EUROPEAN COMMISSION

Strasbourg, 20.1.2026

COM(2026) 11 final

2026/0011(COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (The Cybersecurity Act 2)

(Text with EEA relevance)

{SEC(2026) 11 final} - {SWD(2026) 11 final} - {SWD(2026) 12 final}

EXPLANATORY MEMORANDUM

1.CONTEXT OF THE PROPOSAL

•Reasons for and objectives of the proposal

Against this background, there are four main problems that this proposed revision of the CSA aims to tackle: (i) the misalignment between the Union’s cybersecurity policy framework and stakeholders’ needs in an increasingly hostile threat landscape; (ii) the stalled implementation of the European cybersecurity certification framework (ECCF); (iii) the complexity and diversity of the cybersecurity-related policies impacting the Union’s cyber posture; and (iv) increasing ICT supply chains security risks.

Based on the main problems identified, the two general objectives of the intervention are to increase cybersecurity capabilities and resilience and prevent fragmentation across the single market by:

·contributing to strengthening the Union’s cybersecurity governance and helping to ensure that relevant institutions, authorities and other stakeholders are better prepared to prevent, detect and respond to cybersecurity threats in a coordinated and effective manner; and

·supporting the development, implementation and uptake of common Union cybersecurity instruments, such as certification schemes, and providing harmonised frameworks that build trust and interoperability across Member States.

These general objectives respond to the key challenges identified in the problem definition. They reflect the overarching policy aim of strengthening cybersecurity governance in the Union and supporting the development of a secure, resilient and competitive digital single market.

To help achieve the general objectives listed above, this intervention pursues the following specific objectives (SPOs):

·to address the misalignment between the Union cybersecurity policy framework and stakeholders’ needs:

·SPO1: create the capacity to effectively implement Union cybersecurity policies and continuous operational cooperation enabling more structured cooperation between Member States;

·SPO2: develop and implement means and mechanisms to effectively support and address the needs of Member States, industry and other stakeholders;

·to address the limited uptake and effectiveness of the ECCF:

·SPO3: create the prerequisites for faster delivery of cybersecurity certification schemes driven by market needs by broadening the scope of the ECCF, ensuring effective maintenance and agile procedures and increasing transparency;

·to address the fragmented compliance landscape and complexity of horizontal and sectoral frameworks:

·SPO4: create mechanisms and conditions to facilitate compliance with cybersecurity requirements, thereby making their implementation more coherent and effective.

·to address cybersecurity risks in the supply chain:

·SPO5: De-risk critical ICT supply chains from entities established in or controlled by entities from third countries posing cybersecurity concerns (high-risk suppliers) and reduce critical dependencies by developing a coherent and effective framework at EU level to address ICT supply chain security risks.

The revision of the CSA falls within the remit of the regulatory fitness and performance programme (REFIT). It strongly contributes to improving clarity, removing inefficiencies and aligning procedures across legal frameworks. The revision of the CSA contributes to the proper functioning of the internal market while ensuring the security and strategic autonomy of the Union.

More concretely, it proposes a full reform of the mandate of the European Union Agency for Cybersecurity (ENISA) providing effective support for policy implementation and added value in terms of supporting operational cooperation among Member States.

Given the increasing cybersecurity risks and challenges the Union is facing, the proposal aims to increase ENISA’s financial and human resources to reflect its enhanced role, tasks, and its critical position in defending the digital ecosystem of the Union, allowing ENISA to effectively carry out the tasks conferred on it by this proposal.

The revision will also help eliminate fragmented practices, improving coordination while lowering compliance and operational costs in the long term. By repealing the current CSA and introducing a reformed ECCF, the proposal delivers a more effective and efficient tool that both promotes trust among businesses, the general public and public authorities and eases compliance with relevant Union legislation. It increases efficiency by revising the governance model and supporting more predictable, coherent and agile certification procedures to enable faster scheme development and implementation.

Greater synergies with relevant existing Union legal frameworks will promote certification as a compliance tool for businesses and reduce the administrative burden on conformity assessment bodies active under multiple pieces of cybersecurity legislation. Furthermore, by extending the scope of the ECCF and enabling the development of a scheme on the cyber posture of entities, the proposal reduces compliance costs for entities subject to relevant Union cybersecurity legislation, starting with entities in scope of the NIS 2 Directive. This approach will significantly simplify regulatory obligations for entities subject to multiple compliance requirements and ensure a more effective use of resources across national authorities. In addition to this revision, a proposal for a directive introducing targeted amendments to the NIS 2 Directive aims at simplifying compliance with and ensuring streamlined and coherent implementation of specific aspects of the cybersecurity framework, including with regard to scope, definitions, ransomware reporting and supervision of entities providing cross-border services.

The new regulation also creates a harmonised framework to tackle non-technical risks affecting ICT supply chains, reducing the current fragmentation of approaches across Member States. Together, these aspects represent a substantial simplification and modernisation of the Union’s cybersecurity legal framework, fully aligned with the REFIT principles of clarity, efficiency and digital readiness.

•Consistency with existing policy provisions in the policy area

The Union has expanded its legal and policy tools with the adoption of a number of legal instruments and policy measures: (i) the NIS2 Directive serves to strengthen cybersecurity for critical infrastructure; (ii) physical security measures are defined in its ‘sister directive’, the Critical Entities Resilience (CER) Directive; (iii) the Cyber Resilience Act (CRA) enhances the cybersecurity of products; (iv) the Cyber Solidarity Act (CSoA) builds EU-wide response capabilities; (v) the EU Cyber Blueprint 7  supports EU-level crisis management cooperation in which the Commission and High Representative have key roles in preparing for and responding to large-scale cybersecurity incidents; (vi) the 5G Cybersecurity Toolbox (5G Toolbox) supports cybersecurity in 5G networks; (vii) the European action plan on the cybersecurity of hospitals and healthcare providers 8  helps improve their cybersecurity; and (viii) the Cybersecurity Skills Academy 9  addresses the growing challenge of the cybersecurity talent gap. 

•Consistency with other Union policies

2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

•Legal basis

•Subsidiarity (for non-exclusive competence)

The actions covered by the proposed regulation offer clear added value by supporting harmonisation, legal clarity and coordinated responses to cybersecurity challenges.

•Proportionality

•Choice of the instrument

3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

•Ex-post evaluations/fitness checks of existing legislation

·Relevance: ENISA’s relevance in the cybersecurity domain is underscored by its responsiveness to evolving stakeholder needs and adaptability to a changing landscape. Although stakeholder satisfaction is generally positive, there are opportunities to increase ENISA’s impact. This can be achieved by improving support and visibility for diverse sectors, particularly small to medium-sized enterprises (SMEs), which often struggle with cybersecurity requirements. Better resource organisation and clearer coordination with national authorities are essential. Reprioritising activities and optimising existing resources will better align ENISA with the dynamic needs of the European cybersecurity landscape.

Regarding the ECCF, despite its promising premise, the framework is still considered to have more potential than practical impact, as only one certification scheme has recently become operational. The framework is designed to seamlessly integrate with other Union legal acts to streamline procedures and facilitate cross-border trade. Its significance is highlighted in high-assurance areas like cloud services and 5G infrastructures.

·Effectiveness: ENISA has successfully met its mandate by delivering nearly all planned outputs, showcasing flexibility and resilience during crises like the COVID-19 pandemic and Russia’s war of aggression against Ukraine. However, improved prioritisation, clear focus, and strategic resource allocation are needed to increase efficiency. A more agile approach to internal governance is essential to adapt to evolving cybersecurity demands and minimise delays.

The ECCF aimed to harmonise cybersecurity certification across the Union but encountered significant challenges, including procedural limitations and fragmentation, which led to delays and inefficiencies, such as the delay in adopting the European Common Criteria-based cybersecurity certification scheme (EUCC). External factors, like geopolitical tensions and the COVID-19 pandemic, further complicated the achievement of the ECCF’s objectives, highlighting the need for adaptable measures and consistent resource allocation among stakeholders to achieve uniformity and effectiveness in cybersecurity certification. Despite these hurdles, there have been positive outcomes - particularly in raising awareness among Member States of the importance and intricacies of cybersecurity certification.

·Efficiency: ENISA operated efficiently under its matrix-based organisational framework, promoting cooperation and task prioritisation. However, ENISA faced challenges in meeting increasing demands and filling specialised positions, exacerbated by a global shortage of IT specialists, leading to delays and heavy workload. To address these issues, ENISA could optimise its internal workforce and reallocate resources effectively, as demonstrated by strategic adjustments like the 2022 shift in resources towards the Cybersecurity Support Action. Additionally, improving budget management and reducing administrative expenditure would further improve the Agency’s operational efficiency.

The efficiency of the ECCF has been criticised due to extended timelines for adopting cybersecurity certification schemes and the complexities involved, with the first scheme only adopted in early 2024 nearly five years after the adoption of the CSA. Political and technical challenges, such as debates about data sovereignty and difficulties in translating drafts into legal acts, contributed to delays. Political challenges and technical demands have impeded progress, as seen with the EU Cloud Certification Scheme (EUCS) and the EU5G Scheme. Despite these inefficiencies, the framework gave rise to several positive aspects. However, there remains a need for improvements in stakeholder engagement and internal governance to ensure optimal functioning and strategic input.

·Coherence: ENISA's coherence is supported by significant stakeholder engagement and alignment with recent legislative frameworks. However, to enhance coherence and resource allocation, it is essential to improve synergies with other Union bodies, such as the European Cybersecurity Industrial, Technology and Research Competence Centre (ECCC), and national authorities. Moreover, internal communication and resource management within ENISA, along with transparent interaction with private stakeholders, must be refined. Clear delineation of ENISA’s tasks, consistent with the CRA and the NIS2 Directive, will improve both efficiency and regulatory consistency.

Regarding the ECCF, full consistency with other Union legislative instruments, including the NIS2 Directive and the CRA, is crucial for ensuring a unified cybersecurity approach. While the ECCF shows theoretical alignment with these legislative measures, real-world integration remains complex and requires diligent oversight. The implementation of the adopted EUCC scheme within the CRA framework will be a significant test in this regard.

·EU added value: ENISA has made substantial contributions to the Union’s cybersecurity ecosystem by promoting cooperation and aligning practices. Its role in facilitating national efforts and providing insights into emerging threats has been vital. However, criticism from private-sector stakeholders about the need for more tailored support indicates a need for improved stakeholder engagement and industry collaboration. Strategically reassessing resource management would enable ENISA to better adapt to evolving cybersecurity challenges and serve diverse stakeholders more effectively. The ECCF aimed to introduce harmonised certification processes but faced implementation challenges due to prolonged timelines and fragmentation. The added value of the ECCF has been limited due to its shortcomings in reaching its objectives and its lack of efficiency. Despite those challenges, the ECCF did improve harmonisation among Member States and established better cooperation opportunities, particularly by creating stakeholder cooperation fora such as the European Cybersecurity Certification Group (ECCG).

•Stakeholder consultations

Between 2023 and 2025, several stakeholder consultations were carried out both in the context of the evaluation of the CSA and the revision of the CSA as follows below.

–In 2023, 65 interviews were conducted (52 of which focused more on ENISA and 13 mainly on the ECCF), a survey programme was carried out, which received 209 responses (of which 70 were on the ECCF), a public consultation was concluded, and two workshops were organised on SWOT (strengths, weaknesses, opportunities and threats) analysis and recommendations with 26 and 70 participants respectively. These activities specifically aimed to gather stakeholders’ views to evaluate the impact, effectiveness and efficiency of ENISA. The final report of the Study to Support the Evaluation of the European Union Agency for Cybersecurity (ENISA) and the European Cybersecurity Certification Framework carried out for the Commission by PwC, Intellera Consulting and PPMI (2024) was completed in December 2024. 

–In 2025, the Commission launched a call for evidence. In particular, stakeholders were invited to submit written contributions, including position papers, technical reports, or comments on specific reform proposals.  A total of 184 individual contributions were received from a broad range of stakeholder categories, including industry associations, cybersecurity firms, SMEs, academic institutions, and public interest organisations.

–Between April and June 2025, the Commission organised a public consultation as part of the revision of the CSA and received 193 replies. The consultation consisted of 38 questions, both closed and open-ended, covering ENISA’s mandate, the ECCF, ICT supply chain security and simplification.

–Targeted consultation (interviews): A series of semi-structured interviews were conducted with selected stakeholders. These included ENISA’s representatives as well as national public authorities that have developed or manage national reporting platforms. Interviews focused on ENISA’s role and capacity, the operational functioning of the ECCF, practical challenges in aligning national and Union-level certification processes, reporting burdens, and implementation obstacles. These discussions provided qualitative insights that enriched the interpretation of the results of the public consultation and supported the refinement of policy options.

–Consultation of Member State representatives within the framework of the Council working party 19 and in bilateral discussions, where Member States could express their views on the review of the CSA.   

–Targeted consultation (ECCF groups – ECCG, Stakeholder Cybersecurity Certification Group (SCCG)): The Commission in its capacity as the chair of both groups, presented the state of play on the CSA revision at the ECCG meetings on 12 March and 3 July 2025, and the SCCG meeting on 17 March 2025. In addition, supplementary expert opinions from ECCG members were collected through questionnaires.

·ENISA’s mandate and operational role, including support for Member States and expertise in emerging technologies; 

·effectiveness of the European Cybersecurity Certification Framework, including governance and development processes; 

·complexity and fragmentation of cybersecurity obligations, with attention to reporting burdens and potential simplification; 

·proportionality of requirements for SMEs and the potential for differentiated compliance paths; and

·societal and economic impacts of harmonised cybersecurity rules, including effects on consumers, rights, innovation, and competitiveness.

•Impact assessment

The final policy proposal does not deviate from the options assessed in the impact assessment.

Options to address the misalignment of the Union’s cybersecurity policy framework and stakeholders’ needs in an increasingly hostile environment

Options for the ECCF

Option B.1: Clarifying the ECCF’s scope, elements and objectives and introducing a maintenance mechanism – This option would provide for a new maintenance mechanism for the schemes, after their adoption, to be implemented by ENISA.

Option B.2: Reforming the ECCF by revising its procedures and extending the scope to facilitate simplification of regulatory compliance – This option would repeal the CSA and replace it by a new regulation. In addition to option B.1, the procedures related to the request, development and adoption of schemes would be revised to improve accountability and efficiency.

Option B.3: Reforming the ECCF as envisaged under option B.2 and introducing mandatory certification for cyber posture – This option would build on option B.2, but aims to further increase the impact of the framework by introducing mandatory certification of essential entities considering specific risk scenarios, instead of relying solely on voluntary certification of entities.

Options for simplification

Option C.1: Taking a soft law and non-legislative instruments approach, including the use of existing empowerments (adoption of implementing acts under Article 21(5) and Article 23(11) of the NIS 2 Directive) – This option envisages the adoption of implementing acts using the existing empowerments under the NIS 2 Directive to ensure a higher degree of harmonisation of cybersecurity risk-management measures, incident reporting thresholds, as well as type of information, the formats and the procedure of notifications. It also envisages the adoption of a set of guidelines to enhance legal certainty and harmonised implementation.

Option C.2: Targeted intervention – further simplification of compliance with the relevant Union cybersecurity legislative framework – This option involves limited intervention through changes to the CSA and the NIS 2 Directive with an aim to simplify specific aspects of the cybersecurity framework, including scope adaptations, maximum harmonisation for implementing acts, compliance proof through certification, and adoption of the set of guidelines as envisaged under option C.1.  

Option D.1: Taking a soft law approach to address cybersecurity risks for ICT supply chains - This option would not provide for regulatory intervention at EU level. Instead, the Commission would increase the number of coordinated risk assessments and voluntary toolboxes.

Option D.2: Ad hoc regulatory intervention codifying the 5G Toolbox - This option would codify the 5G Toolbox measures. It would introduce an obligation for Member States to ensure that components from high-risk suppliers are not used in key assets of the network.

This combination offers a well-balanced response to identified policy challenges, significantly enhancing effectiveness, efficiency and coherence across the Union.

At the same time, streamlined and reduced compliance obligations are expected to generate cost savings of up to EUR 15.3 billion for businesses over five years. Furthermore, improving the Union’s overall cyber posture and technological sovereignty and stimulating innovation and competitiveness would yield significant benefits for the general public, public authorities and businesses. This is expected to largely offset initial expenditures in the long term.

By reducing market fragmentation and harmonising regulatory requirements, the preferred options enhance competitive equality across the Union, providing businesses with clearer paths to compliance and innovation.

•Regulatory fitness and simplification

•Fundamental rights

The legislative proposal was assessed based on its potential to enhance or put at risk fundamental rights and promote equality and trust, with a particular focus on societal impacts and rights, including privacy, data protection and the ability of individuals to understand, exercise and enforce their rights.

Extending ENISA’s mandate will contribute to more cyber resilience across the economy and society in general, leading to better protection of people’s privacy and personal data. The proposal will also support education and training on cybersecurity as it clarifies ENISA’s role in the development of skills for the cybersecurity workforce.

Furthermore, the ECCF will improve trust among the general public and businesses in the Union in certified ICT solutions that support everyday life. Putting in place additional schemes would increase this impact.

4.BUDGETARY IMPLICATIONS

5.OTHER ELEMENTS

•Implementation plans and monitoring, evaluation and reporting arrangements

•Explanatory documents (for directives)

•Detailed explanation of the specific provisions of the proposal

Title II: ENISA (THE EUROPEAN UNION AGENCY FOR CYBERSECURITY)

The Commission can identify, through implementing acts, key ICT assets used for the manufacturing of products, provision of services by the types of entity referred to Annex I and Annex II to Directive (EU) 2022/2555. Article 102 further details the elements to be taken account for the identification of key ICT assets. Article 103 establishes potential mitigation measures in the ICT supply chain. The Commission, through implementing acts, can decide that entities operating in sectors of high criticality and other critical sectors have to be subject to specific mitigating measures, further detailed in the Article.

The Commission, by way of implementing acts, shall establish lists of high-risk suppliers relevant for the prohibitions laid down in the implementing acts adopted in accordance with Article 103(1), Article 103(7) or the prohibition referred to in Article 110(1), after conducting an assessment of establishment and ownership and control. It should consult suppliers concerned and competent authorities (Article 104).

An entity established in or controlled by entities from a third country posing cybersecurity concerns designated in accordance with Article 100, may request to be allowed to provide ICT components in key ICT assets of entities of the type referred in Annexes I and II to Directive (EU) 2022/2555 and to participate in public procurement in relation to the provision of such ICT components. Article 105 specifies what the request should contain and what is the procedure for such an exemption. Article 106 specifies the rights of defence for an entity in question. The Commission shall maintain a publicly accessible register of the decisions regarding exemptions (Article 107). Articles 108 and 109 specifies confidentiality rules and fees related to the exemption procedure.

Chapter II provides for an application of the trusted ICT supply chain framework to mobile, fixed and satellite electronic communications networks, ensuring alignment with the proposed Digital Networks Act.

The key ICT assets for mobile, fixed and satellite electronic communications networks are set out in Annex II. The transition period of phasing out ICT components from high-risk suppliers for the key ICT assets of the mobile electronic communications network shall not exceed 36 months from the entry into force of this Regulation. Transition periods for fixed and satellite electronic communications networks shall be specified by the Commission by virtue of implementing acts. The Commission is empowered to adopt delegated act to amend designated key ICT assets and transition periods, including for the future mobile generations (Article 110). Article 111 stipulates that providers of mobile, fixed and satellite electronic communications networks cannot not use, install or integrate, in any form, ICT components from high-risk suppliers and cannot be granted general or individual authorisation.

Competent authorities, supervision and enforcement, jurisdiction, rights of defence (Chapter III)

Chapter III further lays down the rules on competent authorities, supervision and enforcement and jurisdiction. 

Articles 112-114 specify the powers, means and responsibilities of Member States in ensuring the implementation and enforcement of the provisions in Title IV. Member States have to designate one or more competent authorities, to be notified to the Commission. Article 113 provides for the Commission to set up a network for cooperation of competent authorities of Member States and the Commission to facilitate compliance, while Article 114 specifies the supervisory and enforcement measures that competent authorities are entitled to take. Penalties in case of infringement of the provisions of Title IV are specified in Article 115. Article 116 details the possibility for Member States to mutually assist each other when entities are having cross-border activities or when their key ICT assets are located in several Member States. Article 117 provides for the rules on jurisdiction and territoriality.

2026/0011 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (The Cybersecurity Act 2)

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee 24 ,

Having regard to the opinion of the Committee of the Regions 25 ,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1) Since the adoption of Regulation (EU) 2019/881 of the European Parliament and of the Council 26 , the geopolitical, technological and policy landscapes have undergone significant transformations. Cybersecurity incidents, whether caused by system failures, human error, malicious acts or natural phenomena, have surged and cyberattacks have become more sophisticated, affecting essential entities, businesses, and the general public. The cybercrime ecosystem has proliferated, with ransomware activity at its core. Supply chain incidents, whether caused by criminals for financial gain or by State actors for disruption, espionage, disinformation or warfare have intensified. As part of a wider hybrid strategy, incidents resulting from malicious cyber activities and system failures ripple outward, disrupting essential services, undermining trust in institutions, and affecting the Union’s societal and defence readiness. Such incidents have proved their potential to impact economic activity, financial stability and people’s lives. At the same time, vulnerability of critical civilian infrastructure and systems pose a risk to defence capabilities where they rely on them.

(2)In parallel, emerging technologies such as artificial intelligence and quantum computing have a disruptive effect on cybersecurity and cyber defence. They are reshaping the tools of defence and the tactics of adversaries, posing threats to cybersecurity and cyber defence while also offering avenues for technological advancements. Although they may contribute to cybersecurity through enhanced threat detection or automated incident response, they are also increasing the overall attack surface for organisations, are potential targets for manipulation, and can undermine the long-term viability of security measures such as encryption.

(3)To address those developments, the Union has enhanced its legal and policy tools. Directive (EU) 2022/2555 of the European Parliament and of the Council 27 strengthens cybersecurity for critical infrastructure, complemented by Directive (EU) 2022/2557 of the European Parliament and of the Council 28 for physical security. Regulation (EU) 2024/2847 of the European Parliament and of the Council 29 enhances the cybersecurity of products with digital elements. Regulation (EU) 2025/38 of the European Parliament and of the Council 30 builds Union-wide response capabilities, and the Council Recommendation of 6 June 2025 on an EU blueprint for cyber crisis management 31 (‘Recommendation on the Cyber Blueprint’) supports Union-level crisis management cooperation. The 5G Cybersecurity Toolbox 32  constitutes a first step towards a coordinated approach at Union level to secure 5G networks. The Commission communication on the Cybersecurity Skills Academy 33 addresses the growing challenge of the cybersecurity talent gap. Additionally, the cybersecurity framework has been enhanced by sector-specific legislation, in particular Regulation (EU) 2022/2554 of the European Parliament and of the Council 34 for the financial sector, Commission Delegated Regulation (EU) 2024/1366 35 for the electricity subsector, Commission Delegated Regulation (EU) 2022/1645 36  and Commission Implementing Regulation (EU) 2023/203 37 (PART-IS) as well as relevant aviation security rules set out in Commission Regulation (EU) 2019/1583 38 for the air transport sub-sector, and other policy documents such as the Commission communication on an EU action plan on the cybersecurity of hospitals and healthcare providers 39 . Union entities are also strengthened with Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council 40 , which lays down measures that aim to achieve a high common level of cybersecurity within Union institutions, bodies, offices and agencies. This enhanced legal framework for cybersecurity has further specified ENISA’s tasks.

(4)In this context, and as stated in the ProtectEU: European Internal Security Strategy 41 , Preparedness Union Strategy 42 , ensuring the preparedness, security and resilience of the Union’s society and economy requires strong European coordination, trust and information sharing between stakeholders, robust frameworks to ensure the security of ICT products, services, processes and managed security services, as well as growing and strengthening the cybersecurity workforce. It further calls for bolstering ICT supply chains by ensuring European technological sovereignty over key assets, which would increase the Union’s resilience and could benefit cyber defence efforts. In addition, the Communication on Strengthening EU economic security 43 identifies as priority objectives the needs to prevent access to sensitive information and data that could undermine the EU’s economic security and to prevent and mitigate disruptions to EU critical infrastructure affecting the EU economy. It acknowledges the essential role effective cybersecurity measures play in this regard.

(5)Large-scale cybersecurity incidents affecting critical infrastructure, digital services or essential societal functions may have impacts on the population requiring coordinated civil protection and crisis management action at Union level. In line with the  all-hazards approach of the European Preparedness Union Strategy and Decision No 1313/2013/EU on the Union Civil Protection Mechanism, arrangements for situational awareness, incident response and exercises under this Regulation should feed in Union crisis management, notably though the Emergency Response Coordination Centre (ERCC).

(6)This proposal is consistent with and complemented by the [Proposal for a Directive complementing [the revision of Regulation (EU) 2019/881] and amending Directive (EU) 2022/2555 as regards the simplification of the implementation of measures for a high common level of cybersecurity across the Union], as well as with the [Proposal for Regulation on simplification of the digital legislation (Digital Omnibus) 44 which provides the obligation on ENISA to develop a single entry-point for incident reporting through which entities can simultaneously fulfil their incident reporting obligations under multiple legal acts. 

(7)Regulation (EC) No 460/2004 of the European Parliament and of the Council 45 established ENISA with the aim of contributing to ensuring a high and effective level of network and information security within the Union, and developing a culture of network and information security for the benefit of citizens, consumers, enterprises and public administrations. ENISA’s mandate was extended three times before Regulation (EU) 2019/881 granted it a permanent mandate. In order to better address the needs created by the evolving threat and technological landscapes, in particular with regards to operational cooperation and the increased need for cybersecurity professionals, ENISA’s mandate should be further reinforced. In the interest of legal certainty, Regulation (EU) 2019/881 should be replaced.

(8)In an evolving threat landscape where cybersecurity incidents become increasingly more significant, delivering trust for individuals, public authorities and businesses in their daily use of technologies is even more important than ever. An increase in trust can be facilitated by a reinforced Union-wide certification of the ECCF providing for common cybersecurity requirements and evaluation criteria across national markets and sectors. The new framework should lay down the main horizontal requirements for European cybersecurity certification schemes and allow for European cybersecurity certificates and EU statements of conformity to be recognised and used in all Member States. In doing so, it should establish a procedure and governance framework that allows for the timely and predictable development and maintenance of European cybersecurity certification schemes. The European cybersecurity certification schemes should be applied uniformly in all Member States to ensure a harmonised implementation of cybersecurity requirements, level the playing field and prevent ‘certification shopping’ based on different levels of stringency in different Member States. ENISA should have a key role in providing for the development of the schemes through technical specifications and ensuring that such schemes remain technically up to date. Furthermore, to meet the market needs effectively, the framework should provide for the possibility for certification of cybersecurity risk management measures addressed to entities and facilitate compliance with other applicable Union legislation in the field of cybersecurity. Alignment with existing Union law, such as Regulation (EU) 2024/2847 and Directive (EU) 2022/2555, is essential for European cybersecurity certification schemes to contribute to reducing compliance burden on businesses, increase their attractiveness and strengthen the cyber resilience of the Union.

(9)The mission of ENISA should be to support Member States and Union entities to achieve a high level of cybersecurity, resilience and trust in the Union. To that end, ENISA should act as a reference point for advice and expertise on cybersecurity, and its work should primarily revolve around four key areas of cybersecurity at Union level. First, ENISA should support Member States in the consistent implementation of Union policy and legislation regarding cybersecurity and assist Member States through capacity-building activities to continuously improve their capacities in terms of preparedness, resilience and response. Second, ENISA should contribute to operational cooperation at Union level, amongst Member States, and to enhanced shared situational awareness of cyber threats and incidents among Member States and Union entities. The third key area should be cybersecurity certification and standardisation, while the fourth should be the implementation of the Cybersecurity Skills Academy, which should contribute to the development of a thriving European cybersecurity workforce with skills that should be portable across Member States.

(10)Regulation (EU, Euratom) 2023/2841 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union and provides for the mandate of CERT-EU, establishing it as the Cybersecurity Service for Union institutions, bodies, offices and agencies to contribute to the security of the unclassified ICT environment of Union entities by advising them on cybersecurity, supporting them to prevent, detect, handle, mitigate, respond to and recover from incidents and acting as their cybersecurity information exchange and incident response coordination hub. Furthermore, CERT-EU is tasked with offering relevant cybersecurity services to Union entities. As part of its mission, ENISA should support also Union entities. In particular, it should do so by engaging through structured cooperation with CERT-EU on capacity building, operational cooperation and long-term strategic analyses of cyber threats. When relevant, ENISA may leverage the structured cooperation with CERT-EU for ENISA cybersecurity services or support that can be of added value to Union entities, in a coordinated manner to ensure synergies of efforts of CERT-EU.

(11)One of the core tasks of ENISA should be to support Member States in implementing Union policy and law regarding cybersecurity consistently, in particular as regards Directive (EU) 2022/2555, Regulation (EU) 2024/2847, and Regulation (EU) 2025/38. To help achieve consistent and effective implementation of the Union cybersecurity acquis, ENISA should issue technical guidance and reports, provide advice and best practices, and facilitate the exchange of best practices between competent authorities to this end. Furthermore, ENISA is assessing the state of cybersecurity in the Union and adopts a report to that end in accordance with Article 18 of Directive (EU) 2022/2555. ENISA should also be able to respond to requests for advice and assistance by Member States and, where applicable, Union entities, on matters falling within ENISA’s mandate.

(12)With a view to stimulating cooperation between the public and private sectors and within the private sector, in particular to support the protection of critical infrastructure, ENISA should support information sharing within and among sectors, in particular the sectors listed in Annexes I and II to Directive (EU) 2022/2555, and information regarding products with digital elements falling within the scope of Regulation (EU) 2024/2847. Such support may take the form of providing best practices and guidance on available tools and procedures, as well as providing guidance on how to address regulatory issues related to information sharing, for example through facilitating the establishment of sectoral Information Sharing and Analysis Centres (ISACs).

(13)In view of supporting and facilitating the strategic cooperation and the exchange of information, ENISA should contribute to the work of the Cooperation Group established by Directive (EU) 2022/2555 (‘NIS Cooperation Group’), in particular by providing expertise, advice and by facilitating the exchange of best practices, among others, in relation to cross-border dependencies, regarding risks and incidents. ENISA should also contribute to the work of the European Digital Identity Cooperation Group established by Regulation (EU) No 910/2014 of the European Parliament and of the Council 46 , the European Cybersecurity Certification Group, and the administrative cooperation group (ADCO) established by Regulation (EU) 2024/2847.

(14)The public core of the open internet, namely its main protocols and infrastructure, which are a global public good, provides the essential functionality of the internet as a whole and underpins its normal operation. Within its mandate, ENISA should support the security and resilience of the public core of the open internet and the stability of its functioning, including, but not limited to, the secure deployment and operation of key protocols (in particular Domain Name System, Border Gateway Protocol, and Internet Protocol version 6) and the operation of the domain name system (such as the operation of all top-level domains), by promoting best practices, guidance, and cooperation, in accordance with established global, multistakeholder Internet governance arrangements and the respective roles and responsibilities of relevant international technical and operational bodies.

(15)ENISA acts as a reference point for advice and expertise on cybersecurity. Therefore, at the Commission’s request, ENISA should assist it by means of expertise, technical advice, information, analyses, including feasibility studies, opinions and preparatory work regarding any specific matter in the field of cybersecurity with a view to informing the Commission’s policymaking and facilitating the Commission’s monitoring of the implementation of Union legislation regarding cybersecurity.

(16)Similarly, taking into account its expertise, ENISA should assist Member States in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cyber threats and incidents and in relation to the security of network and information systems. In particular, ENISA should support the development and enhancement of computer security incident response teams (‘CSIRTs’) provided for in Directive (EU) 2022/2555, with a view to achieving a high common level of maturity of CSIRTs in the Union.

(17)ENISA has supported and should continue supporting Member States in developing and implementing guidelines for their national cybersecurity strategies contributing to the adoption and implementation of cybersecurity strategies by all Member States ENISA should promote the dissemination of such strategies through the National Cybersecurity Strategies (NCSS) Interactive Map and should further follow the progress of their implementation, including by providing support in the development of key performance indicators in this context.

(18)Regulation (EU, Euratom) 2023/2841 has tasked the Interinstitutional Cybersecurity Board with supporting Union entities in elevating their respective cybersecurity postures, and CERT-EU with contributing to the security of the unclassified ICT environment of all Union entities. ENISA, based on its experience in cybersecurity, should support the Interinstitutional Cybersecurity Board and CERT-EU in their tasks in accordance with Regulation (EU, Euratom) 2023/2841, including by contributing to cyber threat analysis, situational awareness, cybersecurity exercises, coordination on incident response and the exchange of know-how and best practices.

(19)Based on ENISA’s expertise and to complement the capabilities of national and Union public authorities, ENISA should deliver training using the European Cybersecurity Skills Framework (ECSF) as a basis, in particular to support effective policy implementation, operational cooperation, and awareness-raising.

(20)To ensure synergies with the European Cybersecurity Industrial, Technology and Research Competence Centre (ECCC) and the Network of National Coordination Centres established pursuant to Regulation (EU) 2021/887 of the European Parliament and of the Council 47 , ENISA should support them by sharing information about current and emerging risks and cyber threats, including risks and threats regarding information and communications technologies.

(21)The Preparedness Strategy highlights that digital literacy, which relies on acquiring basic digital skills, is essential to empower more resilient citizens in the face of potential crises. However, as highlighted in the Commission Communication on the Union of Skills 48 , almost half the adult population does not have basic digital skills despite more than 90% of jobs requiring them. In order to ensure that the current and potential future workforce have the required skills in a rapidly evolving digital environment, and to contribute to the development of the European cybersecurity talent pipeline, ENISA should support cybersecurity awareness-raising activities that aim to attract talent and help informing about the education and skills needed in the area of cybersecurity, such as the European Cybersecurity Challenge. In this regard, ENISA should coordinate cybersecurity competitions, capture-the-flag events and similar practical exercises, as a means of developing cybersecurity skills and fostering capacity building across the Union. When carrying out awareness-raising activities, ENISA should ensure that these address the needs of national public authorities and Union entities, as well as the needs of businesses, in particular SMEs, and education and training institutions, by maintaining practical frameworks and trainings such as awareness-raising-in-a-box. ENISA should further develop practical and actionable guidance to support the implementation of Union cybersecurity policy and legislation. ENISA should also strive to provide relevant information on applicable certification schemes, for example by providing guidelines and recommendations.

(22)To support businesses operating in the cybersecurity sector, users of cybersecurity solutions, and to ensure effective the implementation of Title III of this Regulation, ENISA should develop and maintain a ‘market observatory’ by performing regular analyses and disseminating information on the main trends in the cybersecurity market, on both the demand and supply sides. Furthermore, to support the users of the EU Cybersecurity Reserve established pursuant to Regulation (EU) 2025/38, ENISA should prepare the mapping of the services needed by such users, and of availability of such services, pursuant to that Regulation.

(23)Cyber threats are a global issue. Closer international cooperation is necessary to improve cybersecurity, including to define common norms of behaviour and common approaches. To that end, ENISA should support Union’s cooperation with third countries, with a focus on countries that are candidates for accession to the Union, and international organisations, such as NATO, by providing the necessary expertise and analysis to the Commission and relevant Union entities, where appropriate. ENISA’s activities in the international area should always be in line with the priorities of the Union.

(24)To help achieve a high level of cybersecurity in the Union, ENISA should support operational cooperation among Member States, in cooperation with CERT-EU, among Union entities, and between stakeholders. To that end, ENISA’s role should be strengthened. ENISA should become a member of the CSIRTs network, contributing to the network information exchange and analysis. ENISA should further promote and support cooperation between the relevant CSIRTs in the event of incidents, attacks or disruptions of networks or infrastructure managed or protected by the CSIRTs. ENISA’s active support for the work of the CSIRTs network and the European cyber crisis liaison organisation network (EU-CyCLONe) should enable those networks to continue strengthening their maturity level. ENISA’s role in supporting such cooperation includes combating threats to the security and integrity of democratic institutions, elections and other processes, and the critical infrastructure on which they depend, in line with the European Democracy Shield: Empowering Strong and Resilient Democracies 49 . 

(25)To support capacity-building, operational cooperation, and long-term strategic analyses of cyber threats, ENISA should make use of the available technical and operational expertise of CERT-EU through structured cooperation, for example through dedicated arrangements.

(26)In order to  strengthen cybersecurity across the Union and ensure a rapid and effective response to cyber threats, ENISA should support Member States at their request, including by providing advice on the improvement of their capabilities to prevent, detect, respond to and recover from incidents, by facilitating the technical handling of significant incidents within the meaning of Directive (EU) 2022/2555, in particular through supporting the voluntary sharing of technical solutions between Member States, or by ensuring that cyber threats and incidents are analysed. ENISA should also assist EU-CyCLONe in preparing reports to the Union’s and Member States’ political level.

(27)To reduce exposure to foreign interference, supply-chain manipulation, and strategic data exfiltration, ENISA should use within the CSIRTs network and EU-CyCLONe secure communications tools. Building on the Recommendation on the Cyber Blueprint, such tools should be provided by legal entities established or deemed to be established in the Union and controlled by Member States or by nationals of Member States.

(28)To contribute to Union-level preparedness and response in the case of large-scale cybersecurity incidents and crises, ENISA should carry out cybersecurity situational awareness activities.

(29) Access to real-time, verified, reliable cyber threat intelligence (CTI) is crucial for building shared situational awareness in the Union. ENISA, the Commission, CERT-EU and the European Cybercrime Centre (EC3) at Europol have already developed repositories of cyber threat intelligence that are tailored to their specific needs. ENISA and other relevant Union entities should cooperate, voluntarily, to develop repositories of real-time, verified, reliable CTI, and seek synergies to ensure economies of scale and reinforce sound financial management. This work should also include sectoral Union entities such as the EU agency for the Space Programme. They should share only derived analysis, trends, and tactics, techniques and procedures (TTPs), not raw sources, and should respect the independence of entities to manage their own CTI lifecycle in line with their mandates and need-to-know rules.

(30)In order to contribute to a timely and coordinated response, ENISA should be able to issue early alerts of a potential or ongoing significant or large-scale incident, or a cyber threat of a potential cross-border nature to the CSIRT or CSIRTs concerned, and, where appropriate, to the CSIRTs network and EU-CyCLONe, in particular in relation to entities listed in Annexes I and II to Directive (EU) 2022/2555. Information in such early alerts may include publicly known vulnerabilities and whether they affect products with digital elements covered by Regulation (EU) 2024/2847, as well as techniques and procedures, indicators of compromise, adversarial tactics, threat-actor-specific information and recommendations on mitigation measures.

(31) In order to maintain trust and not jeopardise information-sharing, it is important for ENISA to apply visible markings indicating the extent to which a document or information it has produced or received may be shared further. Similarly, ENISA should use documents or information it receives for the purposes of carrying out its activities, subject to any limitations by means of a visible marking on further distribution of that information.

(32)To help increase awareness of cyber threat indicators and recommendations on mitigation measures, ENISA should make an early alert service available to entities operating in sectors listed in Annexes I and II to Directive (EU) 2022/2555. Such generic, voluntary early alerts should benefit in particular SMEs, and should be provided in a machine-readable format made publicly available. In any case, such voluntary service is separate from and not related to any public-private partnerships that ENISA may establish or has already established.

(33)To support Union shared cybersecurity situational awareness, ENISA, in close cooperation with the Member States, should prepare a regular in-depth EU Cybersecurity Technical Situation Report on incidents and cyber threats, based on publicly available information, its own analysis and reports shared with it by Member States’ CSIRTs or the national single points of contact on the security of network and information systems (‘single points of contact’) provided for in Directive (EU) 2022/2555, both on a voluntary basis, Europol and CERT-EU. That report should be made available to the Council, the European External Action Service, EU-CyCLONe, the CSIRTs network, the Commission and Europol. 

(34)In order to enhance the shared situational awareness of the cyber threat and incident landscape among stakeholders, ENISA should analyse trends in cyber threats and incidents. This should include a regular analysis addressing the sectors of high criticality and other critical sectors listed in Annexes I and II to Directive (EU) 2022/2555, including the healthcare, energy and transport sectors. Such analysis should include maturity levels of sectors and identify, among others, possible challenges specific to a given sector. Where relevant, and in order to identify supply chain effects, the analysis should evidence cyber threats and trends related to product categories covered by Regulation (EU) 2024/2847. ENISA should develop expertise in the field of cybersecurity of infrastructures and their critical supply chain dependencies, in particular to support the sectors listed in Annexes I and II to Directive (EU) 2022/2555 and the implementation of Regulation (EU) 2024/2847. To this end, ENISA should also cooperate, where appropriate, with other relevant Union entities.

(35)Further, to understand better the challenges in the area of cybersecurity, ENISA needs to analyse current and emerging technologies and provide topic-specific assessments on the expected societal, legal, economic and regulatory impact of technological innovations on cybersecurity. In order to ensure easier access of the public to information on cybersecurity risks and possible remedies, ENISA may provide relevant information on its website, in a user-friendly and well-structured manner.

(36)ENISA’s strengthened role in fostering situational awareness, analysing threats and providing technical advice will contribute to enhance collective cybersecurity efforts concerning products with digital elements and support the implementation of Regulation (EU) 2024/2847. In accordance with Regulation (EU) 2024/2847, ENISA may propose joint activities to market surveillance authorities for checking compliance of products with digital elements and identify categories of products with digital elements for which sweeps may be organised. Information stemming from cyber threat analysis and early alerts should strengthen the support that ENISA provides to those authorities and contribute to an effective enforcement of Regulation (EU) 2024/2847 to prevent supply chain effects of cyber attacks across the internal market and enhance the overall Union’s preparedness.

(37)Ransomware attacks are a prominent cybersecurity threat to the Union. To boost the Union’s cybersecurity and combat ransomware, ENISA should develop capabilities for situational awareness and support for incident response and recovery. When assisting individual essential and important entities in responding to and recovering from a ransomware attack, ENISA should closely cooperate with Europol and with CSIRTs or competent authorities as applicable, thereby drawing from Europol’s established experience in fighting ransomware crime. Such assistance should complement CSIRTs’ activities supporting incident response. To achieve synergies in its work against ransomware, ENISA should establish a helpdesk and, for that purpose, it could pool relevant capabilities and counter-ransomware services and make easily available information, guidance, and tools that can help essential and important entities respond to and recover from a ransomware incident.

(38)ENISA should provide technical expertise and support to the Commission in preparing an annual rolling programme of Union-level cybersecurity exercises in accordance with the Recommendation on the Cyber Blueprint to prepare for cyber crises, to test the level of cybersecurity of entities participating in such exercises, and to minimise duplication of effort. ENISA should, for example, advise on the appropriate types of exercise, such as tabletop, hybrid or full live, as well as objectives, scenarios and participation.

(39)Access to correct and timely information about vulnerabilities and a robust vulnerability management are imperative for ensuring a high level of cybersecurity in the internal market. For that reason, ENISA should maintain a European vulnerability database pursuant to Directive (EU) 2022/2555 and create a common Union vulnerability management service capacity, ensuring a resilient and sustainable service level and reducing the risk of disruptions. To that end, ENISA should explore possibilities to deepen structured cooperation with programmes, registries or databases similar to the European vulnerability database, in order to avoid a duplication of efforts and to seek complementarity on an international level, where appropriate. Furthermore, ENISA should support multi-party coordinated vulnerability disclosure at Union level and provide value added services, such as vulnerability advisories, severity scoring and product lists, as well as providing an enhanced European known exploited vulnerabilities catalogue to help entities in their vulnerability management.

(40)The role of ENISA in the development of the ECCF should be a key aspect of its mandate. ENISA should provide its technical expertise throughout the lifecycle of European cybersecurity certification schemes. In view of a future scheme, ENISA should identify existing standards or technical specifications that can underlie such as a scheme and, where relevant, draft technical specifications itself that can be referenced in a scheme. ENISA should be in charge of preparing candidate scheme following a Commission request. For schemes already in place, ENISA should be responsible for their maintenance. In doing so, ENISA should contribute to building and developing a certification ecosystem where the feedback of Member States and private stakeholders is sought and their certification capacities are reinforced. This should also include operating a dedicated certification website where relevant information related to adopted schemes, including certificates and statements of conformity, is freely and publicly accessible.

(41)To support the implementation of relevant Union legislation, ENISA should shape the state of the art in cybersecurity by delivering technical specifications to support the implementation of relevant Union legislation, including in view of their potential referencing in European cybersecurity certification schemes. ENISA should also monitor the creation and evolution of standards by relevant standardisation bodies with a view to following standardisation trends at European and global level, and whenever needed, shape such standards by participating to, including through drafting contributions, and leading in the activities of standardisation organisations. In doing so, ENISA should remain impartial. For instance, there might be situations, where ENISA should withdraw from relevant activities in standardisation bodies if ENISA is asked to assess European standards that were requested by the Commission in support of Union legislation. ENISA should not contribute to the drafting of the standards that it is in charge of assessing.

(42)To support the implementation of Union policies and preparation of potential standardisation activities, ENISA should contribute to the development and evaluation of cryptographic algorithms, in particular in the area of post-quantum cryptography. In that context, upon request by the Commission and subject to a contribution agreement as defined in Regulation (EU, Euratom) 2024/2509 of the European Parliament and of the Council 50 , ENISA may establish a process to solicit and evaluate algorithms for cryptographic algorithms by relevant stakeholders, in particular the cryptographic, academic and research communities, as well as manufacturers, CSIRTs, national cybersecurity certification authorities and competent authorities pursuant to Directive (EU) 2022/2555. Where ENISA contributes to establishing such processes, it should promote collaboration between the relevant stakeholders and implement the organisational aspects. The process should be formal, open, transparent and inclusive, including consultation of relevant stakeholders on draft minimum requirements and the evaluation process and evaluation criteria, notably for security and performance of evaluations.

(43)To support the implementation of conformity assessment activities under European cybersecurity certification schemes and other relevant Union legislation, ENISA may provide relevant technical testing tools to support Member States, businesses and conformity assessment bodies in evaluation activities. Such tools should aim to create synergies at Union level and an efficient operation of conformity assessment procedures to meet the needs of Member States and market needs. Such needs may arise for instance in the area of security by design to support businesses, including small and medium-sized enterprises, in their implementation efforts in the context of Regulation 2024/2847. In this context, ENISA should levy fees to cover relevant costs related to establishing, designing, developing, maintaining and updating needed software and hardware capabilities for such testing tools.

(44)To support Member States in their efforts to address the shortage of cybersecurity professionals and the growing need for a skilled, diverse, including with regards to gender balance, and agile workforce, and to enable labour mobility and preparedness across Member States, ENISA should build on the principles and work initiated under the Cybersecurity Skills Academy. In particular, ENISA should establish the European Cybersecurity Skills Framework (‘ECSF’) as a common framework on cybersecurity professional role profiles. ENISA should further support Member States in addressing gender disparities in cybersecurity roles. This approach is consistent with the vision outlined in the Commission Communication on the Union of Skills and would contribute to its objectives. A quality label for European individual cybersecurity skills attestations should further be explored.

(45)The ECSF should be a practical and flexible tool to be used on a voluntary basis that provides a common understanding and terminology of the relevant roles and associated tasks, skills and knowledge mostly required in cybersecurity roles, with a view to supporting the identification of critical skill sets, including transversal skills, required for the workforce, and enabling learning providers, including companies, higher education institutions or vocational education and training providers, to design programmes, and help policymakers to develop initiatives to address skills gaps. Having the potential to be used as a reference framework for skills recognition, it should also be interoperable with the European classification of skills and occupations (ESCO) in order to support human resources departments to understand the requirements for resource planning, recruitment, and career development in support of cybersecurity needs. Whereas DigComp 3.0 describes knowledge, skills and attitudes that are needed to be digitally competent for daily life, participation in society, working and learning, and can be used by both adults and children, the ECSF offer a simple framework identifying cybersecurity roles and associated tasks, knowledge, skills needed to perform them. In this regard, it addresses a specialised audience in cybersecurity, ranging from actually or potential cybersecurity professionals, education institutions to employers. The ECSF should also support the development of European individual cybersecurity skills attestations by being the key instrument used to develop the schemes, allowing the emergence of new market players and supporting market competition within a common framework. The ECSF should be evaluated and updated on a regular basis to ensure that it adequately reflects the cybersecurity labour market’s needs, technological and policy developments. ENISA should support the uptake of the ECSF by and within Member States and Union entities, and provide adequate support where such assistance is required.

(46)Cybersecurity skills and qualifications should be made comparable, transparent and trusted across the internal market. To this end, European individual cybersecurity skills attestations 51 should support employers, including SMEs and startups, to recruit actual or potential cybersecurity professionals in an effective manner within and across Member States, in line with the objectives set out in the Communication on the Union of Skills. To ensure consistent implementation across Member States, European individual cybersecurity skills attestations should be based on a common understanding, at Union level, of the skills needed to meet those objectives and should be delivered by providers authorised by ENISA against a common set of criteria. This approach should be consistent with and contribute to the objectives of the future Skills Portability Initiative.

(47)The development of European individual cybersecurity skills attestation schemes should aim to supplement Member States’ actions by offering the possibility to public authorities and economic actors to make use of a European attestation mechanism, in line with the supporting competence of the Union in the area of education and vocational training, as referred to in Article 6, point (e) and Articles 165(1) and 166(1) TFEU. The schemes, together with the work of the Cybersecurity Skills Academy, can also represent the basis for the higher education programmes, such as sectoral European degrees and for the development of micro-credentials. Therefore, the European individual cybersecurity attestation schemes should not aim to harmonise law and regulations in Member States, but rather be considered as an enabler and an opportunity which Member States and economic actors may wish to take up and promote.

(48)ENISA should ensure that European individual cybersecurity skills attestation schemes remain close to market needs and build on experience from both public and private providers of individual certifications, including Member States, higher education institutions, vocational education and training institutions and businesses. ENISA should consult the Commission on prioritisation of the European individual cybersecurity skills attestation schemes, taking into due consideration policy implementation and market needs.

(49)To ensure alignment between the ECSF and the schemes, revision of an ECSF role profile should automatically trigger an evaluation of fitness of the associated European individual cybersecurity skills attestation scheme or schemes, which may lead to their review.

(50)Taking into consideration the diversity of cybersecurity role profiles and associated tasks, skills and knowledge, the assessment of individuals and assessment methods may have to be adapted in each European individual cybersecurity skills attestation scheme. Each scheme should ensure that the assessment of an individual’s required skills in terms of learning outcomes, including, where relevant, the evaluation of the level of proficiency, is systematically evaluated against an ECSF role profile or subset thereof. Assessment methods may include elements such as testing theoretical knowledge, practical examination, prerequisites and peer assessment. Experience of individuals should be duly taken into consideration.

(51)In order to ensure a consistent implementation of European individual cybersecurity skills attestation schemes, in particular with regard to the assessment of individuals, ENISA should provide obligatory training to personnel in charge of carrying out the assessment of individuals. Such personnel should have experience in the field of cybersecurity which could be demonstrated by holding a European individual cybersecurity skills attestation for the role profile they are conducting the assessment for and at a proficiency level at least equivalent to that of the individuals they are assessing. 

(52)The role of the authorised attestation providers is to attest the knowledge and competences of an individual to be able to perform one of the ECSF roles and to give assurance to the employers across the Union. As also employers operating Unions critical infrastructure would look at the assurance of the quality of skills and competences of individuals acquiring European individual cybersecurity skills attestation, the authorised providers attesting the level of skills and competences should be trustworthy from the cybersecurity point of view and should not be subject of the undue influence by a third country that may pose cybersecurity concerns. Therefore, entities established in a third country posing cybersecurity concerns designated in accordance with this Regulation or controlled by such third country, by an entity established in such third country, or by a national of such third country (high-risk suppliers) in accordance with this Regulation should not be eligible to become authorised attestation providers of any European individual cybersecurity skills attestations pursuant to Title II, Section 4.

(53) To ensure that individuals that hold a European cybersecurity skills attestation can easily use and share it, and that such an attestation can be used across Member States, authorised attestation providers should ensure that electronic attestations of the European individual cybersecurity skills attestations are issued to the European Digital Identity Wallet (EUDI wallet) established by Regulation (EU) No 910/2014 at the request of the individual. Authorised attestation providers should be considered as trust service providers and subject to the supervisory and liability regime laid down in Regulation (EU) No 910/2014. The scheme for the attestation of attributes used pursuant to Commission Implementing Regulation (EU) 2025/1569 52 should be registered in the catalogue of schemes for the attestation of attributes provided for in that Implementing Regulation. 

(54)To contribute to the development of the cybersecurity workforce and the portability of skills across the Union, ENISA should make the European individual cybersecurity skills attestation schemes and the list of authorised attestation providers available to the public via a dedicated website.

(55)ENISA should be governed and operated taking into account the principles of the Common Approach on Union decentralised agencies adopted on 19 July 2012 by the European Parliament, the Council and the Commission 53 . The recommendations in the Common Approach should also be reflected, as appropriate, in ENISA’s work programmes, evaluations of ENISA, and ENISA’s reporting and administrative practice.

(56)In order for the Management Board to perform its functions effectively, particularly in guiding the overall direction of ENISA’s activities and setting its strategic priorities, it is essential for the Board to consist of high-level representatives from Member States and the Commission. To that end, each Member State should appoint the head of a national competent authority of that Member State responsible for cybersecurity designated pursuant to Article 8(1) of Directive (EU) 2022/2555 as a member of the Management Board.

(57)To ensure that alternates in the Management Board can fulfil their roles adequately, Member States should appoint alternates that have appropriate professional expertise and experience. The Commission and the Member States, as regards alternates, should make efforts to achieve a balanced representation between men and women on the Management Board and should limit their turnover in order to ensure continuity of the Management Board’s work.

(58)To enable ENISA to fulfil its mission effectively, the Management Board, composed of the representatives of the Member States and of the Commission, should establish the general direction of ENISA’s operations, including its strategic priorities, and ensure that it carries out its tasks in accordance with this Regulation. The Management Board should be entrusted with the powers necessary to establish and verify the execution of the budget, adopt appropriate financial rules, establish transparent working procedures for decision making by ENISA, adopt ENISA’s single programming document, adopt its own rules of procedure, appoint the Executive Director, decide on the extension and termination of the Executive Director’s term of office, and decide whether to create a function of Deputy Executive Director and, if such a function is created, on their appointment, and the extension and termination of their term of office. Any person exercising an executive function within ENISA should therefore be appointed by the Management Board. The Management Board should also be responsible for appointing or dismissing members of the Board of Appeal, as well as establishing rules to prevent or manage conflicts of interest in this respect.

(59)To help ensure that ENISA establishes its strategic priorities and maintains them up to date, the Management Board should hold at least one meeting per year dedicated to the strategic priorities of ENISA. To ensure that meetings of the Management Board are effective and well-informed, the Management Board may invite to its meetings any person whose opinion could be pertinent and of interest to the topics discussed to provide insights, expertise or advice. Such a person would be an ad hoc observer without voting rights.

(60)The Management Board should adopt decisions by an absolute majority of its members with voting rights, unless otherwise provided for in this Regulation. Due to the importance of budgetary and human resources matters, in particular matters on the annual budget, annual activity report, the anti-fraud strategy, implementing rules giving effect to Staff Regulations, the appointment of the Executive Director, the Deputy Executive Director and the accounting officer, follow-up to findings of the European Anti-Fraud Office (OLAF) and of the European Public Prosecutor’s Office (EPPO), and the adoption of the financial rules of ENISA, the Management Board should adopt such decisions only if the representative of the Commission casts a positive vote. For the purposes of taking a decision on adopting a final single programming document after taking into account Commission’s opinion, a positive vote of the representative of the Commission should only be required on the elements of the decision not related to the annual and multiannual work programme of ENISA.

(61)The Executive Board should contribute to the effective functioning of the Management Board. As part of its preparatory work related to Management Board decisions, the Executive Board should examine relevant information in detail, explore available options and offer advice and solutions to prepare the decisions of the Management Board. It should also assist and advise the Executive Director in implementing Management Board decisions.

(62)The smooth functioning of ENISA requires that its Executive Director be appointed on grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant to cybersecurity. The duties of the Executive Director should be carried out with complete independence. The Management Board should appoint the Executive Director from the list of candidates prepared by the Commission, following an open and transparent procedure that respects the principle of gender balance.

(63) The Executive Director should prepare a proposal for ENISA’s single programming document, after prior consultation with the Commission, and should take all steps necessary to ensure the proper implementation of that single programming document. The Executive Director should prepare an annual report to be submitted to the Management Board, covering the implementation of ENISA’s annual work programme, draw up a draft statement of estimates of revenue and expenditure for ENISA, and implement the budget. Furthermore, the Executive Director should have the option of setting up ad hoc working groups to address specific matters, in particular matters of a scientific, technical, legal or socio-economic nature. In particular, in relation to the preparation of a specific candidate European cybersecurity certification scheme (‘candidate scheme’), the setting up of an ad hoc working group is considered to be necessary. Setting up of an ad hoc working group might also be necessary for maintenance activities in relation to specific adopted European cybersecurity certification schemes. Ad hoc working groups should also be set up to develop and maintain European individual cybersecurity skills attestation schemes and assist the Agency in the governance, implementation and evolution of the ECSF. The Executive Director should ensure that the members of ad hoc working groups are selected according to the highest standards of expertise, aiming to ensure gender balance and an appropriate balance, according to the specific issues in question, between the public administrations of the Member States, the Union entities and the private sector, including industry, users, and academic experts in network and information security, as well as academic experts in products with digital elements.

(64)The Management Board may decide to create a function of a Deputy Executive Director to assist the Executive Director, where the Management Board considers that such a function is necessary to ensure or maintain the smooth functioning of ENISA. When deciding on whether to create that function, the Management Board may take into account the opinion of the Executive Director.

(65)ENISA should have an Advisory Group to ensure regular dialogue with the private sector, consumers’ organisations and other relevant stakeholders. The ENISA Advisory Group, established by the Management Board on a proposal from the Executive Director, should focus on issues relevant to stakeholders and should bring them to the attention of ENISA. The ENISA Advisory Group should be consulted in particular with regard to ENISA’s draft annual work programme. The composition of the ENISA Advisory Group and the tasks assigned to it should ensure sufficient representation of stakeholders in the work of ENISA. Representatives of national and Union law enforcement, data protection and market surveillance authorities should be eligible to be represented in the ENISA Advisory Group.

(66)Applicants to become authorised attestation providers or to renew their authorisation should have access to the necessary remedies where they are affected by decisions taken by ENISA. Therefore, an appropriate appeal mechanism should be set up so that related decisions of ENISA can be challenged before a Board of Appeal, the decisions of which can be subject to judicial review by the Court of Justice of the European Union in accordance with the Treaties. The requirement to exhaust the appeal procedure within ENISA before bringing an action before the Court of Justice of the European Union is only applicable to the persons that have standing before the Board of Appeals.

(67)In order to guarantee the full autonomy and independence of ENISA and to enable it to perform its tasks, ENISA should be granted a sufficient and autonomous budget primarily funded from a contribution from the Union, but also from contributions from third countries participating in ENISA’s work, and from fees paid by authorised attestation providers and by conformity assessment bodies participating in schemes and issuing European cybersecurity certificates and EU statements of conformity. The host Member State, and any other Member State, should be allowed to make voluntary contributions to ENISA’s budget. No contribution, whether financial or in kind, received by ENISA from Member States, third countries, or other entities or persons should compromise its independence and impartiality. The Union budgetary procedure should be applicable as far as the Union contribution and any other subsidies chargeable to the general budget of the Union are concerned. The Court of Auditors should audit ENISA’s accounts to ensure transparency and accountability. In order to enable the Agency to participate in all relevant future projects, it should be given the possibility to receive grants.

(68)To ensure ENISA’s capacity to respond to demand for the activities it carries out, in particular as regards decisions to authorise providers to deliver European individual cybersecurity skills attestations, and as regards the maintenance of the European cybersecurity certification schemes and of testing tools, ENISA should be given the power to levy fees. Fees associated with processing of applications to become an authorised attestation provider should be appropriately determined to sufficiently contribute to covering the estimated costs of developing and maintaining the European individual cybersecurity skills attestation schemes and evaluating whether requirements and obligations to become and remain an authorised attestation provider are and continue to be met. Fees associated to the costs of issuing and renewing authorisations to authorised attestation providers should include costs associated to evaluations performed by or under the supervision of ENISA. Fees associated with the participation in European cybersecurity certifications schemes and for the issuance of certificates under such schemes should be appropriately determined to sufficiently contribute to covering the estimated costs of maintaining such schemes. The payment of such fees should enable notified conformity assessment bodies and, where applicable, certificate holders under a scheme to take part in such activities as well as relevant capacity building and promotional activities to promote the exchange of best practices and foster the uptake of schemes and certified solutions. 

(69)To ensure proportionality, transparency and legal certainty, fees should be set in a transparent and fair manner. All expenditure of ENISA attributed to staff involved in activities subject to fees, in particular the employer's pro-rata contribution to the pension scheme, and costs related to the Board of Appeal, should be reflected in that cost. Fees must not lead to the imposition of unnecessary financial or administrative burdens on applicants. Reasonable deadlines should be set for the payment of fees. 

(70)It is necessary to put in place a set of indicators to measure the Agency’s workload, effectiveness and efficiency in relation to activities financed through fees. Having regard to these indicators, the Agency should adapt its staff planning and management of resources related to fees to be able to adequately respond to such demand and to any fluctuations in revenue from fees.

(71)To identify and correctly manage the risk of actual or perceived conflict of interests, ENISA should have rules in place regarding the prevention and the management of conflicts of interest. ENISA should also apply the rules on access to documents set out in Regulation (EC) No 1049/2001 of the European Parliament and of the Council 54 . The processing of personal data by ENISA should be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council 55 . ENISA should comply with the provisions applicable to the Union entities, and with national legislation regarding the handling of information, in particular sensitive non-classified information and European Union classified information (EUCI).

(72)When performing its tasks, ENISA may have access to sensitive information, such as information regarding cyber threats and incidents. Therefore, it is essential for ENISA to preserve the confidentiality of information it handles. In particular, in line with Article 339 of the Treaty on the Functioning of the European Union (TFEU), officials and other servants of ENISA should not disclose any information of the kind covered by the obligation of professional secrecy, in particular information about undertakings, their business relations or their cost components, even after their duties have ceased.

(73)To ensure that it fully achieves its objectives, ENISA should liaise with the relevant Union supervisory authorities and with other competent authorities in the Union, relevant Union entities, including CERT-EU, EC3 at Europol, the ECCC, the European Defence Agency (EDA), the European Union Agency for the Space Programme (EUSPA), the Body of European Regulators for Electronic Communications (BEREC), the European Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), the European Central Bank (ECB), the European Banking Authority (EBA), the European Data Protection Board, the Agency for the Cooperation of Energy Regulators (ACER), the European Union Aviation Safety Agency (EASA), and any other Union entity involved in cybersecurity. ENISA should also liaise with competent authorities under Directive (EU) 2022/2555, market surveillance authorities and authorities that deal with data protection in order to exchange know-how and best practices and should provide advice on cybersecurity issues that might have an impact on their work.

(74)Europol has an important role in preventing and combating cybercrime, including cybercrime related to network and information security incidents. To create synergies between the respective tasks of each Agency, ENISA should cooperate with Europol, in particular by sharing information regarding trends in techniques, demands and impacts of ransomware attacks. Such cooperation may also consist in identifying the most common ransomware strains targeting entities listed in Annexes I and II to Directive (EU) 2022/2555 to support essential and important entities in incident response and recovery.

(75)To support operational cooperation and shared situational awareness of cyber threats and incidents, it is essential for ENISA to cooperate with stakeholders and in particular companies and organisations from the private sector, with which ENISA may establish public-private partnerships.

(76)To effectively meet the goals outlined in this Regulation, ENISA may collaborate in particular with academic institutions that have research initiatives in relevant fields, and develop appropriate channels for input from consumer organisations and other organisations.

(77)Given the borderless nature of cyber threats and incidents, the level of cybersecurity and preparedness of third countries may impact entities in the Union. Therefore, ENISA should be able to provide capacity-building activities, including training, capacity-building, twinning activities in third countries, and in particular tailored capacity-building activities for countries that are candidates for accession to the Union or other partner countries in accordance with the Union priorities. Such activities should be conducted following a specific request to provide adequate support, taking into account the priorities of the Union, and be implemented through special arrangements, including through contribution agreements as referred to in Regulation (EU, Euratom) 2024/2509. The European cybersecurity certification framework aims to protect against cyber threats such as maliciously exploited cybersecurity vulnerabilities or cybersecurity incidents affecting the functionality (design and operation) of ICT products, ICT services, ICT processes, managed security services, or cyber posture of entities. By focusing on technical risks related to ICT products, ICT services, ICT processes, managed security services or cyber posture of entities, the ECCF should complement the security of ICT supply chains framework, which aims to ensure a harmonised approach at Union level to address non-technical risks in sectors of high criticality and other critical sectors.

(78)It should be possible for Member States to have recourse to European cybersecurity certification in the context of public procurement in accordance with Directive 2014/24/EU of the European Parliament and of the Council 56 .

(79)To facilitate simplification of compliance for entities, the ECCF should provide for the possibility to certify their cyber posture. Entities, notably those providing multiple types of services across several Member States, may face different cybersecurity and data security-related obligations under horizontal instruments, such as Regulation (EU) 2016/679 of the European Parliament and of the Council 57  and Directive (EU) 2022/2555 of the European Parliament and of the Council 58 , as well as sector-specific instruments. In order to streamline the implementation of the overall cybersecurity regulatory framework and facilitate compliance therewith, it should be possible for Union legislation to provide for the possibility of entities to demonstrate their compliance with cybersecurity risk-management requirements through a European cybersecurity certification certificate. A relevant scheme could contribute to streamlining compliance requirements arising from different regulatory instruments, without prejudice to their specific certification requirements. Such simplification measures have the potential to reduce administrative burden, unlocking resources to strengthen the operational cybersecurity preparedness of entities in critical sectors of the Union.

(80)European certification of cybersecurity risk-management requirements developed within the ECCF should enable entities to demonstrate compliance with relevant Union legislation where a scheme covers the respective legal requirements laid down in such an act and where it provides so. On that basis, a Union legal act may also provide for a presumption of conformity with those requirements. Such schemes could contribute to improving the coherent implementation of cybersecurity requirements of Union legislation to level the playing field across Member States and ease the compliance burden.

(81)The European cybersecurity certification framework should provide for the possibility to certify ICT processes, defined as a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service. A protection profile is an example of an ICT process, as specified under Commission Implementing Regulation (EU) 2024/482 59 . Another example of an ICT process is the set of activities undertaken by a manufacturer to securely design and develop an ICT product, including the physical, logical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the design and implementation of an ICT product in its development environment. The certification of such activities is often referred to as ‘site certification’ in the context of a certification process under Commission Implementing Regulation (EU) 2024/482.

(82)The definition of managed security services in this Regulation should be consistent with that of managed security service providers in Directive (EU) 2022/2555. Those services consist of carrying out, or providing assistance for, activities relating to their customers’ cybersecurity risk management, and have gained increasing importance in the prevention and mitigation of incidents. Accordingly, the providers of those services are considered to be essential or important entities belonging to a sector of high criticality pursuant to Directive (EU) 2022/2555. Managed security service providers in areas such as incident response, penetration testing, security audits and consultancy, play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. However, managed security service providers have themselves also been the target of cyberattacks and pose a particular risk because of their close integration in the operations of their customers. It is therefore necessary that essential and important entities within the meaning of Directive (EU) 2022/2555 exercise increased diligence in selecting managed security service providers.

(83)European cybersecurity certification schemes are relevant to a wide community of stakeholders, such as providers of ICT solutions, conformity assessment bodies and users. To promote wide stakeholder engagement, the European Cybersecurity Certification Assembly (“the Assembly”) should be organised at least once a year with the aim to foster collaboration between the Commission, ENISA, Member States and relevant stakeholders. It will play a pivotal role in identifying and addressing new cybersecurity challenges and strategic priorities for certification, and ensuring that certification schemes facilitate the secure integration of digital technologies and are fit for users’ needs. The Assembly should foster Union leadership in certification activities and uphold the certification framework’s ability to deliver trust for businesses, public authorities, and the public.

(84)The Commission should maintain a dedicated website to ensure transparency by publishing up to date information on the implementation progress of the ECCF. The website should include information related to certification schemes under preparation, strategic priorities for upcoming certification schemes, requests to ENISA to prepare candidate certification schemes and information on adoption of certification schemes. The Commission website will complement ENISA’s website on European cybersecurity certification schemes, which should offer comprehensive details on the technical preparation of candidate schemes and of the maintenance of schemes, focusing on issued European cybersecurity certificates and EU statements of conformity.

(85)In order to enhance the dialogue between the Union institutions and to contribute to a formal, open, transparent and inclusive consultation process, the Commission should take into account elements arising from the views expressed by the European Parliament and by the Council and the European Cybersecurity Certification Assembly when evaluating this Regulation.

(86)Feasibility studies conducted by ENISA should help to prepare for the planning and development of cybersecurity certification schemes. The studies should incorporate the perspectives of relevant stakeholders and align the future certification schemes with ongoing research, development, and technological assessment activities, recognising, in particular, the contributions of Union and Member State research initiatives. Such studies can help to identify available standards and technical specifications. They should be carried out upon request from the Commission, or in accordance with the Union strategic priorities to ensure that the evolving technological landscape and cybersecurity needs are adequately addressed and reflected when requesting and developing schemes.

(87)The design of the candidate scheme and its coverage of security objectives and elements should be commensurate to the subject matter and scope of the certification object. For example, a certification scheme of cloud services might therefore address security objectives which are relevant for ICT services and organisational security. As another example, a security objective related to not including known exploitable vulnerabilities will likely not be relevant to certification of ICT processes.

(88)In order to ensure that European cybersecurity certification schemes are implemented in a harmonised manner across Member States, it is necessary to provide for rules on the maintenance of the schemes. Maintenance activities are also necessary to ensure that the schemes and their supporting documentation remain up-to-date, especially in a cybersecurity field where the threat landscape and technologies constantly evolve. Certification schemes should therefore be designed and maintained in a way that avoids the risk that they are quickly outdated. Maintenance activities should typically involve drafting and updating supporting documentation, including technical specifications and guidelines, as well as identifying standards or technical specifications that are relevant to the scheme. The analysis of the functioning of the scheme, its potential shortcomings and necessary improvement, should also be part of the maintenance activities. In addition, maintenance activities should include information sharing between Member States with regard to on the implementation of the schemes and contributions to peer review and peer assessment mechanisms.

(89)Due to the technical nature of the maintenance activities, ENISA should manage such activities, in cooperation with the Commission and with the support of the European Cybersecurity Certification Group (ECCG) and its relevant sub-group on maintenance. The establishment of the ECCG sub-group on maintenance allows gathering technical contributions and insights from Member States with a view to harmonising approaches.

(90)Maintenance activities should entail interactions with relevant stakeholder groups to ensure that schemes remain market-relevant and up to date, including by sharing and receiving technical contributions. Such stakeholder groups can be standardisation organisations, conformity assessment bodies, vendors, users, public authorities, or trade associations. The specificities of each scheme, including their corresponding technical forums and industries, imply that it should be possible for technical contributions to be gathered in different ways from one scheme to the other. For some schemes, ENISA should be able to rely on an ad hoc working group that gathers experts from the public administrations of the Member States, Union entities, and the private sector. Technical contributions could also come from ISACs or standardisation organisations. ENISA should analyse which format is most suitable for each scheme and include a maintenance strategy in each candidate scheme.

(91)European cybersecurity certification schemes should rely on standards or technical specifications, notably for the definition of security requirements and evaluation methodologies. ENISA should be given the possibility to draft technical specifications to support the preparation and maintenance of schemes, in particular where deliverables from standardisation organisations are missing or not suitable to fulfil the objectives of the scheme. As part of the drafting process, ENISA should be supported by the ECCG and, where applicable, the ad hoc working group set up for the relevant scheme. ENISA should also seek contributions from stakeholder groups. Additionally, ENISA should consider market acceptance, as well as European and international standards. Taking into account the quality of the technical specifications and the objectives of the scheme, it should be possible for the Commission to reference technical specifications drafted by ENISA in a European cybersecurity certification scheme.

(92)Technical specifications developed by ENISA and referenced in a scheme should be made available on the ENISA website on European cybersecurity certification schemes so that all interested parties can access them. However, in some specific cases, publication on the website could pose a risk to the cybersecurity of certified ICT products, ICT services, ICT processes, managed security services or cyber posture of entities and by extension to public safety. For example, technical specifications could contain precise information on new attack paths whose public availability would make it possible for malicious actors to use them. This type of information should be distributed in a restricted manner on a need-to-know basis to relevant stakeholders, such as national cybersecurity certification authorities, conformity assessment bodies and vendors being certified. Due to their restricted distribution, such technical specifications should not be referenced in European cybersecurity certification schemes and, therefore, should be of non-binding nature.

(93)The cyber posture certification schemes should be designed in a modular way, with a view to allowing demonstration of compliance and the presumption of conformity with relevant cybersecurity requirements set out in other Union legislation, where that legislation provides for that possibility. The presumption of conformity with the requirements of these legal acts will therefore only take effect as a possible avenue to demonstrate compliance if the respective legal acts enable such presumption of conformity. The details of such a scheme, namely purpose, objectives or elements will therefore likely differ from those of other schemes. In particular, schemes for the certification of cyber posture of entities should be developed to provide for assessment of continuous conformity of an entity with Union legislation. It is therefore not necessary that cyber posture certification schemes cover all elements of the European cybersecurity certification schemes, such as assurance levels, and this should be reflected in the rules for the schemes.

(94)A framework for cyber posture certification in the ECCF, allows for developing a scheme that enables entities providing services across several Member States to demonstrate compliance with the cybersecurity risk-management obligations laid down in Directive 2022/2555 of the European Parliament and of the Council. On that basis, with the ability to demonstrate compliance, entities can benefit from more coherent and less burdensome supervisory approaches across the internal market. The development of such a certification scheme should be facilitated by the adoption of implementing acts under Directive (EU) 2022/2555. Through extension profiles, a cyber posture certification scheme may demonstrate compliance with requirements where a Member State adopted or maintained provisions ensuring a higher level of cybersecurity in line with Directive (EU) 2022/2555. On this basis, an entity providing services across several Member States can demonstrate compliance with all relevant extension profiles through a single European cybersecurity certificate.

(95)The security objectives and the security requirements set out in European cybersecurity certification schemes for what pertains to product security should be consistent with the essential cybersecurity requirements set out in Annex I to Regulation (EU) 2024/2847. This coherence is necessary to ensure that manufacturers whose products fall within the scope of Regulation (EU) 2024/2847 do not face contradictory requirements when certifying their products under a European cybersecurity certification scheme. Furthermore, consistency of requirements facilitates the presumption of conformity by Article 27 of Regulation (EU) 2024/2847 whereby manufacturers of products with digital elements that have been certified under a European cybersecurity certification scheme can benefit under certain conditions from presumption of conformity with the essential cybersecurity requirements set out in Annex I to that Regulation.

(96)Within the European cybersecurity certification scheme, it should be possible to specify an extension profile, by setting out additional or specific requirements for use cases, including additional capabilities such as enhanced product features, specialised service offerings or assets, optimised processes, and advanced security measures. Since extension profiles do not correspond to a specific assurance level, they should describe their purpose in detail, including the security threats addressed. Extension profiles are intended in particular to demonstrate compliance with specific standards and regulatory requirements, including, where applicable, requirements as regards additional cybersecurity risk-management measures laid down by a Member State following the minimum harmonisation principle in line with Directive (EU) 2022/2555.

(97)Without prejudice to the general peer review system to be put in place across all national cybersecurity certification authorities within the ECCF, it should be possible to include in the European cybersecurity certification schemes a peer-assessment mechanism for the bodies that issue European cybersecurity certificates for ICT products, ICT services, ICT processes, managed security services and cyber posture of entities, in particular for those bodies that issue certificates with an assurance level ‘high’ under such schemes. Such bodies should also include certification bodies of the national cybersecurity certification authorities issuing certificates at assurance level ‘high’. The ECCG should support the implementation of such peer-assessment mechanisms. The peer assessments should assess in particular whether the bodies concerned carry out their tasks in a harmonised way and may include appeal mechanisms.

(98)Crises such as wars, natural disasters, and pandemics might negatively impact certification activities. In crisis scenarios of this nature, it might not be feasible, for example, to ensure site security due to infrastructure destruction, cyberattacks, personnel unavailability, and the inaccessibility of the site. A European cybersecurity certification scheme should therefore specify temporary rules on continuity of certification activities during such scenarios.

(99)Translating technical candidate schemes into implementing acts requires complex technical and legal knowledge and can create significant administrative burden. Moreover, certain elements of European cybersecurity certification schemes, such as vulnerability management or the conditions under which such marks or labels may be used, are cross-sectoral and may benefit from harmonised reference provisions. To ensure the quality of adopted European cybersecurity certification schemes and reduce compliance burden for businesses, the Commission should be empowered to adopt model provisions covering certain elements of European cybersecurity certification schemes.

(100)In order to ensure the consistency of the European cybersecurity certification framework, it should be possible within a European cybersecurity certification scheme to specify assurance levels for European cybersecurity certificates and EU statements of conformity issued under that scheme. A European cybersecurity certificate should refer to one of the assurance levels: ‘basic’, ‘substantial’ or ‘high’, while the EU statement of conformity should only refer to the assurance level ‘basic’. The assurance levels should provide the corresponding rigour and depth of the evaluation of the ICT product, ICT service, ICT process, managed security service or cyber posture of an entity and should be characterised by reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to mitigate or prevent incidents. Each assurance level should be consistent among the different sectorial domains where certification is applied.

(101)The choice of the appropriate certification and associated security requirements by the users of European cybersecurity certificates should be based on an analysis of the risks associated with the use of the ICT products, ICT services, ICT processes, managed security services or the context of the certification of entities. Accordingly, the assurance level should be commensurate with the level of risk associated with the intended use of the ICT product, ICT service, ICT process, managed security services, or the operational environment and nature of the entity the cyber posture of which is subject to certification. 

(102)For assurance level ‘basic’, the evaluation should be guided at least by the following assurance components: the evaluation should at least include a review of the technical documentation of the ICT product, ICT service, ICT process, managed security service or cyber posture of an entity by the conformity assessment body. Where the certification includes ICT processes, the process used to design, develop and maintain an ICT product, ICT service, managed security service or cyber posture of an entity should also be subject to the technical review. Where a European cybersecurity certification scheme provides for a conformity self-assessment, it should be sufficient that the manufacturer or provider of ICT products, ICT services, ICT processes or managed security services, or the entity whose cyber posture of which is subject to certification, has carried out a self-assessment of the compliance of the ICT product, ICT service, ICT process, managed security service or cyber posture of an entity with the certification scheme.

(103)For assurance level ‘substantial’, the evaluation, in addition to the requirements for assurance level ‘basic’, should be guided at least by the verification of the compliance of the security functionalities of the ICT product, ICT service, ICT process, managed security service or cyber posture of an entity with its technical documentation.

(104)For assurance level ‘high’, the evaluation, in addition to the requirements for assurance level ‘substantial’, should be guided at least by an efficiency testing which assesses the resistance of the security functionalities against elaborate cyberattacks performed by persons who have significant skills and resources. Conformity assessment activities should be performed in the European Economic Area for assurance level ‘high’ or where a scheme is designed to demonstrate compliance and provide for presumption of conformity with other Union legislation. This requirement is justified by the fact that assessment activities taking place outside the European Economic Area give rise to additional threats to cybersecurity, in particular the intellectual property of the evaluated ICT products, ICT services, ICT processes, managed security services or entities. For instance, the source code of an ICT product could be scrutinised when crossing the border of a third country, which constitutes a risk to intellectual property. Additionally, testing laboratories established in third countries do not operate in an environment that is concerned by the cybersecurity measures mandated by EU legislation, such as Directive (EU) 2022/2555 or Regulation (EU) 2024/2847. For instance, a testing laboratory may rely on a third-party cloud service provider which do not abide to the cybersecurity requirements of Directive (EU) 2022/2555. Nevertheless, a certification scheme should be allowed to provide for derogation mechanisms for instance related to site certification or in other instances where conformity assessment activities cannot be reasonably performed in the European Economic Area.

(105)In some cases, different approaches to meet security objectives of a given assurance level might be required to address specifics of an ICT product, ICT service, ICT process, managed security services or cyber posture of entities. To allow for a more granular approach, it should be possible in a European cybersecurity certification scheme to specify one or several evaluation levels corresponding to one of the assurance levels. This will enable development of schemes where multiple evaluation levels designed for a different purpose will correspond to the level of security associated with a specific assurance level.

(106)European cybersecurity certification schemes should be allowed to provide for a conformity assessment to be carried out under the sole responsibility of the manufacturer or provider of ICT products, ICT services, ICT processes or managed security services, or the entity the cyber posture of which is certified (‘conformity self-assessment’). In such cases, it should be sufficient that the manufacturer, provider or entity the cyber posture of which is certified, carries out all of the checks itself to ensure that the ICT products, ICT services, ICT processes, managed security service or cyber posture of an entity conform with the European cybersecurity certification scheme. Conformity self-assessment should be considered to be appropriate for ICT products, ICT services, ICT processes, managed security service or cyber posture of entity that are of low complexity, that present a low risk to the public and that have a simple design or simple production mechanisms.

(107)Where a European cybersecurity certification scheme allows for both conformity self-assessments and certifications of ICT products, ICT services, ICT processes, managed security services or cyber posture of entities, in such a case, the certification scheme should provide for clear and understandable means for consumers or other users to differentiate between self-assessed and third-party certified ICT products, ICT services, ICT processes, managed security services or cyber posture of entities.

(108)The manufacturer or provider of ICT products, ICT services, ICT processes or managed security services, or the entities the cyber posture of which is certified, should be able to issue and sign the EU statement of conformity as part of the conformity assessment procedure. An EU statement of conformity is a document that states that a specific ICT product, ICT service, ICT process, managed security service or the cyber posture of an entity complies with the requirements of the European cybersecurity certification scheme. By issuing and signing the EU statement of conformity, the manufacturer or provider of ICT products, ICT services, ICT processes or managed security services, or the entity the cyber posture of which is certified, assumes responsibility for the compliance of the ICT product, ICT service, ICT process, managed security service or the cyber posture of the entity with the security requirements of the European cybersecurity certification scheme. A copy of the EU statement of conformity should be submitted to the national cybersecurity certification authority and to ENISA.

(109)Manufacturers or providers of ICT products, ICT services, ICT processes or managed security services, or entities the cyber posture of which is certified, should make the EU statement of conformity, technical documentation, and all other relevant information relating to the conformity with a European cybersecurity certification scheme available to the competent national cybersecurity certification authority for a period provided for in the relevant European cybersecurity certification scheme and in line with applicable Union legislation. The technical documentation should specify the requirements applicable under the scheme to the extent relevant to the conformity self-assessment. The technical documentation should be so compiled as to enable the assessment of whether an ICT product, ICT service, ICT process or managed security service, or cyber posture of the entity complies with the requirements applicable under the scheme.

(110)European cybersecurity certificates and EU statements of conformity should help users make informed choices. Therefore, relevant information should be published on a website maintained by ENISA. Furthermore, ICT products, ICT services, and ICT processes that have been certified or for which an EU statement of conformity has been issued should be accompanied by structured information that is adapted to the expected technical level of the intended user. All users should have access to information regarding the reference number of the certification scheme, the issuing authority or body, and, where applicable, the assurance level, or should be able to obtain a copy of the European cybersecurity certificate. That information should be regularly updated and made available on a dedicated website on European cybersecurity certification schemes. Furthermore, in order to ensure continuous accessibility, manufacturers and providers should be required to notify the relevant certification body if the location of the online or, where relevant, physical information changes.

(111)A conformity assessment is a procedure for evaluating whether specified requirements relating to an ICT product, ICT service, ICT process, managed security service or entity have been fulfilled. That procedure is carried out by an independent third party that is not the manufacturer or provider of the ICT products, ICT services, ICT processes or managed security services that are being certified, nor the entity the cyber posture of which is being assessed. A European cybersecurity certificate should be issued following the successful evaluation of an ICT product, ICT service, ICT process, managed security service or cyber posture of the entity. A European cybersecurity certificate should be considered to be a confirmation that the evaluation has been properly carried out.

(112)The strict separation of the supervisory and certification activities is important to avoid distortions and interferences that may be caused in situations where the entity supervising the market is also competing in the same market. Consequently, activities where the national cybersecurity certification authorities merely carry out their supervisory role, such as by providing prior approval to the issuance of a certificate, should not require further internal separation from other supervisory activities. This includes, for example, a situation where the national cybersecurity certification authority actively gathers information throughout the certification process carried out by private conformity assessment bodies and then gives its opinion on the issuance of the certificate by those bodies (‘prior approval model’).

(113)European cybersecurity certification schemes should specify the conditions under which ICT products, ICT services, ICT processes, managed security services or cyber posture of an entity may need to be recertified or under which the scope of a specific European cybersecurity certificate may need to be reduced. Furthermore, European cybersecurity certification schemes should take into account any possible adverse effects of any subsequently detected vulnerabilities or nonconformities concerning the certified ICT product, ICT service, ICT process, managed security service or cyber posture of an entity with regard to conformity with the security requirements of that certificate.

(114)Harmonisation plays a crucial role in ensuring robust cybersecurity and enhancing market access for businesses. In contrast, fragmentation and the lack of mutual recognition of certificates pose significant barriers to the seamless flow of data, thereby increasing operational costs for Union industry. To mitigate those challenges, it is essential to avoid fragmentation both in the scope of the security controls and in the conformity assessment methods throughout the Union.

(115)Member States should inform the Commission and the ECCG sufficiently in advance before adopting new national cybersecurity certification schemes for ICT products, ICT services, ICT processes, managed security services or cyber posture of entities in order to help the Commission and the ECCG evaluate the impact of the new national cybersecurity certification scheme on the proper functioning of the internal market, and in light of any strategic interest in requesting a European cybersecurity certification scheme.

(116)References in national legislation to national standards which have ceased to be effective due to the entry into force of a European cybersecurity certification scheme can be a source of confusion. Therefore, where relevant, Member States should reflect the adoption of a European cybersecurity certification scheme in their national legislation.

(117)With a view to facilitating the growth of a reliable internal market, while also creating partnerships with third countries, the certification process established within the ECCF should be implemented in a manner that facilitates international recognition, mutual recognition and alignment with international standards.

(118)In order to further facilitate trade, and recognising that ICT supply chains are international, mutual recognition agreements concerning European cybersecurity certificates may be concluded by the Union in accordance with Article 218 TFEU. The Commission should be empowered to adopt implementing acts to unilaterally recognise the equivalence of third country certificates with European cybersecurity certificates. It should be possible to provide specific conditions for such recognition of third country certificates.

(119)In order to achieve equivalent implementation of the framework throughout the Union, to facilitate mutual recognition and to promote the overall acceptance of European cybersecurity certificates and EU statements of conformity, it is necessary to put in place a system of peer review between national cybersecurity certification authorities. Peer review should cover procedures for supervising the compliance of ICT products, ICT services, ICT processes, managed security services and cyber posture of entities with European cybersecurity certificates, for monitoring the obligations of manufacturers or providers of ICT products, ICT services, ICT processes, managed security services and certified entities who carry out the conformity self-assessment, for monitoring conformity assessment bodies, as well as the appropriateness of the expertise of the staff of bodies issuing certificates for assurance level ‘high’. ENISA should participate in the peer reviews as observer and support the organisation of the peer review mechanism and peer reviews, including by developing relevant guidance documents and templates, in cooperation with the Commission and the ECCG. ENISA should also make publicly available on their website on European cybersecurity certification schemes the information on the schedule of peer reviews and the list of peer-reviewed national cybersecurity certification authorities that are to carry out the schedule. Commission Implementing Regulation (EU) 2025/2540 60 , adopted under Regulation (EU) 2019/881 establishes the plan for peer reviews which is being utilised by the adopted European cybersecurity certification schemes. It is necessary to ensure the continuation of the peer reviews. Nevertheless, the Commission should be able, by means of implementing acts, where needed, to establish a new plan for peer reviews of at least five years, as well as to lay down criteria and methodologies for the operation of the peer review system.

(120) Once a European cybersecurity certification scheme is adopted, manufacturers or providers of ICT products, ICT services, ICT processes, managed security services or the entities the cyber posture of which is the subject of certification, should be able to submit applications for certification of their ICT products, ICT services, ICT processes, managed security services or cyber posture to the conformity assessment body of their choice anywhere in the Union. Conformity assessment bodies should be accredited by a national accreditation body if they comply with the requirements set out in this Regulation, and, where applicable, with the requirements specified by the Commission in accordance with this Regulation. The system set out in this Regulation should be complemented by the accreditation system provided for in Regulation (EC) No 765/2008 of the European Parliament and of the Council 61 .

(121) Conformity assessment bodies that have been accredited or notified under existing Union legislation, in particular Regulation (EU) 2024/2847 or Implementing Regulation (EU) 2024/482, might possess competencies that are relevant to newly adopted European cybersecurity certification schemes. To avoid unnecessary financial and administrative burden, it is appropriate to create synergies for the accreditation of conformity assessment bodies under this Regulation. For this reason, the accreditation requirements of the schemes should be established in such a way that there is as much alignment as possible with requirements relating to notified bodies set out in Regulation (EU) 2024/2847 and accreditation requirements under Implementing Regulation (EU) 2024/482. In addition, conformity assessment bodies that undergo an accreditation process under this Regulation should be able to rely on previous results of evaluation of their competences under other Union legislation, whenever there is an overlap in the accreditation requirements.

(122)With a view to facilitating harmonised conformity assessment services across the Union, it should be possible to set out in a European cybersecurity certification scheme additional or specific requirements for conformity assessment bodies. In the context of certification, an authorisation should be understood as a decision by a national cybersecurity certification authority that a conformity assessment body meets the specific or additional requirements set out in a European cybersecurity certification scheme, to carry out a specific conformity assessment activity.

(123)Where a European cybersecurity certification scheme sets out additional or specific requirements in accordance with this Regulation, the conformity assessment bodies should be authorised by the national cybersecurity certification authorities to carry out tasks under such scheme. In order to avoid multiple authorisation, to enhance acceptance and recognition of authorisation decisions and to carry out effective monitoring of authorised conformity assessment bodies, conformity assessment bodies should request authorisation by the national cybersecurity certification authority of the Member State in which they are established. Nevertheless, it is necessary to ensure that a conformity assessment body is able to request authorisation in another Member State in the event that there is no national cybersecurity certification authority in its own Member State or where the national cybersecurity certification authority does not have the competence to provide the authorisation services requested. In such cases, appropriate cooperation and exchange of information between national cybersecurity certification authorities should be ensured. The Commission should be empowered to adopt implementing acts establishing the procedures for authorisation, including for cross-border cooperation with regard to authorisation.

(124)In order to safeguard the level of protection required for an ICT product, ICT service, ICT process, managed security service or cyber posture of an entity, it is essential that conformity assessment subcontractors and subsidiaries are required to meet the same requirements as the notified conformity assessment bodies in relation to the performance of conformity assessment tasks. Accordingly, a conformity assessment body should have the appropriate competence and be able to verify that the applicable requirements are met by its subcontractors.

(125)The extent to which the conformity assessment body intends to rely on subcontractors established outside the Union, or have access to personnel or facilities outside the Member State of notification should be appropriately assessed by the notifying authority. The public authority of a Member State should have the possibility to decide that it cannot take the overall responsibility as a national cybersecurity certification authority for such an arrangement, and to withdraw or limit the scope of the notification.

(126)In order to evaluate the cybersecurity requirements for ICT products, ICT services, ICT processes, managed security services or the cyber posture of entities, accredited conformity assessment bodies should be notified by the national cybersecurity certification authorities to the Commission and the other Member States. Notification of accredited and, where applicable, authorised conformity assessment bodies indicates that those bodies can be trusted in performing evaluation and certification activities in accordance with this Regulation and the European cybersecurity certification scheme, contributing to the overall reputation of European cybersecurity certification. It is therefore essential to ensure that conformity assessment bodies that have been notified meet their requirements and fulfil their obligations over time, and that the list of notified conformity assessment bodies is kept up to date.

(127)Commission Implementing Regulation (EU) 2024/3143 62 adopted under Regulation (EU) 2019/881 establishes the circumstances, formats and procedures for notifications of conformity assessment bodies which are being utilised by the adopted European cybersecurity certification schemes. It is therefore necessary to ensure the continuation of the notification activities. Nevertheless, the Commission should be empowered to adopt implementing acts to adjust those circumstances, procedures and formats for the notification of conformity assessment bodies. In this context, the Commission should draw on the experience gained in the context of existing schemes, and seek alignment with other relevant Union legislation and frameworks, in particular Regulation (EU) 2024/2847 and the new legislative framework, in view of reducing compliance burden for conformity assessment bodies active under different legal instruments.

(128) Information and communication technology (ICT) supply chains are composed of a linked set of resources and processes between economic operators. ICT supply chains play a crucial role in sustaining societal stability and driving economic activity across the Union. They also play a critical role in enabling the digital infrastructure in the Union and underpin the functioning of Union society and economy. ICT supply chains enable the manufacture, production, distribution, and maintenance of ICT services, ICT systems and ICT products that underpin various critical and highly critical sectors, including healthcare, finance, transportation, telecommunication, energy and customs. The security of the ICT supply chains of those critical sectors may also have impact on the security of defence and military infrastructure, where this infrastructure relies on civilian critical sectors and their ICT supply chains. However, according to the report on the status of the cybersecurity threats issued by ENISA (ENISA Threat Landscape 2025) 63 , attacks against supply chains are amongst the five prime threats to cybersecurity showing that attackers actively leveraging indirect pathways through third-party providers and dependencies. Disruption of ICT supply chains can impede the pursuit of economic activities in the internal market, generate financial loss, undermine user confidence and cause major damage to the Union’s economy and society. Cybersecurity preparedness and effectiveness are therefore more essential than ever to the proper functioning of the internal market.

(129)Beyond technical risks which are addressed by Directive (EU) 2022/55 of the European Parliament and of the Council 64 , Regulation (EU) 2024/2847 of the European Parliament and of the Council 65 and the European cybersecurity certification Framework established by Regulation (EU) 2019/881, ICT supply chains are increasingly exposed to risks of a non-technical nature. Such non-technical risks may be linked, but not limited, to the jurisdiction to which a supplier of certain components is subject, in particular where a third country or threat actors controlled from that country engage in economic espionage, carry out malicious cyber activities or campaigns against the Union or its Member States, or engages in irresponsible State behaviour in cyberspace. Non-technical risks can also be linked to concealed vulnerabilities or backdoors or potential systemic supply disruptions, in particular in the case of technological lock-in or supplier dependency. For instance, kill switches could be used to negatively impact the availability of communication networks and electricity grids.

(130)The Joint Communication on Strengthening EU economic security 66 underlined the risk of third countries gaining access to sensitive information and data in the Union or its Member States, either as a result of industrial espionage, their supply of hardware or software used in certain products or due to their ownership and control of certain businesses possessing sensitive information and data. It also underlined the risk of the Union’s critical infrastructure - including critical transport, space systems, energy and communications infrastructure, in particular those that are identified as strategic to military mobility - being disrupted by foreign actors, which could lead to cascade effects on the Union economy. Disruptions could occur through physical, cyber or hybrid attacks, including the sabotage of entire facilities or their parts or subcomponents. They could also be linked to ICT supply chains, which underly critical components or services to critical infrastructures.

(131)In response to challenges to ICT supply chain security posed by non-technical risks, some Member States have taken regulatory measures, including designation of high-risk suppliers, whilst other Member States are likely to do so. This could lead to further divergence in national approaches, and ultimately to higher vulnerability of some Member States, with potential spill-over effects across the Union. Therefore, it is necessary to harmonise certain aspects related to the non-technical cybersecurity risks to the ICT supply chain. Such intervention at Union level is also justified in view of the need to ensure a high level of cybersecurity across the Union. The provisions on the ICT supply chain security aim to remove such wide divergences among Member States, in particular by setting out rules for risk assessment mechanisms of ICT supply chain security risks at Union level and minimum standards of protection from ICT supply chain risks.

(132)To reduce critical dependencies and vulnerabilities, it is necessary to establish a trusted ICT supply chain framework which should address non-technical risks related to high-risk suppliers and dependencies in sectors of high criticality and other critical sectors. Therefore, it is necessary to provide an objective, risk-based, future-proof and technology-neutral framework at Union level, to identify key ICT assets and provide for a set of proportionate mitigating measures to address the risks.

(133)Cybersecurity risks, including risks related to dependency on high-risk suppliers may be observed in several critical ICT supply chains in the Union, including detection equipment, connected and automated vehicles, electricity supply systems and electricity storage, water supply systems, drones and counter-drones systems, cloud computing services, medical devices, surveillance equipment, space services and semiconductors. For example, vulnerabilities in security detection equipment could grant access to ICT systems allowing malicious actors to manipulate scanners in such a way that prohibited items could be brought through the security checkpoint without being detected, with possibly catastrophic consequences.

(134)This Regulation should not preclude Member States from adopting or maintaining provisions ensuring a higher level of cybersecurity for what concerns ICT supply chain security, provided that such provisions are consistent with Member States’ obligations laid down in Union law. Such provisions may for instance include imposing stricter mitigation measures as regards the key ICT assets.

(135)In order to identify potential cybersecurity risks affecting specific ICT supply chains, the Cooperation Group established by Article 14 of Directive (EU) 2022/2555 (‘NIS Cooperation Group’) may assess specific ICT supply chains by means of Union-level coordinated security risk assessments. The Union-level coordinated security risk assessments should look, among others, at the main threat actors, the main threats and vulnerabilities affecting the key ICT assets. The Union-level coordinated security risk assessments should develop a list of risk scenarios and a list of measures to mitigate the risks. Union-level coordinated security risk assessments should be completed within six months. In case of specific urgency, it should be possible to shorten the deadlines.

(136)In cases where the Commission has sufficient reason to believe that there is a significant cyber threat for the security of the Union related to critical ICT supply chains and an action might be necessary to preserve the proper functioning of the internal market, it should without delay consult Member States on the need for mitigating measures and carry out a security risk assessment, taking into account the consultation of the Member States.

(137)Where, as a result of a security risk assessment conducted by the NIS Cooperation Group or the Commission, it appears that a specific third country poses serious and structural non-technical cybersecurity risks to ICT supply chains, the Commission should verify the threat posed by that country. The Commission may initiate such verification also on the basis of other sources such as a public statement on behalf of the Union or a Member States in response to, instances of irresponsible state behaviour in cyberspace that has led to a cybersecurity incident. In order to assess the level of threat, the Commission should take into account elements such as the existence of laws or practices in the third country which require entities under their jurisdiction to report information on software or hardware vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited. Another relevant element is the absence of effective judicial remedies, and independent and democratic control mechanisms, that can correct security concerns, including about existing practices, the substantiated information about incidents of threat actors operating out of the territory of that country carrying out malicious cyber activities or campaigns, and the lack of ability or willingness of the third country to cooperate with the Commission or Member States to address the risk stemming from the operation of such threat actors. The Commission should also take into account information stemming from Union-level coordinated security risk assessments or reports issued by Member States or international organisations such as NATO.

(138)For the purpose of this Regulation, the notion of control should be understood as the ability to exercise a decisive influence on a legal entity directly, or indirectly through one or more intermediate legal entities The control of entities from a third country posing cybersecurity concerns should also be established in situations where such entity is having executive management structures in that country.

(139)The Union should not fund projects involving high-risk suppliers, which would jeopardise the Union’s security and undermine the Union’s interests and credibility. High-risk suppliers identified under this Regulation should therefore not be entitled to participate in any Union funding programmes and instruments implemented in direct and indirect management in accordance with the Article 136 of the Regulation (EU/Eurotom) 2024/2509 and Union sector specific rules as well as in any Union funding activities implemented in shared management, including under the next Multiannual Financial Framework in relation to the provision of ICT components or components that include ICT components to be used in identified key ICT assets. Union implementing partners, such as European Investment Bank Group and national promotional banks and institutions should refrain from supporting projects that contradict the above, including in operations at own risk.  

(140)Public procurement can be a strong tool for public authorities to contribute to a more innovative, sustainable and competitive economy and for spending public money in a strategic manner. Public procurement related to ICT supply chains should not be used to benefit suppliers that threaten the security of the Union’s critical infrastructure. High-risk suppliers identified under this Regulation should therefore not be entitled to participate in public procurement concerning the provision of ICT components or components that include ICT components to be used in identified key ICT assets.

(141)Cybersecurity certification plays a role in strengthening overall security and countering cyber threats, serving as benchmark of trust. This trust could be eroded if cybersecurity skills attestations were delivered by high-risk suppliers that should therefore not be entitled to apply to become authorised providers of any Union individual cybersecurity skills attestations. In a similar vein, it is also appropriate to exclude high-risk suppliers from obtaining cybersecurity certification under the ECCF, and becoming accredited conformity assessment bodies to deliver such certificates.

(142)Cybersecurity standards play a critical role in the security and trustworthiness of digital infrastructures. It is necessary to take appropriate measures to ensure standardisation in the field of cybersecurity. The involvement of entities established in or controlled from countries which have been identified as posing cybersecurity concerns to the ICT supply chain in line with this Regulation may lead to influencing cybersecurity standards in a way that undermines their security and trustworthiness.

(143)Based on the results of the security risk assessments, the Commission may identify, by means of implementing acts, which ICT assets should be regarded as key ICT assets due to their criticality and subject to specific mitigating measures. The mere existence of the possibility of connectivity of the asset should be sufficient to consider their cybersecurity risk.

(144)Where necessary to ensure a high level of cybersecurity, cyber resilience and trust within the Union, the mitigating measures may be applied to entities in relation to their ICT supply chain and in particular to key ICT assets identified. The proposed mitigating measures should be based on the assessment of potential risks and dependencies, including the potential economic and societal impact of such measures on the entities concerned operating in highly critical or other critical sectors and in particular SMEs. The economic impact should look at the costs of the implementation of the mitigation measures, including the duration of the lifecycle of the relevant components in the key ICT assets in case where the measures include the replacement of suppliers. The availability of alternative suppliers on the market should also be assessed in order to ensure continued provision of the services.

(145)As mitigating measures could potentially have a restrictive effect on international trade in goods and services, they should be proportionate and targeted to pursue the legitimate objective to ensure the cybersecurity of ICT supply chains in relation to entities of the type referred to in Annexes I and II to Directive (EU) 2022/2555, in line with the Union’s international obligations.

(146)Use, installation or any other kind of integration of components provided by high-risk suppliers in the operation of key ICT assets may be related to risks of subsequent transfers of data to a third country. In particular, risks may be posed by an insufficient level of protection offered to the data in the third country, such as for the protection of fundamental rights, intellectual property or trade secrets, or unlawful access and exploitation of that data for possible future supply chain disruptions and espionage purposes. To mitigate such risks, restrictions in relation to transfer of specific types of data to third countries may be applied.

(147)Important vulnerabilities stem from a lack of diversity in equipment used by entities of the type referred to in Annexes I and II to Directive (EU) 2022/2555. A reliance on a single supplier creates a dependency on specific equipment or solutions. A lack of diversity of suppliers increases the overall vulnerability of critical infrastructure, in particular if entities source their ICT components used in sensitive ICT assets from a supplier presenting a high degree of risk. Dependency also significantly affects national and Union-wide resilience and creates single points of failure. To mitigate such risks, requirements to have more than one supplier for specific key ICT assets may be applied.

(148)Union entities may also be using key assets as defined by this Regulation. Therefore, the rules laid down in this Regulation concerning ICT supply chain security should also be applicable to them. To ensure that the specificity of Union entities is taken into account, it is important to consider non-technical risks stemming from ICT supply chains in regard to Union entities when conducting Union-level coordinated security risk assessments.

(149)In exceptional circumstances justifying an immediate intervention to preserve the proper functioning of the internal market and where there is a clear evidence giving the Commission sufficient reason to consider that the use of ICT components or components that include ICT components from a specific supplier represents a significant cybersecurity threat for the economic or societal activities of at least three Member States, the Commission may propose, in close consultation with Member States, to prohibit the use, installation or integration of such components from this supplier by type of entities referred to in Annexes I and II to Directive (EU) 2022/2555.

(150)In order to ensure proportionality of measures applied, entities established in a third country posing cybersecurity concerns designated in accordance with this Regulation, or controlled by such third country, by an entity established in such third country, or by a national of such third country can apply to be exempted from the prohibition to provide to entities of a type referred to in Annexes I and II to Directive (EU) 2022/2555 ICT components or components that include ICT components for their use, installation or integration in key ICT assets of that entity and participate in public procurement procedures organised in accordance with legislation transposing Directives 2014/24/EU 67 and 2014/25/EU of the European Parliament and of the Council 68  procedures in relation to the provision of ICT components or components that include ICT components to be used in identified key ICT assets.  For that purpose, the entity should demonstrate with clear evidence that it applies effective measures addressing the non-technical risks and ensuring the absence of any possible undue interference by a third country posing cybersecurity concerns.

(151)Electronic communications networks form the backbone for a wide range of services that are essential for the functioning of the internal market and the maintenance and operation of vital societal and economic functions – such as energy, transport, banking, health, defence, as well as industrial control systems. Therefore, those highly critical networks are attractive targets for all types of cyberattacks and hybrid threats, for disruptions, espionage, intelligence gathering, as well as for fraud and financial crime. The risk assessment of the NIS Cooperation Group on the cybersecurity and resiliency of Europe’s communications infrastructures and networks identified a number of risks and threats of strategic importance from a Union perspective, such as wiper/ransomware, attacks, supply chain attacks, network intrusions, and Distributed denial-of-service (DDoS) attacks.

(152)In view of the interconnection and interdependence between the different national electronic communications networks, it is necessary that all Member States take appropriate measures to ensure the security of their networks. For the same reasons, there is a need to have in place an effective legal framework at Union level addressing also non-technical risks and ensuring the security of interconnected electronic communications networks in a comprehensive way.

(153)In particular, the cybersecurity of 5G networks is a matter of strategic importance for the Union as those networks form the backbone for a wide range of services of essential importance for the functioning of the internal market and are also key in setting up our defence readiness, including in relation to military mobility. 5G networks are capable of providing reliable ultra-fast connectivity, for example for data and information sharing, detection of drones and real-time battlefield coordination.

(154)5G deployment consists primarily in non-standalone networks, where only the radio access network is upgraded to 5G technology, while the rest of the network still relies on an existing 4G core network. 5G non-standalone networks builds primarily on infrastructure already in place, meaning that the security of future 5G networks is, to a certain extent, determined by network equipment already in place and the configuration of such equipment. Therefore, mitigating measures should also cover 4G networks on which the 5G deployment relies.

(155)In order to address important security challenges in 5G networks, Member States within the NIS Cooperation Group, together with the Commission and ENISA, carried out a Union-level coordinated security risk assessment of 5G networks, examining both technical and non-technical risks. This assessment identified several risks, including potential interference from third countries or third country actors via the supply chain, and categorised assets according to their criticality. This assessment should be taken as a basis for defining the key ICT assets for 5G communications networks.

(156)To mitigate the risks identified in the Union-level coordinated security risk assessment of 5G networks, the NIS Cooperation Group adopted the EU Toolbox on 5G cybersecurity, setting out strategic and technical measures. Even though a majority of the Member States have legal frameworks that allow for restrictions or exclusions of high-risk suppliers as recommended in the 5G Toolbox, the implementation of those frameworks has not been uniform. This results in an important number of 5G sites across the Union being supplied by high-risk suppliers as referred to in the Commission’s communication on the implementation of the 5G Toolbox 69 . This situation creates vulnerabilities, including strategic dependency and potential exposure to third-country interference, which could also affect future 6G infrastructure built on existing 5G networks. The fragmented implementation of the 5G Toolbox recommended measures, particularly regarding the scope of restrictions on high-risk suppliers, has led to divergences between Member States, which results in an unlevelled playing field that divides the internal market and weakens overall network security. The European Court of Auditors has highlighted these disparities, warning that the absence of a coordinated approach undermines the functioning of the internal market. Persistent dependency on high-risk suppliers poses serious risks to the security of critical infrastructure in the Union and could erode trust in the internal market, as inconsistent security levels may discourage consumers and businesses from relying on 5G-based products and services across the Union. It is therefore essential to have Union-level measures to ensure a harmonised approach to the security of 5G networks.

(157)For the purpose of setting up a phasing out period for the key ICT assets of fixed and satellite electronic communications networks, the Commission should carry out an assessment taking due account of the degree of the security risks related to each specific ICT key assets of the fixed and satellite networks, the lifetime of relevant components and the economic impact that the removal of those components would have on the operators concerned. Based on the results of that assessment, the Commission may consider setting up different phasing out periods for the particular key ICT assets and their integral elements.

(158)For the purposes of effective supervision and enforcement of obligations concerning the providers of mobile, fixed and satellite electronic communication networks, the relevant competent authorities under this Regulation should ensure close cooperation with the competent authorities under the [DNA proposal]. Upon request from a competent authority designated under this Regulation, national regulatory authorities or other competent authorities for radio spectrum, where appropriate, should withdraw the rights referred to in Article 9 and Article 20 [DNA Proposal] if the provider of public electronic communications networks is not complying with the obligations under this Regulation, including if the provider does not phase out ICT components or components that include ICT components from high-risk suppliers in the operation of key ICT assets within the period specified in accordance with this Regulation.

(159)In view of the differences in national governance structures, Member States should designate or establish one or more competent authorities responsible for the supervisory and enforcement measures under this Regulation.

(160)The competent authorities should provide support to entities of the type referred to in Annexes I and II o Directive (EU) 2022/2555 for the compliance with their obligations under this Regulation. For that purpose, the Commission should assess whether suppliers that may be affected by specific prohibitions are established in third country posing cybersecurity concerns or controlled by such third country or by an entity established in such third country or by a national of such third country. Competent authorities should cooperate closely with the Commission and other competent authorities within the Network established under this Regulation. Based on the assessment by the Commission, the competent authorities should share relevant information concerning high-risk suppliers with relevant entities of the type referred to in Annexes I and II to Directive (EU) 2022/2555. Entities are not expected to verify whether a supplier is under foreign control but may rely fully on information received from competent authorities. The competent authorities should ensure that no unnecessary administrative burden is imposed on those entities.

(161)In order to ensure effective compliance, this Regulation should provide for supervisory and enforcement measures through which the competent authorities can supervise entities of the type referred to in Annexes I and II to Directive (EU) 2022/2555. Where the competent authorities execute their supervisory and enforcement tasks in relation to those entities, they should not go beyond what is necessary and be proportionate to the identified risks.

(162)In order to make enforcement effective and consistent across the Union, it is necessary to provide enforcement powers that competent authorities can exercise for breach of the obligations laid down in this Regulation. When exercising those enforcement powers, the competent authorities should have due regard to a number of factors, including the nature, gravity and duration of the infringement, the material or non-material damage caused, whether the infringement was intentional or negligent, actions taken to prevent or mitigate the material or non-material damage, the degree of responsibility or any relevant previous infringements, the degree of cooperation with the competent authority and any other aggravating or mitigating factor. The enforcement measures, including penalties, should be proportionate and their imposition should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of defence.

(163)It is important to also provide for the power to impose periodic penalty payments, in order to compel an entity of the type referred to in Annexes I or II to Directive (EU) 2022/2555 to cease an infringement of this Regulation in accordance with a prior decision of the competent authority.

(164) In order to ensure effective enforcement of the obligations laid down in this Regulation, each competent authority should have the power to impose or request the imposition of penalties.

(165)For the purpose of imposing penalties on an entity of the type referred to in Annexes I and II to Directive (EU) 2022/2555 that is an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU. Where a fine is imposed on a person that is not an undertaking, the competent authority should take account of the general level of income in the Member State as well as the economic situation of the person when considering the appropriate amount of the penalties. It should be for the Member States to determine whether and to what extent public authorities should be subject to penalties. Imposing a penalty should not affect the application of other powers of the competent authorities.

(166)In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission in respect of the adoption of implementing acts laying down detailed rules relating to fees levied by ENISA, implementing acts providing for a European cybersecurity certification scheme for ICT products, ICT services, ICT processes, managed security services or cyber posture of entities, implementing acts laying down common principles and reference provisions intended to provide for elements across European cybersecurity certification schemes, implementing acts specifying procedures for prior approval or general delegation models, implementing acts on recognising a third country or international organisation cybersecurity certificates as equivalent to European cybersecurity certificates, implementing acts establishing a plan for peer review, implementing acts to establish the procedures, including on cross-border cooperation, for authorisation of the conformity assessment bodies, implementing acts to establish the circumstances, formats and procedures for notifications of conformity assessment bodies, implementing acts designating a third country as a country posing cybersecurity concerns to ICT supply chains, implementing acts identifying key ICT assets used for the manufacturing of products or the provision of services by entities of the type referred to Annexes I and II to Directive (EU) 2022/2555, implementing acts establishing that entities operating in sectors of high criticality and other critical sectors are subject to specific mitigating measures and specifying the time periods for the phasing out of ICT components or components that include ICT components provided by high-risk suppliers, implementing acts further specifying conditions regarding the exemption for entities established in or controlled by entities from a third country posing cybersecurity concerns, as well as the adoption of implementing acts laying down detailed rules relating to fees levied by the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council, and the examination procedure should be used. In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should also be conferred on the Commission in respect of establishing a list of high-risk suppliers relevant for certain measures provided for in this Regulation.

(167)It is necessary that European cybersecurity certification schemes reflect the latest technological developments, new related threats, and the adoption of new Union legislation setting out the demonstration of compliance and the presumption of conformity through European cybersecurity certification with relevant cybersecurity requirements of that legislation. For these reasons, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in order to add or modify the security objectives that European cybersecurity certification schemes pursue. Similarly, in the interests of a trusted ICT supply chain framework, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to amend Annex II to this Regulation in order to adapt it to technological developments. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member States’ experts, and their experts should systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(168)ENISA’s operations should be subject to regular and independent evaluation. That evaluation should have regard to ENISA’s objectives, and the relevance of its tasks, in particular its tasks relating to the operational cooperation at Union level. In the event of a review, the Commission should evaluate how ENISA’s role as a reference point for advice and expertise can be reinforced.

(169)Commission Implementing Regulation (EU) 2024/482 lays down rules as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC). The EUCC is the first and only European cybersecurity certification scheme adopted under Regulation (EU) 2019/881. It concerns the certification of ICT products, including products belonging to the technical domains ‘smart cards and similar devices’ and ‘hardware devices with security boxes’, and protection profiles (as ICT processes). It is therefore necessary to ensure the continuation of certification activities as well as of the Agency’s activities.

(170)The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(2) of Regulation (EU) 2018/1725 70 and delivered a joint opinion [date].

(171)Regulation (EU) 2019/881 should be repealed.

(172)Since the objectives of this Regulation cannot be sufficiently achieved by the Member States but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives,

HAVE ADOPTED THIS REGULATION:

TITLE I
GENERAL PROVISIONS

Article 1
Subject matter and scope

1.This Regulation lays down:

(a)the mission, objectives, tasks and organisational matters relating to the European Union Agency for Cybersecurity (ENISA);

(b)a framework for establishing European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services, ICT processes, managed security services or the cybersecurity posture of entities in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union; and

(c)a trusted ICT supply chain framework.

2.The framework referred to in paragraph 1, point (b) applies without prejudice to specific provisions in other Union legal acts regarding voluntary or mandatory certification.

3.The framework referred to in the first subparagraph point (c) shall apply to public or private entities of a type referred to in Annex I or II to Directive (EU) 2022/2555 which provide their services or carry out their activities within the Union.

4.This Regulation is without prejudice to the Member States’ essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.

Article 2
Definitions

For the purposes of this Regulation, the following definitions apply:

(1)‘cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats;

(2)‘Union entities’ means Union entities as defined in Article 3, point (1), of Regulation (EU, Euratom) 2023/2841;

(3)‘authorised attestation provider’ means an entity, public or private, for which ENISA has adopted a decision authorising that entity to award European individual cybersecurity skills attestations as laid down in a European individual cybersecurity skills attestation scheme;

(4)‘European individual cybersecurity skills attestation’ means a record, in digital or physical form, attesting that an individual knows, understands and is able to perform the tasks associated to a role profile or a subset of a role profile of the European Cybersecurity Skills Framework (‘ECSF’), following an assessment as laid down in a European individual cybersecurity skills attestation scheme;

(5)‘European individual cybersecurity skills attestation scheme’ means a comprehensive set of rules, requirements, standards and procedures established by ENISA and associated to a role profile of the ECSF or a subset thereof, and that apply to and are applied by authorised attestation providers;

(6)‘network and information system’ means a network and information system as defined in Article 6, point (1), of Directive (EU) 2022/2555;

(7)‘national cybersecurity strategy’ means a national cybersecurity strategy as defined in Article 6, point (4), of Directive (EU) 2022/2555;

(8)‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;

(9)‘large-scale cybersecurity incident’ means a large-scale cybersecurity incident as defined in Article 6, point (7), of Directive (EU) 2022/2555;

(10)‘incident handling’ means incident handling as defined in Article 6, point (8), of Directive (EU) 2022/2555;

(11)‘cyber threat’ means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;

(12)‘European cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services, ICT processes, managed security services or cyber posture of entities;

(13)‘national cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures developed and adopted by a national public authority and that apply to the certification or conformity assessment of ICT products, ICT services, ICT processes, managed security services or cyber posture of entities falling under the scope of the specific scheme;

(14)‘European cybersecurity certificate’ means a document issued by a relevant body, attesting that a given ICT product, ICT service, ICT process or managed security services, or the cyber posture of an entity has been evaluated for compliance with specific security requirements laid down in a European cybersecurity certification scheme;

(15)‘EU statement of conformity’ means a document issued by a manufacturer or provider of ICT products, ICT services, ICT processes, managed security services or the entity the cyber posture of which is subject to certification, stating that the fulfilment of the requirements corresponding to assurance level “basic”, laid down in the European cybersecurity certification scheme, has been demonstrated through conformity self-assessment;

(16)‘ICT product’ means an element or a group of elements of a network or information system;

(17)‘ICT service’ means a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems;

(18)‘ICT process’ means a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service;

(19)‘managed security service’ means a service provided to a third party consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, such as incident handling, penetration testing, security audits and consulting, including expert advice related to technical support;

(20)‘accreditation’ means accreditation as defined in Article 2, point (10), of Regulation (EC) No 765/2008;

(21)‘national accreditation body’ means a national accreditation body as defined in Article 2, point (11), of Regulation (EC) No 765/2008;

(22)‘conformity assessment’ means a conformity assessment as defined in Article 2, point (12), of Regulation (EC) No 765/2008;

(23)‘conformity assessment body’ means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;

(24)‘standard’ means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council 71 ;

(25)‘technical specification’ means a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012;

(26)‘harmonised standard’ means a harmonised standard as defined in Article 2, point (1) (c), of Regulation (EU) No 1025/2012;

(27)‘assurance level’ means a basis for confidence that an ICT product, ICT service, ICT process, managed security service or the cyber posture of an entity meets the security requirements of a specific European cybersecurity certification scheme, and indicates the level at which an ICT product, ICT service, ICT process, managed security service or cyber posture of entity has been evaluated but as such does not measure the security of the ICT product, ICT service, ICT process, managed security service or cyber posture of entity concerned;

(28)‘conformity self-assessment’ means an action carried out by a manufacturer or provider of ICT products, ICT services, ICT processes, managed security services or the entity the cyber posture of which is subject to certification, which evaluates whether those ICT products, ICT services, ICT processes, managed security services or cyber posture of entities meet the requirements of a specific European cybersecurity certification scheme;

(29)‘cyber posture of entities’ means entities’ level of cybersecurity with respect to the specific security requirements;

(30)‘prior approval model’ means a model whereby a conformity assessment body may issue a European cybersecurity certificate based on the assessment by a national cybersecurity certification authority in the context of a specific certification process under a relevant scheme;

(31)‘general delegation model’ means a model whereby a conformity assessment body may issue a European cybersecurity certificate based on a delegation of certification activities by a national cybersecurity certification authority;

(32)‘computer security incident response team’ or ‘CSIRT’ means a CSIRT designated or established pursuant to Article 10 of Directive (EU) 2022/2555.

(33)‘ICT components’ means ICT products, ICT services or ICT processes that may be used in the operation of ICT assets;

(34)‘ICT assets’ means software or hardware assets in the network and information systems used by an entity of the type referred to in Annexes I and II to Directive (EU) 2022/2555;

(35)‘key ICT assets’ means ICT assets identified in accordance with Article 102;

(36)‘electronic communications network’ means electronic communications network as defined in Article 2, point (1), of Regulation (EU) XX/XXXX [DNA proposal];

(37)‘control’ means the ability to exercise a decisive influence on a legal entity directly, or indirectly through one or more intermediate legal entities;

(38)‘establishment’ means the effective exercise of activity through stable arrangements in the country where the entity has its central administration or its principal place of business;

(39)‘high-risk supplier’ means either of the following:

(a)an entity established in a third country posing cybersecurity concerns designated in accordance with Article 100, or controlled by such third country, by an entity established in such third country, or by a national of such third country;

(b)an entity designated in accordance with Article 103(7) and entities controlled by that entity;

(40)‘ICT supply chain’ means a sum of ICT services, ICT products and ICT processes that encompass activities and actors involved at all stages upstream of a product being made available or a service being delivered on the market;

(41)‘third country’ means third country as defined in Article 3 (4) of Regulation (EU) 2023/2675 of the European Parliament and the Council 72 ;

(42)‘non-technical risk’ means the likelihood of the supplier being subject to influence by a third country with the potential to cause loss or disruption of the service provided or to compromise the product manufactured by an entity or to lead to exfiltration of data, including for the purposes of espionage or revenue generation;

(43)‘significant non-technical cybersecurity risk’ means a non-technical cybersecurity risk which can be assumed to have a high likelihood to cause an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;

(44)‘core network functions of mobile electronic communications networks’ means the central architectural element of the mobile electronic communications networks connecting major network nodes to the Internet and managing essential system functions that includes user equipment authentication, lawful interception (LI) functions, security gateways (SeGW) at the network edge, signalling security functions, roaming and session management, user and control plane data transport, access policy management, registration and authorisation of network services, storage of end-user and network data, critical network services including domain name system (DNS), interconnection with third-party mobile networks, exposure of core network functions to external applications, and the selection and management of network slices;

(45)‘network function virtualisation (NFV) and management and network orchestration (MANO) of mobile electronic communications networks’ means the software and architectural framework ensuring the lifecycle management, orchestration, and automation of virtualised network functions (VNFs), cloud-native network functions (CNFs) and the selection and management of network slices within mobile electronic communications networks;

(46)‘radio access network (RAN) of mobile electronic communications networks’ means the network connecting the mobile user equipment to the core network, including base stations (eNodeB for 4G, gNodeB for 5G), remote radio heads (RRH) and baseband units (BBU), active antenna systems (AAS), and where applicable, disaggregated RAN components such as centralised units (CU) and distributed units (DU), and the RAN intelligent controller (RIC);

(47)‘core network functions of fixed electronic communications networks’ means the backbone intelligence of the network, connecting the major nodes and handling a range of essential functions, including user authentication and authorisation (AAA), lawful interception (LI) functions, domain name system (DNS) and IP addressing services (DHCP), access policy management, storage of end-user and network data, IP switching and routing, and international internet gateways (IIG);

(48)‘network management system of fixed electronic communications networks’ means all centralised platforms and software components necessary for the operation, administration, maintenance and provisioning (OAM&P) of the network and the monitoring of network-related information;

(49)‘transport and transmission functions of fixed electronic communications networks’ means all components necessary for the backhaul and aggregation of traffic across the network, including optical transport equipment, microwave links and submarine cable systems that include the underwater equipment as well as the submarine line terminal equipment (SLTE) and the physical landing station facilities;

(50)‘access network of fixed electronic communications networks’ means the network connecting the end-user premises to the aggregation or core network, including the optical line termination (OLT) and the optical network termination (ONT) for fibre networks; coaxial cable modem termination system (CMTS) and cable modems for coaxial cable networks, and fixed wireless access components where used as a fixed line substitute.

TITLE II
THE EUROPEAN UNION AGENCY FOR CYBERSECURITY

Chapter I
Mission and Objectives

Article 3
Mission of ENISA

1.The mission of ENISA is to support Member States and Union entities in achieving a high level of cybersecurity, cyber resilience and trust within the Union.

2.ENISA shall act as a reference point for advice and expertise on cybersecurity for Member States, as well as for other stakeholders in the Union.

3.ENISA shall contribute to reducing the fragmentation of the internal market by carrying out the tasks assigned to it under this Regulation.

4.ENISA shall carry out the tasks assigned to it by Union legal acts.

5.ENISA shall develop its own capabilities, including technical and human capabilities and skills, necessary to perform the tasks assigned to it under this Regulation.

Article 4
Objectives of ENISA

1.ENISA shall be a centre of expertise on cybersecurity by virtue of its independence, the scientific and technical quality of the advice, contributions, and assistance it delivers, the information it provides, the transparency of its operating procedures, the methods of operation, and its diligence in carrying out its tasks.

2.ENISA shall assist Member States and, where appropriate, Union entities in implementing horizontal and sectoral Union policies and legislation related to cybersecurity, including market surveillance activities.

3.ENISA shall provide its expertise and assist the Commission in developing Union policies and legislation related to cybersecurity.

4.ENISA shall support capacity-building and preparedness across the Union by assisting Member States, Union entities, through  the Cybersecurity Service for the Union institutions, bodies, offices and agencies (CERT-EU) referred to in Chapter IV of Regulation (EU, Euratom) 2023/2841, and public and private stakeholders to increase the protection of their network and information systems, to develop and improve cyber resilience and response capacities.

5.ENISA shall contribute to the implementation of the Cybersecurity Skills Academy and the growth of the cybersecurity workforce in the Union by supporting efforts to develop skills portability across the Union, including through the maintenance and uptake of the ECSF and the development, maintenance and uptake of European individual cybersecurity skills attestation schemes in accordance with Chapter II, Section 4 of this Title, and by ensuring the provision of training in accordance with Article 6(8).

6.ENISA shall promote cooperation, including information sharing and coordination at Union level, among Member States, Union entities in accordance with Regulation (EU, Euratom) 2023/2841, and relevant private and public stakeholders on matters related to cybersecurity.

7.ENISA shall contribute to increasing cybersecurity capabilities at Union level in order to support the actions of Member States in preventing and responding to cyber threats.

8.ENISA shall support operational cooperation at Union level, including by contributing to shared situational awareness of the cyber threat and incident landscape among Member States and, in cooperation with CERT-EU, among Union entities.

9.ENISA shall closely cooperate with Europol, CSIRTs and other relevant national authorities in order to improve cybersecurity preparedness and response to ransomware incidents.

10.ENISA shall contribute to the establishment and maintenance of a European cybersecurity certification framework in accordance with Title III of this Regulation. ENISA shall promote the use of European cybersecurity certification, with a view to avoiding the fragmentation of the internal market.

11.ENISA shall contribute to the harmonisation of the digital single market by engaging in standardisation work relevant for Union policies related to cybersecurity and by developing technical specifications.

12.ENISA shall promote a high level of cybersecurity awareness among organisations and businesses.

Chapter II
Tasks

Section 1
Support for implementation of Union policy and law

Article 5
Support for implementation of Union policy and law

1.ENISA shall contribute to the implementation of Union policy and law by:

(a)assisting Member States in implementing Union policy and law regarding cybersecurity consistently, including by issuing technical guidance and reports, by providing advice and sharing best practices, and by facilitating the exchange of best practices between competent authorities in this regard;

(b)supporting information sharing within and between sectors, in particular regarding the sectors listed in Annexes I and II to Directive (EU) 2022/2555 and products with digital elements falling within the scope of Regulation (EU) 2024/2847, by providing best practices and guidance on available tools and procedures;

(c)at the request of the Commission, assisting Member States by providing support, such as technical guidance, including on cybersecurity risk management measures, tools for cybersecurity maturity assessment, and incident response playbooks, tailored to the sectors listed in Annexes I and II to Directive (EU) 2022/2555 or support for the implementation of secure-by-design principles for products with digital elements in line with Regulation (EU) 2024/2847, with a view to facilitating the improvement of the cybersecurity maturity levels and compliance with Union law regarding cybersecurity;

(d)contributing to the work of the Cooperation Group established pursuant to Article 14(1) of Directive (EU) 2022/2555 (‘NIS Cooperation Group’), the European Digital Identity Cooperation Group established pursuant to Article 46e(1) of Regulation (EU) No 910/2014, the European Cybersecurity Certification Group (‘ECCG’) as referred to in Article 90 of this Regulation, and the administrative cooperation group (ADCO) established pursuant to Article 52(15) of Regulation (EU) 2024/2847;

(e)assisting Member States and relevant Union entities in developing and promoting cybersecurity policies related to sustaining the general availability and integrity of the public core of the open internet;

(f)in accordance with Regulation (EU) 2024/2847, providing technical advice and support to Member States and the Commission on matters related to the implementation of that Regulation;

(g)assisting Member States in carrying out mutual assistance and in facilitating such cooperation processes for essential and important entities pursuant to [Article 37a of Directive (EU) 2022/2555];

(h)at the request of the European Data Protection Board, providing advice on the implementation of specific cybersecurity aspects of Union policy and law related to data protection and privacy.

2.ENISA shall contribute to coordinated Union level cybersecurity risk assessments, including those carried out pursuant to Article 22 of Directive (EU) 2022/2555.

3.ENISA shall issue guidelines regarding the interoperability of network and information systems used for information-sharing, including with regard to Cross-Border Cyber Hubs as referred to in Article 6(3) of Regulation (EU) 2025/38.

4.ENISA shall be a member of the NIS Cooperation Group pursuant to Article 14(3) of Directive (EU) 2022/2555.

5.At the Commission’s request, ENISA shall provide expertise, technical advice, information or analysis or carry out preparatory work on specific cybersecurity matters with a view to informing the Commission’s policymaking and monitoring of the implementation of Union legislation.

Article 6
Capacity-building

ENISA shall assist:

(1)Member States in their efforts to improve the prevention, detection and analysis of, and the capability to respond to cyber threats and incidents by providing them with knowledge and expertise;

(2)Member States, at their request, in establishing and implementing vulnerability disclosure policies on a voluntary basis;

(3)in accordance with Regulation (EU, Euratom) 2023/2841, CERT-EU and the Interinstitutional Cybersecurity Board in their efforts to support Union entities in strengthening their cybersecurity, improve the prevention, detection and analysis of cyber threats and incidents as well as to improve their capabilities to respond to such cyber threats and incidents;

(4)Member States in developing national CSIRTs, where requested pursuant to Article 10(10) of Directive (EU) 2022/2555;

(5)Member States in developing or updating a national cybersecurity strategy and key performance indicators for the assessment of that strategy, where requested pursuant to Article 7(4) of Directive (EU) 2022/2555, promote the dissemination of those strategies and note the progress in their implementation across the Union in order to promote best practices;

(6)Union institutions, at their request, in developing and reviewing Union strategies regarding cybersecurity, promoting their dissemination and tracking the progress in their implementation;

(7)national CSIRTs in raising the level of their capabilities, including by promoting dialogue and exchanges of information, with a view to ensuring that, with regard to the state of the art, each CSIRT possesses a common set of minimum capabilities and operates according to best practices;

(8)Member States, Union entities and public and private stakeholders in their efforts to assess, grow and enhance the cybersecurity workforce, including by developing, maintaining and promoting the uptake of relevant tools, such as the ECSF and European individual cybersecurity skills attestation schemes in accordance with Section 4 of this Chapter;

(9)relevant public bodies as well as private stakeholders by conducting targeted trainings, where appropriate in cooperation with stakeholders;

(10)the NIS Cooperation Group in the exchange of best practices and information, in particular in relation to the implementation of Directive (EU) 2022/2555 pursuant to Article 14(4), point (c), of that Directive;

(11)the market surveillance authorities designated pursuant to Regulation (EU) 2024/2847 in their activities that aim to ensure the effective implementation of that Regulation, including support for guidance and technical advice to economic operators, support for compliance checks, evaluation of risks, joint activities and sweeps as laid down in Regulation (EU) 2024/2847;

(12)the ECCG members in the exchange of best practices and upon request from individual Member States assist national cybersecurity certification authorities in relation to the implementation of the European cybersecurity certification schemes at national level;

(13)public authorities and private stakeholders in relation to conformity assessment and evaluation activities, including conformity assessment bodies and small and medium-sized enterprises, to support a robust, competitive, inclusive and harmonised conformity assessment ecosystem supporting the implementation Regulation (EU) 2024/2847 and the European cybersecurity certification framework;

(14)the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres established pursuant to Regulation (EU) 2021/887 by sharing information about current and emerging risks and cyber threats, including with respect to new and emerging information and communications technologies;

(15)Member States by providing technical support, including for the establishment and operation of regulatory sandboxes in the area of cybersecurity in accordance with relevant Union legislation.

Article 7
Awareness-raising and talent pool

ENISA shall assist Member States in their efforts to raise awareness of Union policies and legislation regarding cybersecurity and promote their visibility by developing actionable tools and guidance. ENISA shall support initiatives aimed at increasing the European cybersecurity talent pool, in particular by coordinating competitions.

Article 8
Market knowledge and analyses

1.ENISA shall carry out and disseminate analyses of the main market trends in the cybersecurity market on both the demand and supply sides, in particular related to the areas where European cybersecurity certification schemes exist or are planned, sectors listed in Annexes I and II to Directive (EU) 2022/2555, and product categories covered by Regulation (EU) 2024/2847, including Annexes III and IV to that Regulation.

2.ENISA shall carry out and disseminate analyses of technological cybersecurity trends in particular in relation to activities and entities falling within the scope of Directive (EU) 2022/2555 and products with digital elements falling within the scope of Regulation (EU) 2024/2847.

3.ENISA shall build knowledge and disseminate technical advice and analyses on state-of-the-art cybersecurity tools, frameworks standards and best practices.

Article 9
International cooperation

ENISA shall contribute to the Union’s efforts to cooperate with third countries and international organisations as well as within relevant international cooperation frameworks to promote international cooperation on issues related to cybersecurity, by:

(a)where appropriate, engaging as an observer in the organisation of international exercises, and analysing and reporting to the Management Board on the outcome of such exercises;

(b)at the request of the Commission, facilitating the exchange of best practices with third countries and international organisations;

(c)at the request of the Commission, providing it with expertise;

(d)providing expert advice and support to the Commission on matters relating to the international recognition of European cybersecurity certificates in accordance with Article 87;

(e)providing expert advice and support to the Commission on matters concerning international standardisation and engaging with relevant international standardisation organisations, where relevant, in collaboration with the ECCG established under Article 90.

Section 2

Operational Cooperation

Article 10
Operational cooperation at Union level

1.ENISA shall support operational cooperation among Member States, Union entities through CERT-EU, and between other stakeholders.

2.ENISA shall be a member of the network of national CSIRTs established pursuant to Article 15(1) of Directive (EU) 2022/2555 and shall provide the secretariat of the CSIRTs network pursuant to Article 15(2) of Directive (EU) 2022/2555.

3.ENISA shall provide the secretariat of the European cyber crisis liaison organisation network (EU-CyCLONe) pursuant to Article 16(2), second subparagraph, of Directive (EU) 2022/2555.

4.ENISA shall support technical and operational cooperation among Member States, in particular through the CSIRTs network and EU-CyCLONe. Such support shall include:

(a)advising on improvement of capabilities to prevent, detect, respond to and recover from incidents;

(b)at the request of one or more Member States, providing advice and assessments in relation to a specific potential or ongoing incident or cyber threat, including through the provision of expertise and facilitating the technical handling of such incidents, and through supporting the voluntary sharing of relevant information and technical solutions between Member States;

(c)analysing vulnerabilities, threats and incidents;

(d)at the request of one or more Member States, providing support in relation to ex post technical inquiries regarding significant incidents within the meaning of Article 23(3) of Directive (EU) 2022/2555;

(e)contributing to supporting the coordinated management of large-scale cybersecurity incidents and crises at operational level, in particular by assisting EU-CyCLONe in preparing reports to political level and by facilitating timely information sharing between the CSIRTs network and EU-CyCLONe;

5.At the request of a Member State or a Union entity in cooperation with CERT-EU, ENISA shall support consistent public communication relating to an incident or cyber threat.

6.ENISA shall support cooperation among Member States and through CERT-EU among Union entities with regard to the deployment of secure communications tools. ENISA shall use within the CSIRTs network and EU-CyCLONe secure communications tools which are provided by legal entities established or deemed to be established in the Union and controlled by Member States or by nationals of Member States.

Article 11
Shared cybersecurity situational awareness

1.For the purposes of an enhanced shared situational awareness of the cyber threat and incident landscape among Member States and among Union entities, ENISA shall:

(a)develop in cooperation with EU-CyCLONe, the CSIRTs network, the Commission, CERT-EU, Europol and other relevant Union entities, repositories of verified, reliable cyber threat intelligence, including trends in incidents, tactics, techniques and procedures;

(b)in accordance with Article 12, issue early alerts of a potential or ongoing significant or large-scale incident, or a cyber threat of a potential cross-border nature, in particular in relation to sectors listed in Annexes I and II to Directive (EU) 2022/2555;

(c)provide timely ad hoc analyses on emerging trends in incidents upon request of the CSIRTs network, EU-CyCLONe, or the Commission;

(d)provide, at the request of Member States or the Commission, analysis or other information regarding an actual or perceived cybersecurity risk or threat;

(e)provide analysis and technical advice regarding cybersecurity risks in products with digital elements, including to support market surveillance and by drawing up a biennial technical report on emerging trends in accordance with Article 17(3) of Regulation (EU) 2024/2847;

(f)prepare a regular in-depth EU Cybersecurity Technical Situation Report on incidents and cyber threats, and make the report available to the Council, EU-CyCLONe, the CSIRTs network, the Commission, the European External Action Service and Europol;

(g)monitor trends in techniques, demands and impact of ransomware attacks and provide information about such trends to the Commission, the CSIRTs network and EU-CyCLONe and Europol.

2.For the purposes of an enhanced shared situational awareness of the cyber threat and incident landscape among stakeholders, ENISA shall:

(a)perform analyses of cyber threats, incidents, trends, emerging technologies and their impacts, including a regular analysis addressing sectors listed in Annexes I and II to Directive (EU) 2022/2555 and relevant product categories covered by Regulation (EU) 2024/2847;

(b)issue, in cooperation with the Commission, and, where appropriate, the CSIRTs network, advice, guidance and best practices for the security of network and information systems, in particular for the security of the infrastructures supporting the sectors listed in Annexes I and II to Directive (EU) 2022/2555;

(c)carry out long-term strategic analyses of cyber threats and incidents in order to identify emerging trends and help prevent incidents.

3.ENISA may make the analyses, advice, guidance, best practices and reports referred to in paragraph 2 public, in agreement with the contributing entities referred to in paragraph 2.

4.In carrying out the activities listed in paragraph 1, points (a) to (d) and (f), and paragraph 2, ENISA shall use its own analyses and, as appropriate, the information received in carrying out its tasks, including:

(a)information provided in publicly available sources, including publicly known vulnerabilities in ICT products or ICT services available in the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555;

(b)information shared by Member States, Union entities, CERT-EU, private sector or non-governmental partners and third country and international organisations, subject to any limitations by means of a visible marking on further distribution of that information.

5.ENISA shall cooperate closely with the Member States in the preparation of the EU Cybersecurity Technical Situation Report referred to in paragraph 1, point (e). The Report shall be based on publicly available information, ENISA’s own analysis, and reports shared by, among others, the Member States’ CSIRTs or the single points of contact established by Directive (EU) 2022/2555, both on a voluntary basis, EC3 and CERT-EU. In agreement with the contributing entities, ENISA may make an aggregated version of the Report publicly available.

Article 12
Early alerts

1.Early alerts referred to in Article 11(1), first subparagraph, point (b), of this Regulation shall contain relevant information concerning a potential or ongoing significant or large-scale incident, or a cyber threat of a potential cross-border nature, in relation to sectors listed in Annexes I and II to Directive (EU) 2022/2555. Such information may include publicly known vulnerabilities and whether they affect products with digital elements covered by Regulation (EU) 2024/2847, techniques and procedures, indicators of compromise, adversarial tactics, threat actor-specific information and recommendations on mitigation measures.

2.Early alerts referred to in Article 11(1), first subparagraph, point (b), shall be issued as soon as possible to the CSIRT or CSIRTs concerned, and, where appropriate, to the CSIRTs network and EU-CyCLONe.

3.ENISA shall offer an early alert service to entities operating in sectors listed in Annexes I and II to Directive (EU) 2022/2555.

4.The service referred to in paragraph 3 shall be provided upon a request of the entity and in a machine-readable format made publicly available. That service shall include sharing of information on cyber threat indicators and recommendations on mitigation measures.

5.ENISA shall establish a procedure to disseminate the early alerts to entities referred to in paragraph 3.

Article 13
Support in incident response and review

1.ENISA shall operate and administer the EU Cybersecurity Reserve, in full or in part, in accordance with Regulation (EU) 2025/38.

2.At the request of the Commission or EU-CyCLONe, ENISA, with the support of the CSIRTs network and with the approval of the Member State concerned, shall review and assess significant cybersecurity incidents or large-scale cybersecurity incidents in accordance with Article 21 of Regulation (EU) 2025/38.

3.ENISA shall assist, in cooperation with Europol and CSIRTs or other competent authorities as applicable, individual essential and important entities listed in Annexes I and II to Directive (EU) 2022/2555 in preparing, responding to and recovering from a ransomware incident. For that purpose, ENISA shall establish a helpdesk and in particular make use of the enhanced shared situational awareness of the cyber threat and incident landscape pursuant to Article 11(1), first subparagraph, points (a) and (g) of this Regulation.

Article 14
Cybersecurity exercises at Union level

1.ENISA shall support the Commission in compiling an annual rolling programme of Union-level cybersecurity exercises

2.ENISA shall maintain a repository of lessons learned from the exercises referred to in paragraph 1 and recommend to Member States and, where relevant, to Union entities how to implement the lessons learned effectively and efficiently.

3.At the request of EU-CyCLONe, the Commission, ENISA shall organise, or contribute to the organisation of, cybersecurity exercises at Union level, including testing preparedness to respond to large-scale cybersecurity incidents and crises at Union level.

4.At the request of Member States, ENISA shall support them in organising national cybersecurity exercises.

5.At the request of CERT-EU, ENISA shall contribute to the organisation of cybersecurity exercises organised by CERT-EU pursuant to Article 13(7) of Regulation (EU, Euratom) 2023/2841.

Article 15
Provision of tools and platforms

1.ENISA shall establish, provide, operate, maintain and update as necessary, operational technical tools, including platforms related to cybersecurity at Union level, in particular the single reporting platform established pursuant to Article 16(1) of Regulation (EU) 2024/2847 [and the single-entry point for incident reporting established pursuant to Article 23a of Directive (EU) 2022/2555], and testing tools to support the implementation of conformity assessment procedures in accordance with the relevant Union legislation.

2.Where appropriate for the purposes of paragraph 1, ENISA shall cooperate and exchange information with the CSIRTs network and, where applicable, market surveillance authorities.

Article 16
Vulnerability management services

ENISA shall develop a common Union vulnerability management service capacity and provide vulnerability management services to stakeholders by:

(a)maintaining the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555;

(b)providing vulnerability management services to stakeholders, building on the European vulnerability database and making use of relevant information available to ENISA;

(c)where appropriate, entering into structured cooperation with organisations providing programmes, registries or databases similar to the European vulnerability database;

(d)actively supporting the CSIRTs designated as coordinators pursuant to Article 12(1) of Directive (EU) 2022/2555 with regard to the management of the coordinated disclosure of vulnerabilities which may have a significant impact on entities in more than one Member State;

(e)developing and maintaining methodologies and governance mechanisms for vulnerability identification and coordinated disclosure, in cooperation with national competent authorities, CSIRTs, industry and the research community.

Section 3

Cybersecurity Certification and Standardisation

Article 17
Cybersecurity certification

1.ENISA shall contribute to and promote the development and implementation of Union policy on cybersecurity certification as established in Title III of this Regulation. ENISA shall be in charge of:

(a)preparing candidate European cybersecurity certification schemes (‘candidate schemes’) for ICT products, ICT services, ICT processes, managed security services and the cyber posture of entities in accordance with Article 74 and, where applicable, developing technical specifications in accordance with Article 77;

(b)maintaining adopted European cybersecurity certification schemes in accordance with Article 75, including in view of a possible review of the adopted European cybersecurity certification schemes in accordance with Article 76;

(c)promoting the uptake of adopted schemes and maintaining a dedicated website providing information on, and publicising, European cybersecurity certification schemes, European cybersecurity certificates and EU statements of conformity in accordance with Article 79;

(d)organising capacity-building related to certification processes, evaluation activities, peer review and peer assessment, including by providing support to Member States at their request in accordance with Article 6, point (12).

2.ENISA shall support the Commission in the following activities:

(a)the governance of the ECCG pursuant to Article 90;

(b)organising a European Cybersecurity Certification Assembly in accordance with Article 72(1);

(c)relating to the international recognition of European cybersecurity certificates in accordance with Article 87;

(d)organising peer reviews pursuant to Article 89;

(e)preparing model provisions to be referenced in the European cybersecurity certification schemes for ICT products, ICT services, ICT processes, managed security services and cyber posture of entities in accordance with Article 81(5).

Article 18
Standardisation, technical specifications and guidance

1.ENISA shall draft technical specifications and guidance to support the implementation of Union legislation in the field of cybersecurity. When drafting those technical specifications, ENISA shall consider existing European and international standards as well as other relevant technical specifications. ENISA shall ensure the consistency of its technical specifications and guidance.

2.ENISA shall monitor and, where relevant, participate and lead in standardisation development activities at Union level and, in accordance with Article 9, at international level, in view of supporting Union policies related to cybersecurity.

3.ENISA shall support the development and evaluation of cryptographic algorithms. Where a cryptographic algorithm is evaluated positively by ENISA, ENISA shall cooperate, in accordance with Regulation (EU) No 1025/2012, with the European standardisation bodies to support its standardisation.

4.ENISA shall provide technical advice to the Commission and, where relevant, the Member States, on appropriate standards or technical specifications in support of Union policies related to cybersecurity, including for Union harmonisation legislation in the field of cybersecurity, in particular Regulation (EU) 2024/2847, technical areas for the purpose of Article 25 of Directive (EU) 2022/2555, and European cybersecurity certification schemes pursuant to Article 81(1), point (d).

5.ENISA shall assist the Commission in the assessment of draft harmonised standards to support the implementation of Union harmonisation legislation in the field of cybersecurity.

6.ENISA shall promote the uptake of European and international standards for cybersecurity.

7.ENISA shall carry out the tasks referred to in paragraphs 1 to 6 with integrity, impartiality and confidentiality, including by withdrawing or pausing its participation from specific technical bodies when such a participation conflicts with other tasks or objectives.

Section 4
Implementation of the Cybersecurity Skills Academy

Article 19
European Cybersecurity Skills Framework

1.ENISA shall develop and make publicly available a European Cybersecurity Skills framework (‘ECSF’). Before making the ECSF publicly available or updating it pursuant to paragraph 4, ENISA shall consult the Commission.

2.The ECSF shall define profiles of cybersecurity professionals and association of specific tasks, skills and knowledge to a given role profile. The use of the ECSF shall be voluntary for public and private entities.

3.ENISA may consult stakeholders in the development and uptake of the ECSF.

4.ENISA shall assess the need to update the ECSF on a regular basis and, where relevant, update it.

Article 20
Development, adoption and maintenance of European individual cybersecurity skills attestation schemes

1.ENISA shall develop, adopt and maintain European individual cybersecurity skills attestation schemes. The use of European individual cybersecurity skills attestation schemes shall be voluntary for national public bodies and private entities, unless otherwise specified by national law.

2.Prior to initiating a new European individual cybersecurity skills attestation scheme, ENISA shall consult the Commission. ENISA shall only adopt such a scheme following a positive opinion from the Commission. When preparing a European individual cybersecurity skills attestation scheme, ENISA may consult relevant stakeholders.

3.A European individual cybersecurity skills attestation scheme shall include the following:

(a)subject matter and scope of the attestation scheme based on ECSF role profiles or subsets thereof;

(b)requirements applicable to individuals trained to perform assessments (‘assessors’) in accordance with Article 21, the necessary skills, knowledge and experience as well as training methods;

(c)market uptake analysis specific to each attestation scheme;

(d)the learning outcomes, assessment methods, and conditions that authorised attestation providers shall use to evaluate an individual's demonstration of the required skills in accordance with Article 21;

(e)where relevant, one or more proficiency levels;

(f)rules concerning the retention of records by authorised attestation providers;

(g)the content and the format of the European individual cybersecurity skills attestations, taking into due consideration Article 21(5), point (e);

(h)maximum period of validity of a European individual cybersecurity skills attestation issued under the attestation scheme.

4.A European individual cybersecurity skills attestation scheme may include the indicative cost of a European individual cybersecurity skills attestation.

5.ENISA shall ensure close cooperation with Member States throughout preparation of the European individual cybersecurity skills attestation schemes.

6.The modification of a European individual cybersecurity skills attestation scheme shall not affect the authorisation granted pursuant to Article 22(3)(a), which shall remain valid for the period it is granted for.

Article 21
Authorised attestation providers

1.Authorised attestation providers shall assess whether individuals meet the requirements of a European individual cybersecurity skills attestation scheme and, where those requirements are met, issue European individual cybersecurity skills attestations. Attestation providers may hold several authorisations, each granted for one European individual cybersecurity skills attestation scheme.

2.ENISA shall provide guidance to and conduct obligatory training of assessors regarding the requirements and assessment methods included in the European individual cybersecurity skills attestation scheme as referred to in Article 20(3), point (b).

3.Entities wishing to become authorised attestation providers or renew their authorisation (‘applicants’) shall submit an application to ENISA. They shall meet the following requirements:

(a)they shall have legal personality;

(b)they shall be capable of carrying out the tasks laid down in this Regulation in relation to European individual cybersecurity skills attestations, regardless of whether the assessment is carried out by the authorised attestation provider itself or on its behalf and under its responsibility;

(c)they shall have the means necessary to perform the technical and administrative tasks connected with the European individual cybersecurity skills attestation scheme in an appropriate manner and have access to all necessary equipment and facilities.

For the purposes of the first subparagraph, point (b), any subcontracting to, or consultation of, external staff shall be properly documented, shall not involve any intermediaries and shall be subject to a written agreement covering, among other things, confidentiality and conflicts of interest.

4.Applicants shall not be high-risk suppliers.

5.Authorised attestation providers shall meet the following obligations:

(a)for the implementation of each European individual cybersecurity skills attestation scheme:

(i)have at their disposal the necessary assessors and personnel to carry out their activities as established in that scheme in a timely manner;

(ii)ensure that assessors observe professional secrecy, are impartial and perform their work independently and with the highest degree of professional integrity;

(iii)have written procedures for carrying out their activities under the scheme that they are authorised for.

(b)not assess or issue European individual cybersecurity skills attestations to their own assessors; 

(c)ensure, where relevant by putting in place appropriate safeguards, that their assessors can perform their work independently, in particular where such individuals belong to their own structure or are employees or learners of such a structure;

(d)not engage in any activity that may conflict with the independence of judgement or integrity of their assessors;

(e)ensure that, at the request of the individual, electronic attestations of European individual cybersecurity skills attestations are issued as electronic attestations of attributes in a format that can be stored in the European Digital Identity Wallets set out in Regulation (EU) No 910/2014.

6.Authorised attestation providers shall immediately inform ENISA if any of the requirements listed in paragraphs 3 and 4 or the obligations listed in paragraph 5, are no longer met or if any doubt that those requirements or obligations are not met, arises, including regarding the independence of assessors.

7.Authorised attestation providers may request a fee from individuals for assessing and issuing the European individual cybersecurity skills attestations, taking into account the indicative cost of a European individual cybersecurity skills attestation pursuant to Article 20(4) and made public on a dedicated website in accordance with Article 23, point (d).

8.Applicants and authorised attestation providers shall allow ENISA to conduct evaluations as part of the application process or maintenance of the authorisation and share all relevant information to ensure the requirements laid down in paragraphs 3 and 4, or the obligations laid down in paragraph 5, are met or continue to be met in accordance with Article 22(2).

Article 22
Examination of applications to become an authorised attestation provider and maintenance of authorisations

1.Applicants shall pay a fee to ENISA for the examination of their application. Authorised attestation providers shall pay a fee to ENISA for the maintenance of their authorisation.

2.ENISA shall evaluate whether the requirements laid down in Article 21(3) and (4) and the obligations laid down in Article 21(5) are met or continue to be met by applicants and authorised attestation providers.

3.After examining an application against the requirements laid down in Article 21(3) and (4), ENISA may issue one of the following decisions:

(a)granting the applicant the status of authorised attestation provider or renewing it;

(b)rejecting the application to become an authorised attestation provider or not renewing it;

(c)closing the processing of the application due to the applicant’s inaction following a request for additional information by ENISA.

ENISA may amend, suspend or revoke such decisions based on its evaluation pursuant to Article 22(2) or in the case referred to in Article 21(6).

4.ENISA shall issue the decision referred to in paragraph 3 within three months from the date of submission of an application in accordance with Article 21(3). Where ENISA requested the applicant for the additional information, ENISA shall issue the decision referred to in paragraph 3 within one month of receiving additional information.

5.The decision referred to in paragraph 3, point (a) shall have a maximum duration of three years and indicate the fee related to the yearly maintenance of the authorisation.

6.ENISA shall ensure that its activities relating to the development and adoption of European individual cybersecurity skills attestation schemes as laid down in Article 20 are strictly separated and carried out independently from the activities on the examination of applications and on evaluations set out in paragraphs 2 and 3 of this Article.

Article 23
Public information

ENISA shall maintain and regularly update a dedicated website providing public information on:

(a)the ECSF, including the framework and its timeline for update;

(b)the European individual cybersecurity skills attestation schemes, their progress and timelines for their development;

(c)the fees associated with each European individual cybersecurity skills attestation scheme adopted pursuant to Article 47 of this Regulation;

(d)the indicative cost of a European individual cybersecurity skills attestation in accordance with Article 20(4);

(e)the list of authorised attestation providers.

Chapter III
Organisation of ENISA

Article 24
Administrative and management structure of ENISA

The administrative and management structure of ENISA shall comprise:

(a)a Management Board which shall exercise the functions set out in Article 28;

(b)an Executive Board which shall exercise the functions set out in Article 30;

(c)an Executive Director who shall exercise the responsibilities set out in Article 32;

(d)a Deputy Executive Director who shall exercise the responsibilities set out in Article 34;

(e)an ENISA Advisory Group;

(f)a Board of Appeals which shall exercise the functions set out in Articles 39 to 42.

Section 1
Management Board

Article 25
Composition of the Management Board

1.The Management Board shall be composed of one member appointed by each Member State and two members appointed by the Commission. All members shall have the right to vote.

2.Each member of the Management Board shall have an alternate. The alternates shall represent the members in their absence.

3.Each Member State shall appoint the head of a national competent authority designated pursuant to Article 8(1) of Directive (EU) 2022/2555 as the member of the Management Board. Where this proves not to be feasible, Member States shall appoint a high-level representative of a national competent authority designated pursuant to Article 8(1) of Directive (EU) 2022/2555 as the member of the Management Board.

4.Members appointed by the Commission and alternate members of the Management Board shall be appointed in light of their knowledge in the field of cybersecurity, taking into account their relevant managerial, administrative and budgetary skills. The Commission and the Member States as regards alternates, shall aim to achieve a balanced representation between men and women on the Management Board and shall make efforts to limit their turnover in order to ensure continuity of the Management Board’s work.

5.The term of office of the members appointed by Member States shall be equal to the term of their function referred to in paragraph 3.

6.The term of office of the alternates and of the members appointed by the Commission shall be four years. That term shall be renewable.

Article 26
Chairperson of the Management Board

1.The Management Board shall elect a Chairperson and a Deputy Chairperson from among its members with voting rights. The Chairperson and the Deputy Chairperson shall be elected by a majority of two thirds of the members of the Management Board with voting rights.

2.The Deputy Chairperson shall automatically replace the Chairperson if the Chairperson is prevented from attending to their duties.

3.The term of office of the Chairperson and of the Deputy Chairperson shall be four years and may be renewed once. If, however, their membership of the Management Board ends at any time during their term of office, that term of office shall automatically expire on that date.

Article 27
Meetings of the Management Board

1.The Chairperson shall convene meetings of the Management Board.

2.The Executive Director shall take part in the meetings of the Management Board, without the right to vote.

3.The Management Board shall hold at least two ordinary meetings a year. In addition, it shall meet on the initiative of its Chairperson, at the request of the Commission, or at the request of at least one third of its members.

4.A representative from the European Cybersecurity Industrial, Technology and Research Competence Centre established by Regulation (EU) 2021/887 shall be a permanent observer, without voting rights, at the meetings of the Management Board.

5.The Management Board may invite any person whose opinion may be of interest to attend a meeting, or part of a meeting, as an ad hoc observer, without voting rights and subject to the rules of procedure of the Management Board.

6.The members of the Management Board and their alternates may be assisted at the meetings of the Management Board by advisers or experts, subject to the rules of procedure of the Management Board.

Article 28
Functions of the Management Board

1.The Management Board shall:

(a)establish the general direction of the operation of ENISA and ensure that ENISA operates in accordance with the rules and principles laid down in this Regulation; it shall also ensure the consistency of ENISA’s work with activities conducted by the Member States as well as at Union level;

(b)adopt ENISA’s draft single programming document referred to in Article 44, before its submission to the Commission for an opinion;

(c)taking into account the opinion of the Commission, adopt ENISA’s single programming document in accordance with Article 29(2), point (a);

(d)supervise the implementation of the multiannual and annual programme included in the single programming document;

(e)adopt the annual budget of ENISA in accordance with Article 29(2), point (b), and exercise other functions in respect of ENISA’s budget in accordance with Chapter IV;

(f)assess and adopt the consolidated annual report on ENISA’s activities, including the accounts and a description of how ENISA has met its performance indicators; submit both the annual report and the assessment thereof by 1 July of the following year to the European Parliament, to the Council, to the Commission and to the European Court of Auditors; make the annual report public;

(g)adopt the financial rules applicable to ENISA in accordance with Article 50;

(h)adopt an anti-fraud strategy that is proportionate to the fraud risks, having regard to a cost-benefit analysis of the measures to be implemented;

(i)ensure adequate follow-up to findings and recommendations stemming from internal or external audit reports and evaluations and from investigations of the European Anti-Fraud Office (OLAF) and of the European Public Prosecutor’s Office (EPPO);

(j)adopt its rules of procedure, including rules for provisional decisions on the delegation of specific tasks, pursuant to Article 30(7);

(k)exercise, in accordance with paragraph 2 of this Article, with respect to the staff of ENISA, the powers conferred by the Staff Regulations of Officials of the European Union (the ‘Staff Regulations’) and by the Conditions of Employment of Other Servants of the European Union (the ‘Conditions of Employment’), laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 73 , respectively, on the appointing authority and on the authority empowered to conclude a contract of employment (‘appointing authority powers’);

(l)adopt implementing rules giving effect to the Staff Regulations and the Conditions of Employment in accordance with Article 110(2) of the Staff Regulations;

(m)appoint the Executive Director and, if it decides to create the function of a Deputy Executive Director, the Deputy Executive Director, and where relevant extend their term of office or remove them from office in accordance with Article 31;

(n)appoint an accounting officer, subject to the Staff Regulations and the Conditions of Employment, who shall be independent in the performance of their duties;

(o)take all decisions concerning the establishment of ENISA’s internal structures and, where necessary, the modification of those internal structures, taking into consideration ENISA’s activity needs and having regard to sound budgetary management;

(p)authorise the conclusion of working arrangements with regard to Article 68;

(q)authorise the conclusion of working arrangements in accordance with Article 70;

(r)appoint and remove the members of the Board of Appeal in accordance with Article 29(2), point (d);

(s)adopt rules for the prevention and management of conflicts of interest in respect of the members of the Board of Appeal.

2.In accordance with Article 110(2) of the Staff Regulations, the Management Board shall adopt a decision based on Article 2(1) of the Staff Regulations and Article 6 of the Conditions of Employment, delegating the relevant appointing authority powers to the Executive Director and defining the conditions under which that delegation of powers can be suspended. The Executive Director may sub-delegate those powers.

3.Where exceptional circumstances so require, the Management Board may adopt a decision to temporarily suspend the delegation of appointing authority powers to the Executive Director and any appointing authority powers sub-delegated by the Executive Director and instead exercise them itself or delegate them to one of its members or to a staff member other than the Executive Director.

Article 29
Voting rules of the Management Board

1.The Management Board shall adopt its decisions by an absolute majority of its members with voting rights, except if otherwise provided in this Regulation.

2.A majority of two thirds of the members of the Management Board with voting rights shall be required for:

(a)the adoption of the single programming document referred to in Article 28(1)(c);

(b) the adoption of the annual budget referred to in Article 28(1)(e);

(c) the appointment, extension of the term of office or removal of the Executive Director and of the Deputy Executive Director, as referred to in Articles 31 and 33;

(d)the appointment and removal of the members of the Board of Appeal, as referred to in Article 36.

3.Decisions on budgetary or human resources matters, in particular matters referred to in Article 28(1), points (c), (e), (f), (g), (h), (i), (k), (l), (m), (n), shall only be adopted if the representatives of the Commission cast a positive vote. For the purposes of adopting the decisions referred to in Article 28(1), point (c) regarding ENISA’s single programming document, a positive vote of the representative of the Commission shall only be required on the elements of the decision not related to the annual and multiannual work programme of ENISA.

4.Each member with voting rights shall have one vote. In the absence of a member with the right to vote, their alternate shall be entitled to exercise the member’s right to vote.

5.The Chairperson of the Management Board shall take part in the voting.

6.The Executive Director shall not take part in the voting.

7.The Management Board’s rules of procedure shall establish more detailed voting arrangements, in particular the circumstances in which a member may act on behalf of another member.

Section 2
Executive Board

Article 30
Executive Board

1.The Management Board shall be assisted by an Executive Board.

2.The Executive Board shall:

(a)prepare decisions to be adopted by the Management Board;

(b)together with the Management Board, ensure the adequate follow-up to findings and recommendations stemming from internal or external audit reports and evaluations, as well as from investigations of OLAF and the EPPO;

(c)without prejudice to the responsibilities of the Executive Director set out in Article 32, assist and advise the Executive Director in implementing the decisions of the Management Board, with a view to reinforcing supervision of administrative and budgetary management.

3.The Executive Board shall be composed of the Chairperson of the Management Board, one representative of the Commission to the Management Board, and three other members appointed by the Management Board from among its members with the right to vote. The Chairperson of the Management Board shall also be the Chairperson of the Executive Board. The appointments of the members of the Executive Board shall aim to ensure gender balance on the Executive Board. The Executive Director shall take part in the meetings of the Executive Board without the right to vote.

4.The term of office of the members of the Executive Board shall be four years. That term shall be renewable. The term of office of members of the Executive Board shall end when their membership of the Management Board ends.

5.The Executive Board shall hold at least one ordinary meeting every three months. In addition, it shall meet on the initiative of its Chairperson or at the request of its members.

6.The Management Board shall lay down the rules of procedure of the Executive Board.

7.When necessary due to urgency, the Executive Board may take certain provisional decisions on behalf of the Management Board, in particular on administrative management matters, including the suspension of the delegation of the appointing authority powers and budgetary matters. Any such provisional decisions shall be notified to the Management Board without undue delay. The Management Board shall then decide whether to approve or reject the provisional decision no later than three months after that decision was taken. The Executive Board shall not take decisions on behalf of the Management Board that require the approval of a majority of two thirds of the members of the Management Board with voting rights.

Section 3
Executive Director

Article 31
Appointment, dismissal and extension of the term of office

1.The Executive Director shall be appointed by the Management Board on the basis of merit and skills from a list of candidates proposed by the Commission, following an open and transparent and selection procedure.

2.Before appointment, the candidate selected by the Management Board shall be invited to make a statement before the relevant committee of the European Parliament and to answer Members’ questions.

3.The Executive Director shall be engaged as a temporary agent of ENISA under Article 2(a) of the Conditions of Employment.

4.For the purpose of concluding the contract with the Executive Director, ENISA shall be represented by the Chairperson of the Management Board.

5.The term of office of the Executive Director shall be five years. In due time before the end of that period, the Commission shall carry out an assessment that takes into account an evaluation of the performance of the Executive Director and ENISA’s future tasks and challenges.

6.The Management Board, acting on a proposal from the Commission which takes into account the assessment referred to in paragraph 5, may extend the term of office of the Executive Director once for no more than five years.

7.An Executive Director whose term of office has been extended may not participate in another selection procedure for the same post at the end of the overall period.

8.The Management Board shall inform the European Parliament about its intention to extend the Executive Director’s term of office in accordance with paragraph 6. Within three months before any such extension, the Executive Director, if invited, shall make a statement before the relevant committee of the European Parliament and answer members’ questions.

9.The Executive Director may be removed from office only upon a decision of the Management Board acting on a proposal from the Commission.

Article 32
Tasks and responsibilities of the Executive Director

1.The Executive Director shall manage ENISA and shall be accountable to the Management Board.

2.The Executive Director shall be independent in the performance of their tasks and shall neither seek nor take instructions from any government nor from any other body.

3.The Executive Director shall report to the European Parliament on the performance of their tasks when invited to do so. The Council may invite the Executive Director to report on the performance of their tasks.

4.The Executive Director shall be the legal representative of ENISA.

5.The Executive Director shall be responsible for the implementation of the tasks assigned to ENISA by this Regulation. In particular, the Executive Director shall:

(a)ensure the day-to-day administration of ENISA;

(b)implement decisions adopted by the Management Board;

(c)ensure compliance with the financial rules of ENISA;

(d)prepare the draft single programming document and submit it to the Management Board for approval before its submission to the Commission for an opinion;

(e)implement the single programming document and report to the Management Board on its implementation;

(f)prepare ENISA’s consolidated annual activity report, including the implementation of ENISA’s annual work programme, and present it to the Management Board for assessment and adoption;

(g)prepare an action plan that follows up on the conclusions of the retrospective evaluations of ENISA as referred to in Article 121, and reporting on progress every two years to the Commission;

(h)prepare an action plan that follows up on conclusions of internal or external audit reports and evaluations, and from investigations of OLAF and of the EPPO and report on progress biannually to the Commission and regularly to the Management Board;

(i)prepare the draft financial rules applicable to ENISA as referred to in Article 50;

(j)prepare ENISA’s draft statement of estimates of revenue and expenditure and implement its budget;

(k)protect the financial interests of the Union by applying preventive measures against fraud, corruption and any other illegal activities, without prejudicing the investigative competence of OLAF and the EPPO, by effective checks and, if irregularities are detected, by recovering amounts wrongly paid and, where appropriate, by imposing effective, proportionate and dissuasive administrative and financial penalties;

(l)prepare an anti-fraud strategy, an efficiency gains and synergies strategy, a strategy for cooperation with third countries or international organisations and a strategy for the organisational management and internal control systems for ENISA, and present it to the Management Board for approval;

(m)develop and maintain contact with the business community and consumers’ organisations to ensure regular dialogue with relevant stakeholders;

(n)exchange views and information regularly with relevant Union entities regarding their activities relating to cybersecurity to ensure coherence in the implementation of Union policy in that field;

(o)promote diversity and gender balance in the recruitment of ENISA’s staff;

(p)adopt European individual cybersecurity skills attestation schemes, as referred to in Article 20(1);

(q)adopt decisions with respect to applicants to become authorised attestation providers or to renew their authorisation, as referred to in Article 22(3);

(r)carry out other tasks assigned to the Executive Director by this Regulation.

6.Where necessary and within ENISA’s objectives and tasks, the Executive Director may set up ad hoc working groups composed of experts, including experts from the Member States’ competent authorities. The Executive Director shall inform the Management Board in advance thereof. The procedures regarding in particular the composition of the working groups, the appointment of the experts of the working groups by the Executive Director and the operation of the working groups shall be specified in ENISA’s internal rules of operation.

7.Where necessary for the purpose of carrying out ENISA’s tasks in an efficient and effective manner and based on an appropriate cost-benefit analysis, the Executive Director may decide to establish one or more local offices in one or more Member States. Before deciding to establish a local office, the Executive Director shall seek the opinion of the Member States concerned, including the Member State in which the seat of ENISA is located, and shall obtain the prior consent of the Commission and the Management Board. In cases of disagreement during the consultation process between the Executive Director and the Member States concerned, the issue shall be brought to the Council for discussion. The aggregate number of staff in all local offices shall be kept to a minimum and shall not exceed 40% of the total number of ENISA’s staff located in the Member State in which the seat of ENISA is located. The number of the staff in each local office shall not exceed 10% of the total number of ENISA’s staff located in the Member State in which the seat of ENISA is located.

8.The decision establishing a local office shall specify the scope of the activities to be carried out at the local office in a manner that avoids unnecessary costs and duplication of administrative functions of ENISA.

Section 4
Deputy Executive Director

Article 33
Deputy Executive Director

1.The Management Board may decide to create a function of a Deputy Executive Director to assist the Executive Director.

2.Where the Management Board decides to create a function of a Deputy Executive Director, the provisions of Article 31 shall apply to the Deputy Executive Director accordingly.

Article 34
Tasks and responsibilities of the Deputy Executive Director

The Deputy Executive Director shall assist the Executive Director in managing ENISA and in carrying out the tasks referred to in Article 32. If the Executive Director is absent or indisposed, or the post is vacant, the Deputy Executive Director shall take their place during the time of absence or until the post is filled.

Section 5
ENISA Advisory Group

Article 35
ENISA Advisory Group

1.The Management Board, acting on a proposal from the Executive Director, shall establish in a transparent manner the ENISA Advisory Group. The ENISA Advisory Group shall be composed of recognised experts representing relevant stakeholders, such as the cybersecurity industry, ICT industry, SMEs, entities operating in sectors listed in Annexes I and II to Directive (EU) 2022/2555, manufacturers of products with digital elements and open-source software stewards within the meaning of Regulation (EU) 2024/2847, conformity assessment bodies notified under the European Cybersecurity Certification Framework referred to in Article 93 and Regulation (EU) 2024/2847, entities operating in the area of electronic identification means, consumer groups, academic experts in the field of cybersecurity, European standardisation organisations, as well as law enforcement and data protection supervisory authorities. Those recognised experts shall be nationals of Member States. The Management Board shall aim to ensure an appropriate gender and geographical balance, as well as a balance between the different stakeholder groups.

2.Procedures for the ENISA Advisory Group, in particular regarding its composition, the proposal by the Executive Director referred to in paragraph 1, the number and appointment of its members and the operation of the ENISA Advisory Group, shall be specified in ENISA’s internal rules of operation and shall be made public.

3.The ENISA Advisory Group shall be chaired by the Executive Director or by any person whom the Executive Director appoints on a case-by-case basis.

4.The term of office of the members of the ENISA Advisory Group shall be two and a half years and shall be renewable once. Members of the Management Board shall not be members of the ENISA Advisory Group. Experts from the Commission and experts from the Member States shall be entitled to be present at the meetings of the ENISA Advisory Group and to participate in its work. The Executive Director may invite representatives of other bodies that are not members of the ENISA Advisory Group, to attend the meetings of the ENISA Advisory Group and to participate in its work.

5.The ENISA Advisory Group shall advise ENISA in respect of the performance of ENISA’s tasks, except for the application of the provisions of Titles III, IV and V of this Regulation. It shall in particular advise the Executive Director on the drawing up of a proposal for ENISA’s annual work programme, and on ensuring communication with the relevant stakeholders on issues related to the annual work programme.

6.The ENISA Advisory Group shall inform the Management Board of its activities on a regular basis.

7.ENISA shall provide the logistical support necessary for the ENISA Advisory Group and provide a secretariat for its meetings.

Section 6
Board of Appeal

Article 36
Creation and composition of the Board of Appeal

1.ENISA shall establish a Board of Appeal by a decision of the Management Board.

2.The Board of Appeal shall be composed of a Chairperson and three other members. Each member of the Board of Appeal shall have an alternate. The alternate shall represent the member in their absence.

3.The Management Board shall appoint the Chairperson, the other members and their alternates from a list of qualified candidates established by the Commission. The list of qualified candidates shall be valid for four years. The validity of this list may be extended by the Management Board for additional four-year periods acting on a proposal from the Commission.

4.Where the Board of Appeal considers that the nature of the appeal so requires, it may request the Management Board to appoint two additional members and their alternates from the list referred to in paragraph 3.

5.The Board of Appeal shall adopt and make public its rules of procedure.

Article 37
Members of the Board of Appeal

1.The term of office of the members and alternates of the Board of Appeal shall be four years. Their term of office may be renewed by the Management Board for additional four-year periods acting on a proposal from the Commission.

2.The members of the Board of Appeal shall be independent and shall not perform any other duties within ENISA. In making their decisions they shall neither seek nor take instructions from any government, any other body or any private entity.

3.The members of the Board of Appeal shall not be removed from office or from the list of qualified candidates during their term of office, unless there are serious grounds for such removal and the Management Board takes a decision to that effect, acting on a proposal from the Commission.

Article 38
Exclusion and objection

1.The members of the Board of Appeal shall not take part in any appeal proceedings if they have any personal interest in the proceedings, if they have previously been involved as representatives of one of the parties to the proceedings, or if they participated in the adoption of the decision under appeal.

2.If, for one of the reasons listed in paragraph 1 or for any other reason, a member of a Board of Appeal considers that they should not take part in any appeal proceeding, they shall inform the Board of Appeal accordingly.

3.A party to the appeal proceedings may object to any member of a Board of Appeal on any of the grounds listed in paragraph 1, or if the member is suspected of partiality. Any such objection shall not be admissible if, while being aware of a reason for objecting, the party to the appeal proceedings has taken a procedural step. No objection may be based on the nationality of members of the Board of Appeal.

4.The Board of Appeal shall decide as to the action to be taken in the cases specified in paragraphs 2 and 3 without the participation of the member concerned. For the purposes of taking that decision, the member concerned shall be replaced on the Board of Appeal by their alternate.

Article 39
Appeals against decisions and failures to act

1.An appeal may be brought before the Board of Appeal against:

(a)decisions adopted by ENISA pursuant to Article 22(3);

(b)ENISA’s failure to act within the applicable time limits laid down in Article 22(4).

2.An appeal brought pursuant to paragraph 1 shall be subject to interlocutory revision in accordance with Article 41 before being put to the Board of Appeal for examination.

3.An appeal brought pursuant to paragraph 1 shall not have a suspensive effect.

Article 40
Persons entitled to appeal, time limit and form

1.Applicants within the meaning of Article 21(3) may appeal against

(a)a decision of ENISA addressed to them, pursuant to Article 22(3);

(b)ENISA’s failure to act in respect of an application submitted by them to ENISA within the applicable time limits laid down in Article 22(4).

2.In the case referred to in paragraph 1, point (a), the appeal, together with the statement of grounds thereof, shall be filed in writing in accordance with the rules of procedure referred to in Article 36(5) within two months of notification of the decision to the applicant concerned, or, in the absence thereof, of the day on which the decision came to the knowledge of the applicant.

3.In the case referred to in paragraph 1, point (b), the appeal shall be filed with ENISA in writing in accordance with the rules of procedure referred to in Article 36(5) within two months of the day of expiry of the time limit set out in Article 22(4).

Article 41
Interlocutory revision

1.If ENISA considers the appeal to be admissible and well founded, it shall rectify the decision or failure to act referred to in Article 40(1).

2.If ENISA does not rectify the decision within one month after receipt of the appeal, it shall immediately decide whether to suspend the application of its decision and shall refer the appeal to the Board of Appeal.

Article 42
Examination of decisions on appeals

1.The Board of Appeal shall decide within three months of the appeal being filed whether to grant or refuse that appeal. When examining an appeal, the Board of Appeal shall act within the deadlines laid down in its rules of procedure. It shall, as often as necessary, invite the parties to the appeal proceedings to file, within specified time limits, observations on its notifications or on communications from other parties to the appeal proceedings. Parties to the appeal proceedings shall be entitled to make oral representations.

2.Where the Board of Appeal finds that the grounds for appeal are founded, it shall remit the case to ENISA. ENISA shall take its final decision in compliance with the findings of the Board of Appeal and shall provide a statement of reasons for that decision. ENISA shall inform the parties to the appeal proceedings accordingly.

Article 43
Actions before the Court of Justice of the European Union

1.Actions for the annulment of decisions of ENISA adopted pursuant to Article 22(3), or actions for failure to act within the applicable time limits pursuant to Article 22(4), may be brought before the Court of Justice of the European Union, after the appeal procedure within ENISA laid down in Articles 39 to 42 has been exhausted or in the event of failure to act within the applicable time limit pursuant to Article 41(2).

2.ENISA shall take all necessary measures to comply with the judgment of the Court of Justice of the European Union.

Section 7
Operations

Article 44
Single programming document

1.ENISA shall operate in accordance with a single programming document containing its annual and multiannual work programme, which shall include all of its planned activities.

2.Each year, the Executive Director shall draw up a draft single programming document, as referred to in paragraph 1, with the corresponding financial and human resources planning in accordance with Article 32 of Commission Delegated Regulation (EU) 2019/715 74 and taking into account the guidelines set by the Commission.

3.By 30 November each year, the Management Board shall adopt the single programming document referred to in paragraph 1, taking into account the opinion of the Commission referred to in Article 32(7) of Delegated Regulation (EU) 2019/715. If the Management Board decides not to take into account any elements of the opinion of the Commission, it shall provide thorough justification for that decision. The Management Board shall forward the single programming document to the European Parliament, to the Council and to the Commission by 31 January of the following year, as well as any subsequently updated versions of that document.

4.The single programming document shall become final after the definitive adoption of the general budget of the Union and shall be adjusted as necessary.

5.The annual work programme shall comprise detailed objectives and expected results including performance indicators. It shall also contain a description of the actions to be financed and an indication of the financial and human resources allocated to each action, in accordance with the principles of activity-based budgeting and management. The annual work programme shall be coherent with the multiannual work programme referred to in paragraph 7. It shall clearly indicate tasks that have been added, changed or deleted in comparison with the previous financial year.

6.The Management Board shall amend the adopted annual work programme when a new task is assigned to ENISA. Any substantial amendments to the annual work programme shall be adopted by the same procedure as for the initial annual work programme. The Management Board may delegate the power to make non-substantial amendments to the annual work programme to the Executive Director.

7.The multiannual work programme shall set out the overall strategic programming including objectives, expected results and performance indicators. It shall also set out the resource programming including multiannual budget and staff.

8.The resource programming shall be updated annually. The strategic programming shall be updated where appropriate and in particular where necessary to address the outcome of the evaluation referred to in Article 120.

CHAPTER IV
Establishment and structure of ENISA’s budget

Article 45
Establishment of ENISA’s budget

1.Each year, the Executive Director shall draw up a provisional draft estimate of ENISA’s revenue and expenditure for the following financial year, including the establishment plan, and shall send it to the Management Board.

2.The provisional draft estimate shall be based on the objectives and expected results of the annual work programme, and shall take into account the financial resources necessary to achieve those objectives and expected results, in accordance with the principle of sound financial management and performance.

3.On the basis of the provisional draft estimate, the Management Board shall adopt a draft estimate of ENISA’s revenue and expenditure for the following financial year, and shall send it to the Commission by 31 January each year.

4.The Commission shall send the draft estimate to the budgetary authority together with the draft general budget of the Union. The draft estimate shall also be made available to ENISA.

5.On the basis of the draft estimate, the Commission shall enter in the draft general budget of the Union the estimates it considers to be necessary for the establishment plan and the amount of the contribution to be charged to the general budget of the Union, which it shall submit to the budgetary authority in accordance with Articles 313 and 314 TFEU.

6.The budgetary authority shall authorise the appropriations for the contribution from the general budget of the Union to ENISA.

7.The budgetary authority shall adopt ENISA’s establishment plan.

8.The Management Board shall adopt ENISA’s budget. It shall become final following the final adoption of the general budget of the Union, and, if necessary, it shall be adjusted accordingly.

9.For any building project likely to have significant implications for the budget of ENISA, Delegated Regulation (EU) 2019/715 shall apply.

Article 46
Structure of ENISA’s budget

1.Estimates of all revenue and expenditure of ENISA shall be prepared each financial year and shall be shown in ENISA’s budget. The financial year shall correspond to the calendar year.

2.ENISA’s budget shall be balanced in terms of revenue and expenditure.

3.Without prejudice to other resources, ENISA’s revenue shall be composed of:

(a)a contribution from the Union entered in the general budget of the Union;

(b)revenue assigned to specific items of expenditure in accordance with its financial rules referred to in Article 50;

(c)Union funding in the form of contribution agreements or ad hoc grants in accordance with ENISA’s financial rules referred to in Article 50 and with the provisions of the relevant instruments supporting the policies of the Union;

(d)the fees levied on the applicants for activities related to European individual cybersecurity skills attestation schemes referred to in Article 22(1);

(e)the fees levied on the conformity assessment bodies for participation in and issuance of European cybersecurity certificates under a European cybersecurity certification scheme referred to in Article 47(2);

(f)the fees levied on public authorities or private bodies for testing tools as referred to in Article 47(3);

(g)any contribution from third countries participating in the work of ENISA, as provided for in Article 70(4);

(h)any voluntary contributions from Member States in money or in kind.

4.Member States that provide voluntary contributions, as referred to in paragraph 3, point (g) shall not claim any specific right or service as a result thereof.

5.The expenditure of ENISA shall include staff remuneration, administrative and infrastructure expenses, and operational expenditure.

Article 47
Fees

1.In relation to each European attestation scheme activity referred to in Article 22(1), the following fees shall be levied towards applicants within the meaning of Article 21(3) or to authorised attestation providers to contribute to covering the full costs of the activities performed by ENISA:

(a)issuing authorisations following examination of the requirements laid down in Article 21(3) and (4), including conducting evaluations;

(b)yearly maintenance of the authorisation;

(c)renewing authorisations for providers of European individual cybersecurity skills attestations, including conducting evaluations.

2.In relation to certification, the following fees shall be levied on the conformity assessment bodies for the maintenance of European cybersecurity certification schemes under which European cybersecurity certificates are issued, in particular:

(a)an annual fee for the participation in a European cybersecurity certification scheme;

(b)a fee for issuance of European cybersecurity certificates under European cybersecurity certification schemes.

The fees referred to in point b) shall be levied when the conformity assessment body submits European cybersecurity certificates to ENISA for publication on their website pursuant to Article 79.

3.In relation to testing tools referred to in Article 15(1), a fee shall be levied on any public authority or private body for their use.

4.Fees shall be expressed and payable in euro. 

5.The Commission shall adopt implementing acts laying down detailed rules relating to determining the fees to be levied by ENISA, specifying in particular the estimated costs attributable to each of the matters for which fees pursuant to paragraphs 1, 2 and 3 are chargeable, and the individual fee amounts chargeable, as well as the ways and conditions under which the fees should be paid. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 118(2). The Commission shall consult ENISA when preparing those draft implementing acts.

6.The fees determined by the implementing acts referred in paragraph 5 shall be set out in advance to be proportionate to the estimated costs of the activities performed or services delivered as determined in a cost-effective way and shall be sufficient to cover those costs. All expenditure of ENISA attributed to staff involved in activities referred to in paragraphs 1, 2 and 3 shall be reflected in the costs to cover. Fees shall be set at such a level as to avoid a deficit or a significant accumulation of surplus in ENISA’s budget. Budgetary surpluses generated through fees shall be carried over to fund activities of ENISA, in particular future activities related to fees, or offset the losses incurred. If a significant positive balance in the budget, resulting from activities covered by fees, becomes recurrent, or if a significant negative balance results from the provision of the services covered by fees, the Commission shall amend the implementing acts referred to in paragraph 5 to revise the method for calculating the fees in accordance with Article 118(2).

The amount of the fees for the tasks referred to in paragraph 1 shall be fixed at such a level as to ensure that the revenue in respect thereof sufficiently contributes to cover the costs of the activities related to the development and maintenance of European individual attestation schemes, the processing of applications and the delivery and renewal of authorisations and the necessary for those oversight activities by ENISA.

The amount of the fees for the tasks referred to in paragraph 2 shall be fixed at such a level as to ensure that the revenue in respect thereof sufficiently contributes to cover the full costs of the activities related to maintaining the European cybersecurity certification schemes set out in Article 75.

The amount of the fees for the tasks referred to in paragraph 3 shall be fixed at such a level as to ensure that the revenue in respect thereof sufficiently contributes to cover the costs of the activities related to the provision of testing tools as set out in Article 15(1).

7.ENISA shall provide a report on the fees levied and their impact on its budget as part of the procedure for the presentation of accounts laid down in Article 50.

8.ENISA shall put in place a set of indicators to measure the workload, effectiveness and efficiency in relation to activities financed through fees. ENISA shall adapt its staff planning and management of resources related to fees accordingly to be able to adequately respond to such demand and to any fluctuations in revenue from fees. ENISA shall share the report with the Commission, which the Commission may use for the purpose of the evaluation referred to in Article 120(1).

Article 48
Implementation of ENISA’s budget

1.The Executive Director shall be responsible for the implementation of ENISA’s budget and shall act as authorising officer.

2.The Commission’s internal auditor shall exercise the same powers over ENISA as over Commission departments.

3.Each year, the Executive Director shall send to the budgetary authority all information relevant to the findings of evaluation procedures.

Article 49
Presentation of accounts and discharge

1.ENISA’s accounting officer shall send the provisional accounts for the financial year (year N) to the Commission’s accounting officer and to the Court of Auditors by 1 March of the following financial year (year N + 1).

2.ENISA’s accounting officer shall also provide the required accounting information for consolidation purposes to the Commission’s accounting officer, in the manner and format required by the latter by 1 March of year N + 1.

3.ENISA shall send the report on the budgetary and financial management for year N to the European Parliament, the Council, the Commission and the Court of Auditors by 31 March of year N + 1.

4.On receipt of the Court of Auditor’s observations on ENISA’s provisional accounts for year N, ENISA’s accounting officer shall draw up ENISA’s final accounts on their own responsibility. The Executive Director shall submit them to the Management Board for an opinion.

5.The Management Board shall deliver an opinion on ENISA’s final accounts for year N.

6.ENISA’s accounting officer shall, by 1 July of year N + 1 send the final accounts for year N to the European Parliament, the Council, the Commission and the Court of Auditors, together with the Management Board’s opinion.

7.A link to the web pages containing ENISA’s final accounts shall be published in the Official Journal of the European Union by 15 November of year N + 1.

8.The Executive Director shall send to the Court of Auditors, by 30 September of year N + 1, a reply to the observations made in its annual report. The Executive Director shall also send that reply to the Management Board and to the Commission.

9.The Executive Director shall submit to the European Parliament, at the latter’s request, any information required for the smooth application of the discharge procedure for year N, in accordance with Article 267(3) of Regulation (EU, Euratom) 2024/2509 of the European Parliament and of the Council.

10.On a recommendation from the Council acting by qualified majority, the European Parliament shall, before 15 May of year N + 2, give a discharge to the Executive Director in respect of the implementation of the budget for year N.

Article 50
Financial rules

1.The financial rules applicable to ENISA shall be adopted by the Management Board after consulting the Commission. They shall not depart from Delegated Regulation (EU) 2019/715 unless such a departure is specifically required for the operation of ENISA and the Commission has given its prior consent.

2.ENISA shall establish and implement its budget in accordance with its financial rules and Regulation (EU, Euratom) 2024/2509.

Article 51
Combating fraud

1.In order to combat fraud, corruption and other unlawful activities, the provisions of Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council 75  shall apply without restriction to the activities of ENISA.

2.ENISA shall accede to the Interinstitutional Agreement of 25 May 1999 between the European Parliament, the Council of the European Union and the Commission of the European Communities concerning internal investigations by the European Anti-Fraud Office (OLAF) 76 within six months from [OP please insert the exact date, as referred to in Art. 127] and shall adopt the appropriate provisions applicable to its staff using the template set out in the Annex to that Agreement.

3.The Court of Auditors shall have the power of audit, on the basis of documents and on-the-spot checks, over all grant beneficiaries, contractors and subcontractors who have received Union funds from ENISA.

4.OLAF may carry out investigations, including on-the-spot checks and inspections with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with a grant or a contract funded by ENISA, in accordance with the provisions and procedures laid down in Regulation (EU, Euratom) No 883/2013 and Council Regulation (Euratom, EC) No 2185/96 77 .

5.Without prejudice to paragraphs 1to 4, working agreements with third countries and international organisations, contracts, grant agreements and grant decisions of ENISA shall contain provisions expressly empowering the Court of Auditors and OLAF to conduct such audits and investigations, according to their respective competencies.

6.In accordance with Council Regulation (EU) 2017/1939, the EPPO may investigate and prosecute fraud and other illegal activities affecting the financial interests of the Union as provided for in Directive (EU) 2017/1371 of the European Parliament and of the Council 78 .

Article 52
Declaration of interests

1.Members of the Management Board, the Executive Director, the Deputy Executive Director, and officials seconded by Member States on a temporary basis, shall each make a declaration of commitments and a declaration indicating the absence or presence of any direct or indirect interest which might be considered to be prejudicial to their independence. The declarations shall be accurate and complete, shall be made annually in writing, and shall be updated whenever necessary.

2.Members of the Management Board, the Executive Director, the Deputy Executive Director, external experts participating in ad hoc working groups, shall each accurately and completely declare, at the latest at the start of each meeting, any interest which might be considered to be prejudicial to their independence in relation to the items on the agenda, and shall abstain from participating in the discussion of and voting on such items.

3.ENISA shall lay down, in its internal rules of operation, the practical arrangements for the rules on declarations of interest referred to in paragraphs 1 and 2.

Article 53
Transparency

1.ENISA shall carry out its activities with a high level of transparency and in accordance with Article 55.

2.ENISA shall ensure that the public and any interested parties are provided with appropriate, objective, reliable and easily accessible information, in particular with regard to the results of its work. It shall also make publicly available the declarations of interest made in accordance with Article 52.

3.The Management Board, acting on a proposal from the Executive Director, may authorise interested parties to observe the proceedings of some of ENISA’s activities.

4.ENISA shall lay down, in its internal rules of operation, the practical arrangements for implementing the transparency rules referred to in paragraphs 1 and 2.

Article 54
Confidentiality within ENISA

1.Without prejudice to Article 55, ENISA shall not disclose to third parties information that it processes or receives in relation to which a reasoned request for confidential treatment has been made.

2.Members of the Management Board, the Executive Director, the Deputy Executive Director, the members of the ENISA Advisory Group, external experts participating in ad hoc working groups, and members of the staff of ENISA, including officials seconded by Member States on a temporary basis, shall comply with the confidentiality requirements of Article 339 TFEU, even after their duties have ceased.

3.ENISA shall lay down, in its internal rules of operation, the practical arrangements for implementing the confidentiality rules referred to in paragraphs 1 and 2.

Article 55
Access to documents

1.Regulation (EC) No 1049/2001 shall apply to documents held by ENISA.

2.The Management Board shall adopt arrangements for implementing Regulation (EC) No 1049/2001.

3.Decisions taken by ENISA pursuant to Article 8 of Regulation (EC) No 1049/2001 may be the subject of a complaint to the European Ombudsman under Article 228 TFEU or of an action before the Court of Justice of the European Union under Article 263 TFEU.

CHAPTER V
Staff and Liaison Officers

Article 56
General provisions

1.The Staff Regulations of Officials and the Conditions of Employment of Other Servants, as well as the rules adopted by agreement between the Union institutions for giving effect to the Staff Regulations of Officials and the Conditions of Employment of Other Servants shall apply to the staff of ENISA.

2.The staff of ENISA, liaison officers and seconded national experts to ENISA shall undergo appropriate security clearance procedure.

Article 57
Privileges and immunities

Protocol No 7 on the privileges and immunities of the European Union, annexed to the TFEU, shall apply to ENISA and its staff.

Article 58
Liaison officers

1.Each Member State shall designate at least two liaison officers from a national competent authority designated pursuant to Article 8(1) of Directive (EU) 2022/2555 as seconded national experts to ENISA to work at its seat or its local office, in accordance with Article 59(2). The Commission may also designate a liaison officer.

2.Liaison officers shall contribute to executing the tasks of ENISA, including by facilitating operational cooperation and exchange of information as referred to in Article 11. Liaison officers shall also support ENISA in disseminating information about its activities, findings and recommendations to relevant stakeholders across the Union. They shall also act as national contact points for questions from their Member States and relating to their Member States, either by answering those questions directly or by liaising with their national administrations.

3.Liaison officers designated by their Member States shall be entitled to request and receive all relevant information from their Member States, as provided for by this Regulation, while fully respecting the national law and the Member State’s practices, in particular as regards data protection and confidentiality.

Article 59
Seconded national experts and other staff

1.ENISA may make use of seconded national experts or other staff not employed by ENISA, in any areas of its work. The Staff Regulations and the Conditions of Employment shall not apply to such staff.

2.The Management Board shall adopt a decision laying down rules on the secondment of national experts, including liaison officers, to ENISA.

CHAPTER VI
GENERAL PROVISIONS CONCERNING ENISA

Article 60
Legal status of ENISA

1.ENISA shall be a body of the Union with legal personality.

2.In each Member State, ENISA shall enjoy the most extensive legal capacity accorded to legal persons under that Member State’s national law. It may, in particular, acquire or dispose of movable and immovable property and be a party to legal proceedings.

3.ENISA shall be represented by the Executive Director.

Article 61
Seat

ENISA shall have its seat in Athens, Greece.

Article 62
Headquarters Agreement and operating conditions

1.The necessary arrangements concerning the accommodation to be provided for ENISA in the host Member State and the facilities to be made available by that Member State together with the specific rules applicable in the host Member State to the Executive Director, members of the Management Board, ENISA’s staff and members of their families shall be laid down in a headquarters agreement between ENISA and the host Member State, concluded after obtaining the approval of the Management Board.

2.ENISA’s host Member State shall provide the best possible conditions for ensuring the proper functioning of ENISA, taking into account the accessibility of the location, the existence of adequate education facilities for the children of staff members, appropriate access to the labour market, social security and medical care for both children and spouses of staff members.

Article 63
Administrative control

The operations of ENISA shall be supervised by the European Ombudsman in accordance with Article 228 TFEU.

Article 64
Liability of ENISA

1.The contractual liability of ENISA shall be governed by the law applicable to the contract in question.

2.The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by ENISA.

3.In the case of non-contractual liability, ENISA shall make good any damage caused by it or its staff in the performance of their duties, in accordance with the general principles common to the laws of the Member States.

4.The Court of Justice of the European Union shall have jurisdiction in disputes overcompensation for damages referred to in paragraph 3.

5.The personal liability of ENISA’s staff towards ENISA shall be governed by the provisions laid down in the Staff Regulations or Conditions of Employment applicable to them.

Article 65
Language arrangements

1.Council Regulation No 1 79 shall apply to ENISA. The Member States and the other bodies appointed by the Member States may address ENISA and receive a reply in the official language of the institutions of the Union that they choose.

2.Translation and all other linguistic services required for the functioning of ENISA, other than interpretation, shall be provided by the Translation Centre for the Bodies of the European Union.

Article 66
Protection of personal data

1.The processing of personal data by ENISA shall be subject to Regulation (EU) 2018/1725.

2.The Management Board shall adopt implementing rules as referred to in Article 45(3) of Regulation (EU) 2018/1725. The Management Board may adopt additional measures necessary for the application of Regulation (EU) 2018/1725 by ENISA.

Article 67
Security rules on the protection of sensitive non-classified information and classified information

In agreement with the Commission, ENISA shall adopt security rules applying the security principles contained in the Commission’s security rules for protecting sensitive non-classified information and EUCI, as set out in Decisions (EU, Euratom) 2015/443 80 and 2015/444 81 . Those security rules shall include provisions for the exchange, processing and storage of such information. 

Article 68
Cooperation with Union entities and national authorities

1.To ensure consistency, create synergies and address issues of common concern, ENISA shall cooperate on matters related to cybersecurity with CERT-EU and relevant Union entities, including Europol, the European Cybersecurity Industrial, Technology and Research Competence Centre established pursuant to Regulation (EU) 2021/887, and the European Data Protection Board established pursuant to Article 68(1) of Regulation (EU) 2016/679.

2.The cooperation referred to in paragraph 1 may be ensured by means of:

(a)the exchange of know-how and best practices;

(b)the provision of advice and issuance of guidance on matters related to cybersecurity;

(c)the establishment of practical arrangements for the execution of specific tasks, after consulting the Commission.

3.ENISA shall engage in a structured cooperation with CERT-EU, in particular on matters related to capacity-building, operational cooperation, and long-term strategic analyses of cyber threats.

4.ENISA shall cooperate and exchange information with relevant market surveillance and supervisory authorities designated under Union legislation in the field of cybersecurity, including Regulation (EU) 2024/2847.

Article 69
Cooperation with stakeholders

1.Where necessary to achieve the objectives of this Regulation, ENISA shall cooperate with relevant stakeholders, such as the cybersecurity industry, the ICT industry, SMEs, entities operating in sectors listed in Annexes I and II to Directive (EU) 2022/2555, manufacturers, importers or distributors of products with digital elements within the meaning of Regulation (EU) 2024/2847, conformity assessment bodies notified under the European cybersecurity certification framework and Regulation (EU) 2024/2847, entities operating in the area of electronic identification means, consumer groups, and academic experts in the field of cybersecurity. To that end, ENISA may establish public-private partnerships.

2.ENISA shall, in consultation with the Commission, support cooperation between notified conformity assessment bodies pursuant to Article 93. In particular, it may establish a group of notified conformity assessment bodies for sharing of best practices, creating synergies with other relevant Union legislation, in particular Regulation (EU) 2024/2847.

Article 70
Cooperation with third countries and international organisations

1.To the extent necessary to achieve the objectives of this Regulation, ENISA may cooperate with the competent authorities of third countries or with international organisations or both, in line with the priorities of the Union. To that end, ENISA may establish working arrangements with the authorities of third countries and international organisations, subject to the prior approval of the Commission. Those working arrangements shall not create legal obligations incumbent on the Union and its Member States.

2.The Management Board shall adopt a strategy for relations with third countries and international organisations concerning matters for which ENISA is competent and in line with the priorities referred to in paragraph 1. The Commission shall ensure that ENISA operates within its mandate and the existing institutional framework by concluding appropriate working arrangements with the Executive Director.

3.To support cooperation with third countries, in particular countries that are candidates for accession to the Union, ENISA may deliver its capacity-building expertise, in particular in the following areas:

(a)assessment of the level of maturity of cybersecurity capabilities and resources;

(b)growth and enhancement of the cybersecurity workforce, including by promoting the ECSF and the European individual cybersecurity skills attestation schemes, and providing learning and training activities;

(c)supporting the planning and execution of cybersecurity exercises.

4.ENISA shall be open to the participation of third countries in ENISA’s work that have concluded agreements with the Union to that effect. Under the relevant provisions of agreements concluded between third countries and the Union, working arrangements shall be established, subject to prior approval of the Commission, specifying in particular the nature, extent and manner in which those third countries are to participate in ENISA’s work, and shall include provisions relating to participation in the initiatives undertaken by ENISA, to financial contributions and to staff. As regards staff matters, those working arrangements shall comply with the Staff Regulations and Conditions of Employment in any event.

5.ENISA shall regularly report to the Council and the Commission on the implementation of the working arrangements referred to in paragraphs 1 and 4.

TITLE III

EUROPEAN CYBERSECURITY CERTIFICATION FRAMEWORK

CHAPTER I
Objectives, Scope and Procedures

Article 71
Objectives and scope of the European cybersecurity certification framework

1.The European cybersecurity certification framework shall be established with a view of creating a digital single market for ICT products, ICT services, ICT processes, managed security services and entities. To that end, it shall increase the level of cybersecurity within the Union and enable a harmonised approach to European cybersecurity certification schemes as well as leverage certification to facilitate compliance with applicable Union legislation.

2.The European cybersecurity certification framework shall provide for a mechanism to establish European cybersecurity certification schemes and to attest the following:

(a)that the ICT products, ICT services and ICT processes that have been evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, services and processes throughout their lifecycle;

(b)that managed security services that have been evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity and confidentiality of data which are accessed, processed, stored or transmitted in relation to the provision of those services, and that those services are provided continuously with the requisite competence, expertise and experience by staff with a sufficient and appropriate level of relevant technical knowledge and professional integrity;

(c)that the cyber posture of an entity that has been evaluated in accordance with such schemes complies with specified cybersecurity requirements.

3.European cybersecurity certification shall be voluntary, unless otherwise specified in Union or national law.

4.A European cybersecurity certificate and EU statement of conformity issued under the European cybersecurity certification framework shall be automatically recognised in all Member States.