This document is an excerpt from the EUR-Lex website
Document 02019R0881-20250204
Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance)
Consolidated text: Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance)
02019R0881 — EN — 04.02.2025 — 001.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document.
REGULATION (EU) 2019/881 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15)
Amended by:
| Amending act | Official Journal No | page | date |
| REGULATION (EU) 2025/37 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 19 December 2024 | L 37 | 1 | 15.1.2025 |
REGULATION (EU) 2019/881 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 17 April 2019
on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)
(Text with EEA relevance)
TITLE I
GENERAL PROVISIONS
Article 1
Subject matter and scope
With a view to ensuring the proper functioning of the internal market while aiming to achieve a high level of cybersecurity, cyber resilience and trust within the Union, this Regulation lays down:
(a) objectives, tasks and organisational matters relating to ENISA (the European Union Agency for Cybersecurity); and
(b) a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services, ICT processes, and managed security services in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.
The framework referred to in point (b) of the first subparagraph applies without prejudice to specific provisions in other Union legal acts regarding voluntary or mandatory certification.
Article 2
Definitions
For the purposes of this Regulation, the following definitions apply:
‘cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats;
‘network and information system’ means a network and information system as defined in point (1) of Article 4 of Directive (EU) 2016/1148;
‘national strategy on the security of network and information systems’ means a national strategy on the security of network and information systems as defined in point (3) of Article 4 of Directive (EU) 2016/1148;
‘operator of essential services’ means an operator of essential services as defined in point (4) of Article 4 of Directive (EU) 2016/1148;
‘digital service provider’ means a digital service provider as defined in point (6) of Article 4 of Directive (EU) 2016/1148;
‘incident’ means an incident as defined in point (7) of Article 4 of Directive (EU) 2016/1148;
‘incident handling’ means incident handling as defined in point (8) of Article 4 of Directive (EU) 2016/1148;
‘cyber threat’ means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;
‘European cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services, ICT processes or managed security services;
‘national cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures developed and adopted by a national public authority and that apply to the certification or conformity assessment of ICT products, ICT services, ICT processes or managed security services falling under the scope of the specific scheme;
‘European cybersecurity certificate’ means a document issued by a relevant body, attesting that a given ICT product, ICT service, ICT process or managed security service has been evaluated for compliance with specific security requirements laid down in a European cybersecurity certification scheme;
‘ICT product’ means an element or a group of elements of a network or information system;
‘ICT service’ means a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems;
‘ICT process’ means a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service;
‘managed security service’ means a service provided to a third party consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, such as incident handling, penetration testing, security audits and consulting, including expert advice, related to technical support;
‘accreditation’ means accreditation as defined in point (10) of Article 2 of Regulation (EC) No 765/2008;
‘national accreditation body’ means a national accreditation body as defined in point (11) of Article 2 of Regulation (EC) No 765/2008;
‘conformity assessment’ means a conformity assessment as defined in point (12) of Article 2 of Regulation (EC) No 765/2008;
‘conformity assessment body’ means a conformity assessment body as defined in point (13) of Article 2 of Regulation (EC) No 765/2008;
‘standard’ means a standard as defined in point (1) of Article 2 of Regulation (EU) No 1025/2012;
‘technical specification’ means a document that prescribes the technical requirements to be met by, or conformity assessment procedures relating to, an ICT product, ICT service, ICT process or managed security service;
‘assurance level’ means a basis for confidence that an ICT product, ICT service, ICT process or managed security service meets the security requirements of a specific European cybersecurity certification scheme, and indicates the level at which an ICT product, ICT service, ICT process or managed security service has been evaluated but as such does not measure the security of the ICT product, ICT service, ICT process or managed security service concerned;
‘conformity self-assessment’ means an action carried out by a manufacturer or provider of ICT products, ICT services, ICT processes or managed security services, which evaluates whether those ICT products, ICT services, ICT processes or managed security services meet the requirements of a specific European cybersecurity certification scheme.
TITLE II
ENISA (THE EUROPEAN UNION AGENCY FOR CYBERSECURITY)
CHAPTER I
Mandate and objectives
Article 3
Mandate
ENISA shall contribute to reducing the fragmentation of the internal market by carrying out the tasks assigned to it under this Regulation.
Article 4
Objectives
CHAPTER II
Tasks
Article 5
Development and implementation of Union policy and law
ENISA shall contribute to the development and implementation of Union policy and law, by:
assisting and advising on the development and review of Union policy and law in the field of cybersecurity and on sector-specific policy and law initiatives where matters related to cybersecurity are involved, in particular by providing its independent opinion and analysis as well as carrying out preparatory work;
assisting Member States to implement the Union policy and law regarding cybersecurity consistently, in particular in relation to Directive (EU) 2016/1148, including by means of issuing opinions, guidelines, providing advice and best practices on topics such as risk management, incident reporting and information sharing, as well as by facilitating the exchange of best practices between competent authorities in that regard;
assisting Member States and Union institutions, bodies, offices and agencies in developing and promoting cybersecurity policies related to sustaining the general availability or integrity of the public core of the open internet;
contributing to the work of the Cooperation Group pursuant to Article 11 of Directive (EU) 2016/1148, by providing its expertise and assistance;
supporting:
the development and implementation of Union policy in the field of electronic identity and trust services, in particular by providing advice and issuing technical guidelines, as well as by facilitating the exchange of best practices between competent authorities;
the promotion of an enhanced level of security of electronic communications, including by providing advice and expertise, as well as by facilitating the exchange of best practices between competent authorities;
Member States in the implementation of specific cybersecurity aspects of Union policy and law relating to data protection and privacy, including by providing advice to the European Data Protection Board upon request;
supporting the regular review of Union policy activities by preparing an annual report on the state of the implementation of the respective legal framework regarding:
information on Member States’ incident notifications provided by the single points of contact to the Cooperation Group pursuant to Article 10(3) of Directive (EU) 2016/1148;
summaries of notifications of breach of security or loss of integrity received from trust service providers provided by the supervisory bodies to ENISA, pursuant to Article 19(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council (1);
notifications of security incidents transmitted by the providers of public electronic communications networks or of publicly available electronic communications services, provided by the competent authorities to ENISA, pursuant to Article 40 of Directive (EU) 2018/1972.
Article 6
Capacity-building
ENISA shall assist:
Member States in their efforts to improve the prevention, detection and analysis of, and the capability to respond to cyber threats and incidents by providing them with knowledge and expertise;
Member States and Union institutions, bodies, offices and agencies in establishing and implementing vulnerability disclosure policies on a voluntary basis;
Union institutions, bodies, offices and agencies in their efforts to improve the prevention, detection and analysis of cyber threats and incidents and to improve their capabilities to respond to such cyber threats and incidents, in particular through appropriate support for the CERT-EU;
Member States in developing national CSIRTs, where requested pursuant to Article 9(5) of Directive (EU) 2016/1148;
Member States in developing national strategies on the security of network and information systems, where requested pursuant to Article 7(2) of Directive (EU) 2016/1148, and promote the dissemination of those strategies and note the progress in their implementation across the Union in order to promote best practices;
Union institutions in developing and reviewing Union strategies regarding cybersecurity, promoting their dissemination and tracking the progress in their implementation;
national and Union CSIRTs in raising the level of their capabilities, including by promoting dialogue and exchanges of information, with a view to ensuring that, with regard to the state of the art, each CSIRT possesses a common set of minimum capabilities and operates according to best practices;
Member States by regularly organising the cybersecurity exercises at Union level referred to in Article 7(5) on at least a biennial basis and by making policy recommendations based on the evaluation process of the exercises and lessons learned from them;
relevant public bodies by offering trainings regarding cybersecurity, where appropriate in cooperation with stakeholders;
the Cooperation Group, in the exchange of best practices, in particular with regard to the identification by Member States of operators of essential services, pursuant to point (l) of Article 11(3) of Directive (EU) 2016/1148, including in relation to cross-border dependencies, regarding risks and incidents.
Article 7
Operational cooperation at Union level
ENISA shall cooperate at the operational level and establish synergies with Union institutions, bodies, offices and agencies, including the CERT-EU, with the services dealing with cybercrime and with supervisory authorities dealing with the protection of privacy and personal data, with a view to addressing issues of common concern, including by means of:
the exchange of know-how and best practices;
the provision of advice and issuing of guidelines on relevant matters related to cybersecurity;
the establishment of practical arrangements for the execution of specific tasks, after consulting the Commission.
ENISA shall support Member States with respect to operational cooperation within the CSIRTs network by:
advising on how to improve their capabilities to prevent, detect and respond to incidents and, at the request of one or more Member States, providing advice in relation to a specific cyber threat;
assisting, at the request of one or more Member States, in the assessment of incidents having a significant or substantial impact through the provision of expertise and facilitating the technical handling of such incidents including in particular by supporting the voluntary sharing of relevant information and technical solutions between Member States;
analysing vulnerabilities and incidents on the basis of publicly available information or information provided voluntarily by Member States for that purpose; and
at the request of one or more Member States, providing support in relation to ex-post technical inquiries regarding incidents having a significant or substantial impact within the meaning of Directive (EU) 2016/1148.
In performing those tasks, ENISA and CERT-EU shall engage in structured cooperation to benefit from synergies and to avoid the duplication of activities.
Where appropriate, ENISA shall also contribute to and help organise sectoral cybersecurity exercises together with relevant organisations that also participate in cybersecurity exercises at Union level.
ENISA shall contribute to developing a cooperative response at Union and Member States level to large-scale cross-border incidents or crises related to cybersecurity, mainly by:
aggregating and analysing reports from national sources that are in the public domain or shared on a voluntary basis with a view to contributing to the establishment of common situational awareness;
ensuring the efficient flow of information and the provision of escalation mechanisms between the CSIRTs network and the technical and political decision-makers at Union level;
upon request, facilitating the technical handling of such incidents or crises, including, in particular, by supporting the voluntary sharing of technical solutions between Member States;
supporting Union institutions, bodies, offices and agencies and, at their request, Member States, in the public communication relating to such incidents or crises;
testing the cooperation plans for responding to such incidents or crises at Union level and, at their request, supporting Member States in testing such plans at national level.
Article 8
Market, cybersecurity certification, and standardisation
ENISA shall support and promote the development and implementation of Union policy on the cybersecurity certification of ICT products, ICT services, ICT processes and managed security services, as established in Title III of this Regulation, by:
monitoring developments, on an ongoing basis, in related areas of standardisation and recommending appropriate technical specifications for use in the development of European cybersecurity certification schemes pursuant to point (c) of Article 54(1) where standards are not available;
preparing candidate European cybersecurity certification schemes (candidate schemes) for ICT products, ICT services, ICT processes and managed security services in accordance with Article 49;
evaluating adopted European cybersecurity certification schemes in accordance with Article 49(8);
participating in peer reviews pursuant to Article 59(4);
assisting the Commission in providing the secretariat of the ECCG pursuant to Article 62(5).
Article 9
Knowledge and information
ENISA shall:
perform analyses of emerging technologies and provide topic-specific assessments on the expected societal, legal, economic and regulatory impact of technological innovations on cybersecurity;
perform long-term strategic analyses of cyber threats and incidents in order to identify emerging trends and help prevent incidents;
in cooperation with experts from Member States authorities and relevant stakeholders, provide advice, guidance and best practices for the security of network and information systems, in particular for the security of the infrastructures supporting the sectors listed in Annex II to Directive (EU) 2016/1148 and those used by the providers of the digital services listed in Annex III to that Directive;
through a dedicated portal, pool, organise and make available to the public information on cybersecurity provided by the Union institutions, bodies, offices and agencies and information on cybersecurity provided on a voluntary basis by Member States and private and public stakeholders;
collect and analyse publicly available information regarding significant incidents and compile reports with a view to providing guidance to citizens, organisations and businesses across the Union.
Article 10
Awareness-raising and education
ENISA shall:
raise public awareness of cybersecurity risks, and provide guidance on good practices for individual users aimed at citizens, organisations and businesses, including cyber-hygiene and cyber-literacy;
in cooperation with the Member States, Union institutions, bodies, offices and agencies and industry, organise regular outreach campaigns to increase cybersecurity and its visibility in the Union and encourage a broad public debate;
assist Member States in their efforts to raise cybersecurity awareness and promote cybersecurity education;
support closer coordination and exchange of best practices among Member States on cybersecurity awareness and education.
Article 11
Research and innovation
In relation to research and innovation, ENISA shall:
advise the Union institutions, bodies, offices and agencies and the Member States on research needs and priorities in the field of cybersecurity, with a view to enabling effective responses to current and emerging risks and cyber threats, including with respect to new and emerging information and communications technologies, and with a view to using risk-prevention technologies effectively;
where the Commission has conferred the relevant powers on it, participate in the implementation phase of research and innovation funding programmes or as a beneficiary;
contribute to the strategic research and innovation agenda at Union level in the field of cybersecurity.
Article 12
International cooperation
ENISA shall contribute to the Union’s efforts to cooperate with third countries and international organisations as well as within relevant international cooperation frameworks to promote international cooperation on issues related to cybersecurity, by:
where appropriate, engaging as an observer in the organisation of international exercises, and analysing and reporting to the Management Board on the outcome of such exercises;
at the request of the Commission, facilitating the exchange of best practices;
at the request of the Commission, providing it with expertise;
providing advice and support to the Commission on matters concerning agreements for the mutual recognition of cybersecurity certificates with third countries, in collaboration with the ECCG established under Article 62.
CHAPTER III
Organisation of ENISA
Article 13
Structure of ENISA
The administrative and management structure of ENISA shall be composed of the following:
a Management Board;
an Executive Board;
an Executive Director;
an ENISA Advisory Group;
a National Liaison Officers Network.
Article 14
Composition of the Management Board
Article 15
Functions of the Management Board
The Management Board shall:
establish the general direction of the operation of ENISA and ensure that ENISA operates in accordance with the rules and principles laid down in this Regulation; it shall also ensure the consistency of ENISA’s work with activities conducted by the Member States as well as at Union level;
adopt ENISA’s draft single programming document referred to in Article 24, before its submission to the Commission for an opinion;
adopt ENISA’s single programming document, taking into account the Commission opinion;
supervise the implementation of the multiannual and annual programming included in the single programming document;
adopt the annual budget of ENISA and exercise other functions in respect of ENISA’s budget in accordance with Chapter IV;
assess and adopt the consolidated annual report on ENISA’s activities, including the accounts and a description of how ENISA has met its performance indicators, submit both the annual report and the assessment thereof by 1 July of the following year, to the European Parliament, to the Council, to the Commission and to the Court of Auditors, and make the annual report public;
adopt the financial rules applicable to ENISA in accordance with Article 32;
adopt an anti-fraud strategy that is proportionate to the fraud risks, having regard to a cost-benefit analysis of the measures to be implemented;
adopt rules for the prevention and management of conflicts of interest in respect of its members;
ensure adequate follow-up to the findings and recommendations resulting from investigations of the European Anti-Fraud Office (OLAF) and the various internal or external audit reports and evaluations;
adopt its rules of procedure, including rules for provisional decisions on the delegation of specific tasks, pursuant to Article 19(7);
with respect to the staff of ENISA, exercise the powers conferred by the Staff Regulations of Officials (the ‘Staff Regulations of Officials’) and the Conditions of Employment of Other Servants of the European Union (the ‘Conditions of Employment of Other Servants’), laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (2) on the appointing authority and on the Authority Empowered to Conclude a Contract of Employment (‘appointing authority powers’) in accordance with paragraph 2 of this Article;
adopt rules implementing the Staff Regulations of Officials and the Conditions of Employment of Other Servants in accordance with the procedure provided for in Article 110 of the Staff Regulations of Officials;
appoint the Executive Director and where relevant extend his or her term of office or remove him or her from office in accordance with Article 36;
appoint an accounting officer, who may be the Commission’s accounting officer, who shall be wholly independent in the performance of his or her duties;
take all decisions concerning the establishment of ENISA’s internal structures and, where necessary, the modification of those internal structures, taking into consideration ENISA’s activity needs and having regard to sound budgetary management;
authorise the establishment of working arrangements with regard to Article 7;
authorise the establishment or conclusion of working arrangements in accordance with Article 42.
Article 16
Chairperson of the Management Board
The Management Board shall elect a Chairperson and a Deputy Chairperson from among its members, by a majority of two thirds of the members. Their terms of office shall be four years, which shall be renewable once. If, however, their membership of the Management Board ends at any time during their term of office, their term of office shall automatically expire on that date. The Deputy Chair shall replace the Chairperson ex officio if the Chairperson is unable to attend to his or her duties.
Article 17
Meetings of the Management Board
Article 18
Voting rules of the Management Board
Article 19
Executive Board
The Executive Board shall:
prepare decisions to be adopted by the Management Board;
together with the Management Board, ensure the adequate follow-up to the findings and recommendations stemming from investigations of OLAF and the various internal or external audit reports and evaluations;
without prejudice to the responsibilities of the Executive Director set out in Article 20, assist and advise the Executive Director in implementing the decisions of the Management Board on administrative and budgetary matters pursuant to Article 20.
Article 20
Duties of the Executive Director
The Executive Director shall be responsible for:
the day-to-day administration of ENISA;
implementing the decisions adopted by the Management Board;
preparing the draft single programming document and submitting it to the Management Board for approval before its submission to the Commission;
implementing the single programming document and reporting to the Management Board thereon;
preparing the consolidated annual report on ENISA’s activities, including the implementation of ENISA’s annual work programme, and presenting it to the Management Board for assessment and adoption;
preparing an action plan that follows up on the conclusions of the retrospective evaluations, and reporting on progress every two years to the Commission;
preparing an action plan that follows up on the conclusions of internal or external audit reports, as well as on investigations by OLAF and reporting on progress biannually to the Commission and regularly to the Management Board;
preparing the draft financial rules applicable to ENISA as referred to in Article 32;
preparing ENISA’s draft statement of estimates of revenue and expenditure and implementing its budget;
protecting the financial interests of the Union by the application of preventive measures against fraud, corruption and any other illegal activities, by effective checks and, if irregularities are detected, by the recovery of the amounts wrongly paid and, where appropriate, by effective, proportionate and dissuasive administrative and financial penalties;
preparing an anti-fraud strategy for ENISA and presenting it to the Management Board for approval;
developing and maintaining contact with the business community and consumers’ organisations to ensure regular dialogue with relevant stakeholders;
exchanging views and information regularly with Union institutions, bodies, offices and agencies regarding their activities relating to cybersecurity to ensure coherence in the development and the implementation of Union policy;
carrying out other tasks assigned to the Executive Director by this Regulation.
The decision establishing a local office shall specify the scope of the activities to be carried out at the local office in a manner that avoids unnecessary costs and duplication of administrative functions of ENISA.
Article 21
ENISA Advisory Group
Article 22
Stakeholder Cybersecurity Certification Group
The Stakeholder Cybersecurity Certification Group shall:
advise the Commission on strategic issues regarding the European cybersecurity certification framework;
upon request, advise ENISA on general and strategic matters concerning ENISA’s tasks relating to market, cybersecurity certification, and standardisation;
assist the Commission in the preparation of the Union rolling work programme referred to in Article 47;
issue an opinion on the Union rolling work programme pursuant to Article 47(4); and
in urgent cases, provide advice to the Commission and the ECCG on the need for additional certification schemes not included in the Union rolling work programme, as outlined in Articles 47 and 48.
Article 23
National Liaison Officers Network
Article 24
Single programming document
Article 25
Declaration of interests
Article 26
Transparency
Article 27
Confidentiality
Article 28
Access to documents
CHAPTER IV
Establishment and structure of ENISA’s budget
Article 29
Establishment of ENISA’s budget
Article 30
Structure of ENISA’s budget
Without prejudice to other resources, ENISA’s revenue shall be composed of:
(a) a contribution from the general budget of the Union;
(b) revenue assigned to specific items of expenditure in accordance with its financial rules referred to in Article 32;
(c) Union funding in the form of delegation agreements or ad hoc grants in accordance with its financial rules referred to in Article 32 and with the provisions of the relevant instruments supporting the policies of the Union;
(d) contributions from third countries participating in the work of ENISA as referred to in Article 42;
(e) any voluntary contributions from Member States in money or in kind.
Member States that provide voluntary contributions under point (e) of the first subparagraph shall not claim any specific right or service as a result thereof.
Article 31
Implementation of ENISA’s budget
Article 32
Financial rules
The financial rules applicable to ENISA shall be adopted by the Management Board after consulting the Commission. They shall not depart from Delegated Regulation (EU) No 1271/2013 unless such a departure is specifically required for the operation of ENISA and the Commission has given its prior consent.
Article 33
Combating fraud
CHAPTER V
Staff
Article 34
General provisions
The Staff Regulations of Officials and the Conditions of Employment of Other Servants, as well as the rules adopted by agreement between the Union institutions for giving effect to the Staff Regulations of Officials and the Conditions of Employment of Other Servants shall apply to the staff of ENISA.
Article 35
Privileges and immunity
Protocol No 7 on the privileges and immunities of the European Union, annexed to the TEU and to the TFEU, shall apply to ENISA and its staff.
Article 36
Executive Director
Article 37
Seconded national experts and other staff
CHAPTER VI
General provisions concerning ENISA
Article 38
Legal status of ENISA
Article 39
Liability of ENISA
Article 40
Language arrangements
Article 41
Protection of personal data
Article 42
Cooperation with third countries and international organisations
Article 43
Security rules on the protection of sensitive non-classified information and classified information
After consulting the Commission, ENISA shall adopt security rules applying the security principles contained in the Commission’s security rules for protecting sensitive non-classified information and EUCI, as set out in Decisions (EU, Euratom) 2015/443 and 2015/444. ENISA’s security rules shall include provisions for the exchange, processing and storage of such information.
Article 44
Headquarters Agreement and operating conditions
Article 45
Administrative control
The operations of ENISA shall be supervised by the European Ombudsman in accordance with Article 228 TFEU.
TITLE III
CYBERSECURITY CERTIFICATION FRAMEWORK
Article 46
European cybersecurity certification framework
Article 47
The Union rolling work programme for European cybersecurity certification
Inclusion in the Union rolling work programme of specific ICT products, ICT services, ICT processes, or managed security services, or categories thereof, shall be justified on the basis of one or more of the following grounds:
(a) the availability and the development of national cybersecurity certification schemes covering a specific category of ICT products, ICT services, ICT processes or managed security services and, in particular, as regards the risk of fragmentation;
(b) relevant Union or Member State law or policy;
(c) market demand;
(d) technological developments and the availability and development of international cybersecurity certification schemes and international standards and standards used by the industry;
(e) developments in the cyber threat landscape;
(f) request for the preparation of a specific candidate scheme by the ECCG.
Article 48
Request for a European cybersecurity certification scheme
Article 49
Preparation, adoption and review of a European cybersecurity certification scheme
Article 49a
Information and consultation on the European cybersecurity certification schemes
Article 50
Website on European cybersecurity certification schemes
Article 51
Security objectives of European cybersecurity certification schemes for ICT products, ICT services and ICT processes
A European cybersecurity certification scheme for ICT products, ICT services or ICT processes shall be designed to achieve, as applicable, at least the following security objectives:
(a) to protect stored, transmitted or otherwise processed data against accidental or unauthorised storage, processing, access or disclosure during the entire life cycle of the ICT product, ICT service or ICT process;
(b) to protect stored, transmitted or otherwise processed data against accidental or unauthorised destruction, loss or alteration or lack of availability during the entire life cycle of the ICT product, ICT service or ICT process;
(c) that authorised persons, programs or machines are able only to access the data, services or functions to which their access rights refer;
(d) to identify and document known dependencies and vulnerabilities;
(e) to record which data, services or functions have been accessed, used or otherwise processed, at what times and by whom;
(f) to make it possible to check which data, services or functions have been accessed, used or otherwise processed, at what times and by whom;
(g) to verify that ICT products, ICT services and ICT processes do not contain known vulnerabilities;
(h) to restore the availability and access to data, services and functions in a timely manner in the event of a physical or technical incident;
(i) that ICT products, ICT services and ICT processes are secure by default and by design;
(j) that ICT products, ICT services and ICT processes are provided with up-to-date software and hardware that do not contain publicly known vulnerabilities, and are provided with mechanisms for secure updates.
Article 51a
Security objectives of European cybersecurity certification schemes for managed security services
A European cybersecurity certification scheme for managed security services shall be designed to achieve, as applicable, at least the following security objectives:
(a) that the managed security services are provided with the requisite competence, expertise and experience, including that the staff tasked with providing those services have a sufficient and appropriate level of technical knowledge and competence in the specific field, sufficient and appropriate experience, and the highest degree of professional integrity;
(b) that the provider has appropriate internal procedures in place to ensure that the managed security services are provided at a sufficient and appropriate level of quality at all times;
(c) that data accessed, stored, transmitted or otherwise processed in relation to the provision of managed security services are protected against accidental or unauthorised access, storage, disclosure, destruction, other processing, or loss or alteration or lack of availability;
(d) that the availability of, and access to, data, services and functions is restored in a timely manner in the event of a physical or technical incident;
(e) that authorised persons, programs or machines are able to access only the data, services or functions to which their access rights refer;
(f) that a record is kept and is available for assessment, of the data, services or functions that have been accessed, used or otherwise processed, at what times and by whom;
(g) that the ICT products, ICT services and ICT processes deployed in the provision of the managed security services are secure by design and by default and, where applicable, include the latest security updates and do not contain publicly known vulnerabilities.
Article 52
Assurance levels of European cybersecurity certification schemes
Article 53
Conformity self-assessment
Article 54
Elements of European cybersecurity certification schemes
A European cybersecurity certification scheme shall include at least the following elements:
(a) the subject matter and scope of the certification scheme, including the type or categories of ICT products, ICT services, ICT processes or managed security services covered;
(b) a clear description of the purpose of the scheme and of how the selected standards, evaluation methods and assurance levels correspond to the needs of the intended users of the scheme;
(c) references to the international, European or national standards applied in the evaluation or, where such standards are not available or appropriate, to technical specifications that meet the requirements set out in Annex II to Regulation (EU) No 1025/2012 or, if such specifications are not available, to technical specifications or other cybersecurity requirements defined in the European cybersecurity certification scheme;
(d) where applicable, one or more assurance levels;
(e) an indication of whether conformity self-assessment is permitted under the scheme;
(f) where applicable, specific or additional requirements to which conformity assessment bodies are subject in order to guarantee their technical competence to evaluate the cybersecurity requirements;
(g) the specific evaluation criteria and methods to be used, including types of evaluation, in order to demonstrate that the applicable security objectives referred to in Articles 51 and 51a are achieved;
(h) where applicable, the information which is necessary for certification and which is to be supplied or otherwise be made available to the conformity assessment bodies by an applicant;
(i) where the scheme provides for marks or labels, the conditions under which such marks or labels may be used;
(j) rules for monitoring the compliance of ICT products, ICT services, ICT processes or managed security services with the requirements of the European cybersecurity certificates or the EU statements of conformity, including mechanisms to demonstrate continued compliance with the specified cybersecurity requirements;
(k) where applicable, the conditions for issuing, maintaining, continuing and renewing the European cybersecurity certificates, as well as the conditions for extending or reducing the scope of certification;
(l) rules concerning the consequences for ICT products, ICT services, ICT processes or managed security services that have been certified or for which an EU statement of conformity has been issued, but which do not comply with the requirements of the scheme;
(m) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products, ICT services and ICT processes are to be reported and dealt with;
(n) where applicable, rules concerning the retention of records by conformity assessment bodies;
(o) the identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products, ICT services, ICT processes or managed security services, security requirements, evaluation criteria and methods, and assurance levels;
(p) the content and the format of the European cybersecurity certificates and the EU statements of conformity to be issued;
(q) the period of the availability of the EU statement of conformity, technical documentation, and all other relevant information to be made available by the manufacturer or provider of ICT products, ICT services, ICT processes or managed security services;
(r) maximum period of validity of European cybersecurity certificates issued under the scheme;
(s) disclosure policy for European cybersecurity certificates issued, amended or withdrawn under the scheme;
(t) conditions for the mutual recognition of certification schemes with third countries;
(u) where applicable, rules concerning any peer assessment mechanism established by the scheme for the authorities or bodies issuing European cybersecurity certificates for assurance level ‘high’ pursuant to Article 56(6). Such mechanism shall be without prejudice to the peer review provided for in Article 59;
(v) format and procedures to be followed by manufacturers or providers of ICT products, ICT services or ICT processes in supplying and updating the supplementary cybersecurity information in accordance with Article 55.
Article 55
Supplementary cybersecurity information for certified ICT products, ICT services and ICT processes
The manufacturer or provider of certified ICT products, ICT services or ICT processes or of ICT products, ICT services and ICT processes for which an EU statement of conformity has been issued shall make publicly available the following supplementary cybersecurity information:
(a) guidance and recommendations to assist end users with the secure configuration, installation, deployment, operation and maintenance of the ICT products or ICT services;
(b) the period during which security support will be offered to end users, in particular as regards the availability of cybersecurity related updates;
(c) contact information of the manufacturer or provider and accepted methods for receiving vulnerability information from end users and security researchers;
(d) a reference to online repositories listing publicly disclosed vulnerabilities related to the ICT product, ICT service or ICT process and to any relevant cybersecurity advisories.
Article 56
Cybersecurity certification
As a priority, the Commission shall focus on the sectors listed in Annex II to Directive (EU) 2016/1148, which shall be assessed at the latest two years after the adoption of the first European cybersecurity certification scheme.
When preparing the assessment the Commission shall:
(a) take into account the impact of the measures on the manufacturers or providers of such ICT products, ICT services, ICT processes or managed security services and on the users in terms of the cost of those measures and the societal or economic benefits stemming from the anticipated enhanced level of security for the targeted ICT products, ICT services, ICT processes or managed security services;
(b) take into account the existence and implementation of relevant Member State and third country law;
(c) carry out an open, transparent and inclusive consultation process with all relevant stakeholders and Member States;
(d) take into account any implementation deadlines, transitional measures and periods, in particular with regard to the possible impact of the measure on the manufacturers or providers of ICT products, ICT services, ICT processes or managed security services, including the specific interests and needs of SMEs, including microenterprises;
(e) propose the most speedy and efficient way in which the transition from voluntary to mandatory certification schemes is to be implemented.
By way of derogation from paragraph 4, in duly justified cases a European cybersecurity certification scheme may provide that European cybersecurity certificates resulting from that scheme are to be issued only by a public body. Such body shall be one of the following:
(a) a national cybersecurity certification authority as referred to in Article 58(1); or
(b) a public body that is accredited as a conformity assessment body pursuant to Article 60(1).
Where a European cybersecurity certification scheme adopted pursuant to Article 49 requires an assurance level ‘high’, the European cybersecurity certificate under that scheme is to be issued only by a national cybersecurity certification authority or, in the following cases, by a conformity assessment body:
(a) upon prior approval by the national cybersecurity certification authority for each individual European cybersecurity certificate issued by a conformity assessment body; or
(b) on the basis of a general delegation of the task of issuing such European cybersecurity certificates to a conformity assessment body by the national cybersecurity certification authority.
Article 57
National cybersecurity certification schemes and certificates
Article 58
National cybersecurity certification authorities
National cybersecurity certification authorities shall:
(a) supervise and enforce rules included in European cybersecurity certification schemes pursuant to Article 54(1), point (j), for the monitoring of the compliance of ICT products, ICT services, ICT processes and managed security services with the requirements of the European cybersecurity certificates that have been issued in their respective territories, in cooperation with other relevant market surveillance authorities;
(b) monitor compliance with and enforce the obligations of the manufacturers or providers of ICT products, ICT services, ICT processes or managed security services that are established in their respective territories and that carry out conformity self-assessment, and shall, in particular, monitor compliance with and enforce the obligations of such manufacturers or providers set out in Article 53(2) and (3) and in the corresponding European cybersecurity certification scheme;
(c) without prejudice to Article 60(3), actively assist and support the national accreditation bodies in the monitoring and supervision of the activities of conformity assessment bodies, for the purposes of this Regulation;
(d) monitor and supervise the activities of the public bodies referred to in Article 56(5);
(e) where applicable, authorise conformity assessment bodies in accordance with Article 60(3) and restrict, suspend or withdraw existing authorisation where conformity assessment bodies infringe the requirements of this Regulation;
(f) handle complaints by natural or legal persons in relation to European cybersecurity certificates issued by national cybersecurity certification authorities or to European cybersecurity certificates issued by conformity assessment bodies in accordance with Article 56(6) or in relation to EU statements of conformity issued under Article 53, and shall investigate the subject matter of such complaints to the extent appropriate, and shall inform the complainant of the progress and the outcome of the investigation within a reasonable period;
(g) provide an annual summary report on the activities conducted under points (b), (c) and (d) of this paragraph or under paragraph 8 to ENISA and the ECCG;
(h) cooperate with other national cybersecurity certification authorities or other public authorities, including by sharing information on the possible non-compliance of ICT products, ICT services, ICT processes or managed security services with the requirements of this Regulation or with the requirements of specific European cybersecurity certification schemes; and
(i) monitor relevant developments in the field of cybersecurity certification.
Each national cybersecurity certification authority shall have at least the following powers:
(a) to request conformity assessment bodies, European cybersecurity certificates’ holders and issuers of EU statements of conformity to provide any information it requires for the performance of its tasks;
(b) to carry out investigations, in the form of audits, of conformity assessment bodies, European cybersecurity certificates’ holders and issuers of EU statements of conformity, for the purpose of verifying their compliance with this Title;
(c) to take appropriate measures, in accordance with national law, to ensure that conformity assessment bodies, European cybersecurity certificates’ holders and issuers of EU statements of conformity comply with this Regulation or with a European cybersecurity certification scheme;
(d) to obtain access to the premises of any conformity assessment bodies or holders of European cybersecurity certificates, for the purpose of carrying out investigations in accordance with Union or Member State procedural law;
(e) to withdraw, in accordance with national law, European cybersecurity certificates issued by the national cybersecurity certification authorities or European cybersecurity certificates issued by conformity assessment bodies in accordance with Article 56(6), where such certificates do not comply with this Regulation or with a European cybersecurity certification scheme;
(f) to impose penalties in accordance with national law, as provided for in Article 65, and to require the immediate cessation of infringements of the obligations set out in this Regulation.
Article 59
Peer review
Peer review shall assess:
(a) where applicable, whether the activities of the national cybersecurity certification authorities that relate to the issuance of European cybersecurity certificates referred to in point (a) of Article 56(5) and in Article 56(6) are strictly separated from their supervisory activities set out in Article 58 and whether those activities are carried out independently from each other;
(b) the procedures for supervising and enforcing the rules for monitoring the compliance of ICT products, ICT services, ICT processes and managed security services with European cybersecurity certificates pursuant to Article 58(7), point (a);
(c) the procedures for monitoring and enforcing the obligations of manufacturers or providers of ICT products, ICT services, ICT processes or managed security services pursuant to Article 58(7), point (b);
(d) the procedures for monitoring, authorising and supervising the activities of the conformity assessment bodies;
(e) where applicable, whether the staff of authorities or bodies that issue certificates for assurance level ‘high’ pursuant to Article 56(6) have the appropriate expertise.
Article 60
Conformity assessment bodies
Article 61
Notification
Article 62
European Cybersecurity Certification Group
The ECCG shall have the following tasks:
(a) to advise and assist the Commission in its work to ensure the consistent implementation and application of this Title, in particular regarding the Union rolling work programme, cybersecurity certification policy issues, the coordination of policy approaches, and the preparation of European cybersecurity certification schemes;
(b) to assist, advise and cooperate with ENISA in relation to the preparation of a candidate scheme pursuant to Article 49;
(c) to adopt an opinion on candidate schemes prepared by ENISA pursuant to Article 49;
(d) to request ENISA to prepare candidate schemes pursuant to Article 48(2);
(e) to adopt opinions addressed to the Commission relating to the maintenance and review of existing European cybersecurity certification schemes;
(f) to examine relevant developments in the field of cybersecurity certification and to exchange information and good practices on cybersecurity certification schemes;
(g) to facilitate the cooperation between national cybersecurity certification authorities under this Title through capacity-building and the exchange of information, in particular by establishing methods for the efficient exchange of information relating to issues concerning cybersecurity certification;
(h) to support the implementation of peer assessment mechanisms in accordance with the rules established in a European cybersecurity certification scheme pursuant to point (u) of Article 54(1);
(i) to facilitate the alignment of European cybersecurity certification schemes with internationally recognised standards, including by reviewing existing European cybersecurity certification schemes and, where appropriate, making recommendations to ENISA to engage with relevant international standardisation organisations to address insufficiencies or gaps in available internationally recognised standards.
Article 63
Right to lodge a complaint
Article 64
Right to an effective judicial remedy
Notwithstanding any administrative or other non-judicial remedies, natural and legal persons shall have the right to an effective judicial remedy with regard to:
(a) decisions taken by the authority or body referred to in Article 63(1) including, where applicable, in relation to the improper issuing, failure to issue or recognition of a European cybersecurity certificate held by those natural and legal persons;
(b) a failure to act on a complaint lodged with the authority or body referred to in Article 63(1).
Article 65
Penalties
Member States shall lay down the rules on penalties applicable to infringements of this Title and to infringements of European cybersecurity certification schemes, and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall without delay notify the Commission of those rules and of those measures and shall notify it of any subsequent amendment affecting them.
TITLE IV
FINAL PROVISIONS
Article 66
Committee procedure
Article 67
Evaluation and review
Article 68
Repeal and succession
Article 69
Entry into force
This Regulation shall be binding in its entirety and directly applicable in all Member States.
ANNEX
REQUIREMENTS TO BE MET BY CONFORMITY ASSESSMENT BODIES
Conformity assessment bodies that wish to be accredited shall meet the following requirements:
1. A conformity assessment body shall be established under national law and shall have legal personality.
2. A conformity assessment body shall be a third-party body that is independent of the organisation or the ICT products, ICT services, ICT processes or managed security services that it assesses.
3. A body that belongs to a business association or professional federation representing undertakings involved in the design, manufacturing, provision, assembly, use or maintenance of ICT products, ICT services, ICT processes or managed security services which it assesses may be considered to be a conformity assessment body, provided that its independence and the absence of any conflict of interest are demonstrated.
4. The conformity assessment bodies, their top level management and the persons responsible for carrying out the conformity assessment tasks shall not be the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of the ICT product, ICT service, ICT process or managed security service which is assessed, or the authorised representative of any of those parties. That prohibition shall not preclude the use of the ICT products assessed that are necessary for the operations of the conformity assessment body or the use of such ICT products for personal purposes.
5. The conformity assessment bodies, their top level management and the persons responsible for carrying out the conformity assessment tasks shall not be directly involved in the design, manufacture or construction, the provision, the marketing, installation, use or maintenance of the ICT products, ICT services, ICT processes or managed security services which are assessed, or represent parties engaged in those activities. The conformity assessment bodies, their top level management and the persons responsible for carrying out the conformity assessment tasks shall not engage in any activity that may conflict with their independence of judgement or integrity in relation to their conformity assessment activities. That prohibition shall apply, in particular, to consultancy services.
6. If a conformity assessment body is owned or operated by a public entity or institution, the independence and absence of any conflict of interest shall be ensured between the national cybersecurity certification authority and the conformity assessment body, and shall be documented.
7. Conformity assessment bodies shall ensure that the activities of their subsidiaries and subcontractors do not affect the confidentiality, objectivity or impartiality of their conformity assessment activities.
8. Conformity assessment bodies and their staff shall carry out conformity assessment activities with the highest degree of professional integrity and the requisite technical competence in the specific field, and shall be free from all pressures and inducements which might influence their judgement or the results of their conformity assessment activities, including pressures and inducements of a financial nature, especially as regards persons or groups of persons with an interest in the results of those activities.
9. A conformity assessment body shall be capable of carrying out all the conformity assessment tasks assigned to it under this Regulation, regardless of whether those tasks are carried out by the conformity assessment body itself or on its behalf and under its responsibility. Any subcontracting to, or consultation of, external staff shall be properly documented, shall not involve any intermediaries and shall be subject to a written agreement covering, among other things, confidentiality and conflicts of interest. The conformity assessment body in question shall take full responsibility for the tasks performed.
10. At all times and for each conformity assessment procedure and each type, category or sub-category of ICT products, ICT services, ICT processes or managed security services, a conformity assessment body shall have at its disposal the necessary:
(a) staff with technical knowledge and sufficient and appropriate experience to perform the conformity assessment tasks;
(b) descriptions of procedures in accordance with which conformity assessment is to be carried out, to ensure the transparency of those procedures and the possibility of reproducing them. It shall have in place appropriate policies and procedures that distinguish between tasks that it carries out as a body notified pursuant to Article 61 and its other activities;
(c) procedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the technology of the ICT product, ICT service, ICT process or managed security service in question and the mass or serial nature of the production process.
11. A conformity assessment body shall have the means necessary to perform the technical and administrative tasks connected with the conformity assessment activities in an appropriate manner, and shall have access to all necessary equipment and facilities.
12. The persons responsible for carrying out conformity assessment activities shall have the following:
(a) sound technical and vocational training covering all conformity assessment activities;
(b) satisfactory knowledge of the requirements of the conformity assessments they carry out and adequate authority to carry out those assessments;
(c) appropriate knowledge and understanding of the applicable requirements and testing standards;
(d) the ability to draw up certificates, records and reports demonstrating that conformity assessments have been carried out.
13. The impartiality of the conformity assessment bodies, of their top-level management, of the persons responsible for carrying out conformity assessment activities, and of any subcontractors shall be guaranteed.
14. The remuneration of the top-level management and of the persons responsible for carrying out conformity assessment activities shall not depend on the number of conformity assessments carried out or on the results of those assessments.
15. Conformity assessment bodies shall take out liability insurance unless liability is assumed by the Member State in accordance with its national law, or the Member State itself is directly responsible for the conformity assessment.
16. The conformity assessment body and its staff, its committees, its subsidiaries, its subcontractors, and any associated body or the staff of external bodies of a conformity assessment body shall maintain confidentiality and observe professional secrecy with regard to all information obtained in carrying out their conformity assessment tasks under this Regulation or pursuant to any provision of national law giving effect to this Regulation, except where disclosure is required by Union or Member State law to which such persons are subject, and except in relation to the competent authorities of the Member States in which its activities are carried out. Intellectual property rights shall be protected. The conformity assessment body shall have documented procedures in place in respect of the requirements of this point.
17. With the exception of point 16, the requirements of this Annex shall not preclude exchanges of technical information and regulatory guidance between a conformity assessment body and a person who applies for certification or who is considering whether to apply for certification.
18. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, taking into account the interests of SMEs in relation to fees.
19. Conformity assessment bodies shall meet the requirements of the relevant harmonised standard as defined in Article 2, point (9), of Regulation (EC) No 765/2008 for the accreditation of conformity assessment bodies performing the certification of ICT products, ICT services, ICT processes or managed security services.
20. Conformity assessment bodies shall ensure that testing laboratories used for conformity assessment purposes meet the requirements of the relevant harmonised standard as defined in Article 2, point (9), of Regulation (EC) No 765/2008 for the accreditation of laboratories that perform testing.
( 1 ) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).
( 2 ) OJ L 56, 4.3.1968, p. 1.
( 3 ) Commission Delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (OJ L 328, 7.12.2013, p. 42).
( 4 ) Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission (OJ L 72, 17.3.2015, p. 41).
( 5 ) Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (OJ L 72, 17.3.2015, p. 53).
( 6 ) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
( 7 ) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).
( 8 ) OJ L 136, 31.5.1999, p. 15.
( 9 ) Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities’ financial interests against fraud and other irregularities (OJ L 292, 15.11.1996, p. 2).
( 10 ) Council Regulation No 1 determining the languages to be used by the European Economic Community (OJ 17, 6.10.1958, p. 385/58).