Product Security and Certification

EU cybersecurity certification provides evidence of compliance at a given level of trust. Various legislative tools refer to EU cybersecurity certification schemes as a means of demonstrating compliance with their requirements.

ENISA is entrusted with developing and maintaining cybersecurity certification schemes. This task is provided for by the Cybersecurity Act (EU 881/2019). 

To deliver on this provision of the mandate, ENISA works closely with the Member States, the Commission and the broader certification ecosystem (industry, experts, standardisation bodies, etc.), whose contribution is paramount to the successful delivery of the schemes.

While it remains voluntary, cybersecurity certification plays a key role in the harmonisation and resilience of the Common Market. 

Because of the wide range of information and communication technology (ICT) products and services on the market, different scopes and requirements need to be identified according to the applicable scheme. Each scheme will provide for three assurance levels that can be assigned: basic, substantial and high, each level being based on the requirements of the solution to be certified.

Once adopted by Member States, the EU Certification schemes can lead to:

  • The creation of labels (e.g. under the European Cybersecurity Scheme on Common Criteria - EUCC);

  • Mutual recognition agreements with authorities outside the Common Market; 

  • The ability of specific products to demonstrate presumption of conformity with regulatory requirements.

Cyber Resilience Act

The purpose of the Cyber Resilience Act (CRA) is to ensure that internet-connected hardware and software products will remain secure throughout their lifecycle in order to foster trust by consumers and businesses. The regulation provides for products with digital elements (PDEs) to meet a high level of cybersecurity requirements and also mandates the transparency of their security properties.

With the entry into force of the CRA on 10 December 2024, PDEs will have to be compliant before being placed on the Common Market. The main obligations introduced by the CRA will apply from 11 December 2027, to give manufacturers time to align with the new regulation. Manufacturers will be required to carry out a self-assessment of conformity. However, for important and critical products, a third-party conformity assessment will be necessary. PDEs can be presumed to conform with the essential requirements if they comply with harmonised technical standards.

To achieve those goals, the EU Commission and EU standards bodies work together to identify technical cybersecurity standards. To this end, ENISA issued a report in April 2024 which maps existing standards against the CRA requirements. 

The ENISA report supports standardisation in the following ways: 

1. Current cybersecurity standards are aggregated corresponding to each requirement.

2. The level of coverage is assessed against the intended scope of each requirement.

3. Possible gaps are highlighted.

Manufacturers will need to comply with the harmonised standards into which the cybersecurity requirements will be translated.

The adoption of cybersecurity certification schemes therefore complements other regulatory tools such as the CRA. 

By blending voluntary and mandatory measures, the EU aims to uphold digital security in a structured and cohesive manner across the Union. Certification schemes developed by ENISA operate in conjunction and complementarity with regulations, making digital products safer for consumers.

By certifying their products to a commonly agreed degree of trust, stakeholders ensure regulatory compliance while also upholding European resilience to cyber threats.