EU Cybersecurity Act (Regulation (EU) 2019/881)
The EU Cybersecurity Act gives ENISA a permanent mandate and creates an EU-wide certification framework for ICT products, services, and processes with basic, substantial, and high assurance levels. Certification is largely voluntary but can be mandated by sector law.
What the EU Cybersecurity Act Is
Regulation (EU) 2019/881, the Cybersecurity Act, does two main things. First, it gives the European Union Agency for Cybersecurity (ENISA) a permanent mandate and expanded role in supporting EU cybersecurity policy, operational cooperation, and capacity building. Second, it establishes an EU-wide cybersecurity certification framework so that ICT products, services, and processes can be certified once and recognized across all member states. It exists to raise and harmonize trust in digital products in the single market.
Under the framework, the Commission and ENISA develop European certification schemes, such as the EUCC scheme for ICT products, each defining assurance levels of basic, substantial, or high.
Who It Applies To
The Act applies broadly. ENISA's mandate affects member states and EU institutions. The certification framework is relevant to manufacturers and providers of ICT products, services, and processes that wish to obtain EU-recognized certification, as well as to conformity assessment bodies and national certification authorities. Certification is generally voluntary unless a sector-specific law makes a scheme mandatory.
Key Requirements
- Certification schemes — Align products and services with the requirements of applicable European cybersecurity certification schemes.
- Assurance levels — Select and meet the appropriate assurance level (basic, substantial, or high) for the intended risk.
- Conformity assessment — Undergo evaluation by accredited bodies, with self-assessment permitted only at the basic level for certain schemes.
- Vulnerability handling — Maintain processes to manage and disclose vulnerabilities.
- Documentation — Provide security documentation and supporting evidence.
- Maintenance — Sustain certified status through monitoring and updates.
Penalties for Non-Compliance
Because certification is largely voluntary, penalties typically arise from misuse rather than non-participation: member states set penalties for false claims of certification or breaches of scheme rules, and certificates can be withdrawn. Where other laws make a scheme mandatory for a market, lack of certification can block market access for affected products.
How to Comply
Identify which European certification schemes apply or add value to the product, then design and document the product to meet the relevant assurance level. Engage accredited conformity assessment bodies, prepare security evidence, and operate a vulnerability handling and disclosure process. Maintain certification through ongoing monitoring and updates, and watch for sector laws that may make certification mandatory.