Product Security and Certification

EU cybersecurity certification provides evidence of compliance at a given level of trust. Various legislative tools refer to EU cybersecurity certification schemes as a means of demonstrating compliance with their requirements.

While remaining voluntary, cybersecurity certification maintains a key role in the harmonisation and resilience of the Common Market. Under the Cybersecurity Act (EU 881/2019), and through its privileged position between public institutions, industry and standardisation organisations, ENISA is entrusted with developing and maintaining cybersecurity certification schemes. The involvement of Member States, the Commission and the certification ecosystem (industry, experts, standardisation bodies, etc.) is paramount to these schemes' successful delivery. The diverse scope of information and communication technology (ICT) products and services on the market necessitates the specification of different scopes and requirements per scheme, along with the assignment of different assurance levels (basic, substantial, high) on the basis of the solution to be certified.

After their adoption, the EU Certification schemes can lead to the issuance of labels (e.g. under the European Cybersecurity Scheme on Common Criteria - EUCC), establish mutual recognition agreements with authorities outside the Common Market, or be used to demonstrate certain products' presumption of conformity to regulatory requirements.

Cyber Resilience Act

The Cyber Resilience Act (CRA) is one of the many regulatory tools whose implementation is complemented by the adoption of cybersecurity certification schemes. By ensuring that products with digital elements (PDEs) maintain a high level of cybersecurity, as well as mandating transparency for their security properties, the CRA ensures that consumers and businesses can be confident that internet-connected hardware and software products will remain secure throughout their lifecycle. 

As the CRA enters into effect, PDEs will have to be compliant before being made available on the Common Market. Some manufacturers of PDEs will be required to carry out a self-conformity assessment, while for PDEs designated Important or Critical a third-party conformity assessment will be necessary. PDEs can be presumed to conform with the essential requirements if they comply with harmonised technical standards.

To this end, the EU Commission and EU standards bodies work to identify technical cybersecurity standards, while ENISA has already issued a report mapping existing standards against CRA requirements. These requirements will need to be translated into the form of harmonised standards, with which manufacturers can comply. In support of the standardisation effort, the ENISA report identified the most relevant existing cybersecurity standards for each CRA requirement, analysed the coverage already offered on the intended scope of the requirement and highlighted possible gaps to be addressed.

By blending voluntary and mandatory measures, the EU aims to uphold digital security in a structured and cohesive manner across the Union. Certification schemes developed by ENISA operate in conjunction with, and complementary to, regulations, making digital products safer for consumers. By certifying their products to a commonly agreed-upon degree of trust, stakeholders ensure regulatory compliance while also upholding European resilience to cyber threats.