital Infrastructure, which is part of the Ministry of Economic Affairs and Climate Policy.

This website was developed by the Dutch Authority for Digital Infrastructure to provide comprehensive information about cybersecurity certification to its stakeholders.

You might have already heard about EU cybersecurity certification. Let's now see the key actors and their roles, starting with the European Union Agency for Cybersecurity. ENISA develops certification schemes together with stakeholders, based on a risk management approach. Each scheme can propose up to three levels of assurance. Then the European Commission transforms the draft schemes into legal documents called implementing acts, which are supported by guidance documents. National Cybersecurity Certification Authorities are designated in each member state and have the responsibility to supervise the implementation of the schemes and to notify and authorise Conformity Assessment Bodies where applicable. National Cybersecurity Certification Authorities deliver certificates, but they are not the only ones participating in the certification process. Private Conformity Assessment Bodies, accredited by National Accreditation Bodies, certify for the basic and substantial assurance levels. National Cybersecurity Certification Authorities as well as National Accreditation Bodies are subject to peer evaluations, which allow for better harmonisation of EU schemes. With all these actors in place, certificates can be delivered to providers of compliant ICT solutions. As certified solutions might reveal vulnerabilities during their life cycle, ENISA is working hard on defining suitable conditions to ensure trust throughout the certificate lifetime. ENISA also makes sure that certification plays a significant role in future cybersecurity regulations. To stay updated or find more information about European cybersecurity certification, follow the European Union Agency for Cybersecurity online.

© ENISA - Creative Commons 4.0

Mandatory vs voluntary certification

CSA certification is voluntary unless other EU law or national law specifies otherwise. Several recent EU regulations and regulation proposals, such as the NIS2 directive, the Artificial Intelligence Act and the Cyber Resilience Act, empower the European Commission to define obligations for CSA certification under those regulations.

Mandatory certification can take different forms. Certification may become a condition for placing certain products or services on the EU market, or for their use in specific sectors. In other cases, a certificate may serve as a 'presumption of compliance' with the cybersecurity requirements of a specific regulation.

The CSA requires the European Commission to assess, no later than 31 December 2023, whether certification under any of the adopted schemes should be made compulsory.

CSA security levels Basic, Substantial and High

The CSA defines three distinct levels of security, known as assurance levels, on the basis of which products, services and processes can be certified: Basic, Substantial and High.

In essence, each CSA assurance level expresses how resistant a product, service or process must be to an attacker with a given level of skill and resources. Basic addresses the known basic risks of cyberattacks, Substantial addresses known cybersecurity risks and attackers with limited skills and resources, and High means protection against state-of-the-art attacks carried out by attackers with significant skills and resources.

The details of the CSA assurance levels will be worked out separately for every CSA certification scheme due to the need for a tailor-made security approach to products, services and processes.

Development of a CSA certification scheme

The EU Agency for Cybersecurity (ENISA) develops and maintains the CSA certification schemes. The member states are closely involved in this process and are represented in the European Cybersecurity Certification Group (ECCG). Formally, the ECCG's role is to advise and assist the European Commission on cybersecurity certification, but in practice a certification scheme will not be formalised without broad support from the member states.

The Stakeholder Cybersecurity Certification Group (SCCG) is a second advisory group, which advises the European Commission and ENISA. It consists of stakeholders from market-oriented organisations and European institutions.

ENISA hands each developed candidate scheme over to the European Commission, which adopts it as a European scheme by means of an implementing act. Once a scheme has been adopted and published, the requirements for the products, services and processes it covers are the same throughout the EU. The schemes are then maintained by ENISA in cooperation with the member states, which come together in the ECCG. ENISA is also responsible for public communication about the certification schemes and the certificates issued under them, by means of a dedicated website.

CSA Union Rolling Work Programme

Member states and other stakeholders are consulted by the European Commission in order to define the priorities for the development of certification schemes. These priorities are set out in the Union Rolling Work Programme (URWP) for European cybersecurity certification. The URWP includes scheme plans for Common Criteria, cloud services, Internet of Things products, Industrial Automation and Control Systems (IACS), 5G, artificial intelligence, and the secure development of products and software.