The EU Cybersecurity Act is Regulation (EU) 2019/881, adopted by the European Parliament and the Council on 17 April 2019 and entering into force on 27 June 2019. It has two main pillars.
First, it transformed the European Union Agency for Cybersecurity (ENISA), previously operating under temporary mandates since 2004, into a permanent agency with a strengthened role, a larger budget, and expanded tasks covering operational cooperation, capacity building, and support to EU institutions and member states during large-scale cyber incidents.
Second, it established a European cybersecurity certification framework. Under this framework, the European Commission can request ENISA to prepare candidate certification schemes for specific categories of ICT products, services, and processes. Each scheme defines security requirements, evaluation methods, and one of three assurance levels: basic, substantial, or high. Certificates issued under an EU scheme are valid across all member states, replacing fragmented national schemes such as France's CSPN or Germany's BSI certifications for the categories covered.
The first scheme adopted under the Act was the EUCC (Common Criteria-based scheme), formally adopted by Commission Implementing Regulation (EU) 2024/482 in January 2024. Other schemes under development include EUCS (for cloud services) and EU5G (for 5G networks), though their finalization has been politically contentious, particularly over sovereignty requirements affecting non-EU cloud providers.
The Act sits within a broader EU cybersecurity policy architecture that includes the NIS Directive (2016) and its successor NIS2 (Directive (EU) 2022/2555), the Cyber Resilience Act (Regulation (EU) 2024/2847), and the Digital Operational Resilience Act (DORA) for financial entities. While the NIS framework imposes security obligations on operators, the Cybersecurity Act focuses on agency governance and voluntary certification, though sectoral laws may make specific certifications mandatory.
Example
In January 2024, the European Commission adopted the EUCC, the first certification scheme under the EU Cybersecurity Act, enabling ICT vendors to obtain EU-wide security certificates based on Common Criteria.
Frequently asked questions
By default, schemes are voluntary. However, other EU laws (such as sectoral regulations or the Cyber Resilience Act) can make specific certifications mandatory for certain products.
Keep learning