The EU Cybersecurity Act

KEY POINTS

ENISA’s mandate is to:

• achieve a high common level of cybersecurity across the EU;
• support national authorities and EU institutions, bodies, offices and agencies in improving cybersecurity;
• serve as a reference point for scientific and technical advice and expertise on cybersecurity for EU institutions, bodies, offices and agencies, and for other relevant stakeholders;
• contribute to reducing the fragmentation of the internal market;
• act independently, avoid duplicating national activities and take account of national expertise;
• develop its own technical, human and skill resources.

ENISA’s tasks are to:

• help develop and implement EU policy and law;
• promote capacity building, for instance through improved prevention, detection and analysis of, and response to, cyber threats¹ and by assisting the development of national computer security incident response teams (CSIRTs) or through the organisation of cybersecurity exercises at the EU level;
• support EU operational cooperation among all stakeholders involved, including the EU’s Cybersecurity Service for the Union Institutions, Bodies, Offices and Agencies (CERT-EU), by means of, notably, the exchange of know-how and best practices, the supply of relevant guidelines and the servicing of the EU and national CSIRTs networks;
• support and promote the development and implementation of EU cybersecurity certification of ICT products, ICT services, ICT processes and managed security services, as part of its role in preparing schemes under the new European cybersecurity certification framework;
• collect and analyse knowledge and information on cybersecurity, notably on emerging technologies, cyber threats and incidents, to provide information and advice to national authorities, relevant stakeholders and, through a dedicated portal, the public (citizens, organisations and businesses);
• raise public awareness of cybersecurity risks, provide guidance on good practices for individual users and promote cybersecurity awareness and education in general;
• advise on research needs and priorities and contribute to the EU’s strategic cybersecurity research and innovation agenda;
• contribute to the EU’s efforts to cooperate on cybersecurity with its international partners and organisations.

ENISA has the following administrative and management structure.

• The Management Board, with one representative from each EU Member State and two members appointed by the European Commission, which establishes the general direction of the agency’s activities and ensures that the agency carries out its tasks under conditions that enable it to serve in accordance with the founding regulation.
• The Executive Board of five members, which prepares decisions to be adopted by the Management Board.
• An independent executive director, accountable to the Management Board and reporting to the European Parliament and the Council of the European Union when asked to do so, who is responsible for managing the agency.
• The ENISA Advisory Group of recognised experts from relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services, small and medium-sized enterprises, consumers, academics and operators of essential services, along with representatives of competent authorities notified under the European Electronic Communications Code, standardisation organisations, law enforcement and data protection supervisory authorities, which focuses on issues relevant to stakeholders and brings them to the attention of ENISA.
• The National Liaison Officers Network, composed of representatives of all Member States, which facilitates the exchange of information between ENISA and the Member States and supports ENISA in making its activities, findings and recommendations widely known.

The regulation creates the following.

• A Stakeholder Cybersecurity Certification Group of recognised experts to, among other things, advise the Commission on strategic issues regarding the EU cybersecurity certification framework and, upon request, ENISA on general and strategic issues concerning the agency’s relevant tasks.
• A European Cybersecurity Certification Group (ECCG) composed of national representatives to advise and assist the Commission in its work to ensure the consistent implementation and application of the act, and ENISA in relation to the preparation of candidate cybersecurity certification schemes.

ENISA:

• is established for an indefinite period as from 27 June 2019;
• operates in accordance with a single programming document containing its annual and multiannual programming;
• follows the Commission’s security rules to protect sensitive non-classified information and EU-classified information;
• does not divulge to third parties confidential information it processes or receives;
• participates fully in EU measures to combat fraud, corruption and other unlawful activities;
• processes personal data in accordance with respective EU rules.

The regulation establishes a European cybersecurity certification framework to:

• improve the functioning of the internal market by increasing the level of cybersecurity in the EU and enabling a harmonised approach at the EU level to European cybersecurity certification schemes with a view to creating a digital single market for ICT products, ICT services, ICT processes and managed security services;
• set up a mechanism to establish certification schemes that confirm ICT products, ICT services, ICT processes and managed security services that have been evaluated in accordance with such schemes comply with specified security requirements to protect the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or functions or services offered by, or accessible via, those products, services and processes throughout their life cycle.

Under the framework:

• the Commission:
  • publishes an EU rolling work programme for European cybersecurity certification identifying strategic priorities and ICT products, ICT services, ICT processes and managed security services or categories which could benefit from a scheme,
  • may request that ENISA prepare a candidate certification scheme or review an existing one;
• ENISA:
  • prepares suitable draft schemes, following a request from the Commission or the European Cybersecurity Certification Group,
  • evaluates each adopted certification scheme every five years, taking account of the feedback received,
  • maintains a dedicated website that provides information on the schemes, certificates and conformity statements.

The voluntary European cybersecurity certification schemes:

• aim to achieve various security objectives, such as protecting stored, transmitted and processed data;
• denote the security level of ICT products, ICT services, ICT processes and managed security services as basic, substantial or high;
• allow manufacturers and providers of low-risk (i.e. basic) ICT products, ICT services, ICT processes and managed security services to assess these themselves (conformity self-assessment);
• must include certain features, such as clear descriptions of the purpose, subject matter and scope, and the evaluation criteria and methods used;
• replace similar national ones, although those certificates remain valid until their expiry date.

Manufacturers and providers of certified ICT products, ICT services, ICT processes and managed security services must make publicly available:

• guidance and recommendations to help end users install, apply and maintain their products or services;
• information about the duration for which they offer security support;
• their contact details;
• references to online repositories with information on known cybersecurity issues affecting their products or services.

Member States appoint one or more national cybersecurity certification authorities with sufficient resources and powers to monitor, supervise and enforce the rules of the European cybersecurity certification schemes.

The Commission:

• regularly assesses the efficiency and use of the adopted certification schemes and considers whether any scheme should be made compulsory;
• had to complete its first detailed assessment by 31 December 2023, with others every two years thereafter;
• had to evaluate ENISA’s impact, effectiveness and efficiency by 28 June 2024, and every five years thereafter.

Individuals and legal entities have the right to lodge a complaint with the issuer of a European cybersecurity certificate and to seek effective judicial remedy.

Amendment – managed security services

In December 2024, Regulation (EU) 2025/37 amending the regulation as regards managed security services, was adopted. This targeted amendment introduces the definition of managed security services and extends the scope of the European cybersecurity certification framework by including managed security services. Consequently, it also accordingly extends ENISA’s mandate and tasks as regards managed security services.

Regulation (EU) 2025/37 was published in the Official Journal on 15 January 2025 and has applied since 4 February 2025.

Notifications of conformity assessment bodies

In December 2024, the Commission adopted Implementing Regulation (EU) 2024/3143 for notifications pursuant to Article 61(5) of the Cybersecurity Act. The implementing act establishes the circumstances, formats and procedures for notifications of conformity assessment bodies across European cybersecurity certification schemes by the new approach notified and designated organisations (NANDO) information system. It also clarifies the circumstances in which changes should be made to the notification and on the basis of which the competence of notified conformity assessment bodies might be challenged.

Implementing Regulation 2024/3143 was published in the Official Journal on 19 December 2024 and has applied since 8 January 2025.

European common criteria-based cybersecurity certification scheme (EUCC)

In January 2024, the Commission adopted Implementing Regulation (EU) 2024/482 (see summary). This act lays down rules for the application of Regulation (EU) 2019/881 as regards the adoption of the voluntary European common criteria-based cybersecurity certification scheme (EUCC). This is the first scheme at the EU level and concerns certificates at the substantial or high assurance levels for ICT products such as hardware and software, including components such as chips and smart cards. The regulation includes detailed rules on aspects including:

• standards and requirements for the evaluation of and the issuance, renewal and withdrawal of EUCC certificates for products and protection profiles;
• conformity assessment bodies accredited to issue certificates or perform evaluation activities;
• compliance monitoring, non-conformity and non-compliance;
• vulnerability management and disclosure procedures;
• retention of records, disclosure and protection of information;
• mutual recognition agreements with non-EU countries;
• peer assessment of certification bodies;
• maintenance of the scheme; and
• national cybersecurity certification schemes covered by the EUCC.

The EUCC implementing regulation has applied since 27 February 2025.

Regulation (EU) 2019/881 and its related implementing regulation do not affect Member States’ responsibilities for public security, defence, national security or criminal law.

The regulation repeals Regulation (EU) No 526/2013 as from 27 June 2019.