
The EU Cybersecurity Certification Framework

The EU's Cybersecurity Certification Framework for Information and Communication Technology (ICT) products enables tailored and risk-based EU certification schemes.

Certification plays a crucial role in increasing trust and security in critical products and services for the digital world. At present, a number of different security certification schemes for ICT products exist in the EU. However, without a common framework for EU-wide valid cybersecurity certificates, there is an increasing risk of fragmentation and barriers between Member States.

The certification framework

The certification framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. The framework will be based on agreement at EU level on the evaluation of the security properties of a specific ICT-based product or service. It will attest that ICT products and services that have been certified in accordance with such a scheme comply with specified requirements.

In particular, each European scheme should specify:

  • The categories of products and services covered;
  • The cybersecurity requirements, such as standards or technical specifications;
  • The type of evaluation, such as self-assessment or third party;
  • The intended level of assurance.

The assurance levels inform users of a product's cybersecurity risk and can be basic, substantial or high. They are commensurate with the level of risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident. A high assurance level means that the certified product has passed the most demanding security evaluations.

The resulting certificate

The resulting certificate will be recognised in all EU Member States, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service.

To learn more about the work done on EU cybersecurity certification, please consult the ENISA cybersecurity certification website.

The EU Cybersecurity Certification Scheme on Common Criteria (EUCC)

The first scheme to be adopted under the Cybersecurity Act certification framework is based on the renowned international standard Common Criteria, which has been used to issue certificates in Europe for almost 30 years. The scheme builds on the high reputation of European vendors and certifiers using Common Criteria-based certification across the world. The scheme becomes available to vendors as of 27 February 2025.

The scheme applies EU-wide, on a voluntary basis, and focuses on certifying the cybersecurity of ICT products throughout their lifecycle, including:

  • Biometric systems
  • Firewalls (both hardware and software)
  • Detection and response platforms
  • Routers
  • Switches
  • Specialised software (such as SIEM and IDS/IDP systems)
  • Data diodes
  • Operating systems (including for mobile devices)
  • Encrypted storage
  • Databases
  • Smart cards and secure elements embedded in all sorts of products, such as the passports used daily by citizens.

To learn more about the EUCC, please consult the ENISA certification website.

The Union Rolling Work Programme for European cybersecurity certification (URWP)

The Union Rolling Work Programme (URWP) on European Cybersecurity Certification was published at the same time as the first EU-wide cybersecurity certification scheme (EUCC). The first URWP outlines strategic priorities for future European cybersecurity certification schemes, taking into consideration recent legislative and market developments, such as the Cyber Resilience Act (CRA) and the European Digital Identity Regulation. This might eventually lead to requests for new schemes where necessary and appropriate. Furthermore, it outlines the strategic priorities to be considered when preparing any European cybersecurity certification scheme.

The URWP stresses the following areas for future European cybersecurity certification linked to EU legislation:

  • ID Wallets
  • Managed security services
  • Industrial Automation and Control Systems
  • Security lifecycle development building on the CRA requirements
  • Cryptographic mechanisms

The European Cybersecurity Certification Group (ECCG)

The European Cybersecurity Certification Group (ECCG) was established to help ensure the consistent implementation and application of the Cybersecurity Act. It is composed of representatives of national cybersecurity certification authorities or of other relevant national authorities. The ECCG is instrumental in the preparation of candidate certification schemes and in the general implementation of the certification framework.

The Stakeholder Cybersecurity Certification Group (SCCG)

Following the entry into force of the Cybersecurity Act in 2019, the Stakeholder Cybersecurity Certification Group (SCCG) was established.

The SCCG is responsible for advising the Commission and ENISA on strategic issues regarding cybersecurity certification, and assisting the Commission in the preparation of the Union Rolling Work Programme (URWP). This is the first stakeholder expert group for cybersecurity certification launched by the European Commission.
