Skip to main content
Shaping Europe’s digital future

The EU cybersecurity certification framework

The EU cybersecurity certification framework for ICT products enables the creation of tailored and risk-based EU certification schemes.

    Person holding tablet with their hand facing upwards so the screen doesn't show.  There is a padlock above the screen, surrounded by smaller icons representing the digital world.

© iStock by Getty Images -1159281243 Wojtek Skora

Certification plays a crucial role in increasing trust and security in important products and services for the digital world. At the moment, a number of different security certification schemes for ICT products exist in the EU. But, without a common framework for EU-wide valid cybersecurity certificates, there is an increasing risk of fragmentation and barriers between Member States.

The certification framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. The framework will be based on agreement at EU level on the evaluation of the security properties of a specific ICT-based product or service. It will attest that ICT products and services that have been certified in accordance with such a scheme comply with specified requirements.

In particular, each European scheme should specify:

  • the categories of products and services covered;
  • the cybersecurity requirements, such as standards or technical specifications;
  • the type of evaluation, such as self-assessment or third party;
  • the intended level of assurance.

The assurance levels are used to inform users of the cybersecurity risk of a product, and can be basic, substantial, and/or high. They are commensurate with the level of risk associated with the intended use of the product, service or process, in terms of probability and impact of an accident. A high assurance level would mean that the certified product passed the highest security tests.

The resulting certificate will be recognised in all EU Member States, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service.

Common Criteria-based Cybersecurity Certification Scheme

The first scheme to be adopted under the Cybersecurity Act certification framework is based on the renowned international standard Common Criteria, used to issuing certificates in Europe for almost 30 years now. The scheme takes advantage of the high reputation of European vendors and certifiers using the Common Criteria-based certification across the world. 

The scheme  will apply on a voluntary-basis EU-wide and focuses on certifying the cybersecurity of ICT products in their lifecycle: biometric systems, firewalls (both hardware and software), detection and response platforms, routers, switches, specialised software (such as SIEM and IDS/IDP systems), data diodes, operating systems (including for mobile devices), encrypted storages, databases as well as smart cards and secure elements included in all sorts of products, such as in passports daily used by all the citizens. 

Union Rolling Work Programme for European cybersecurity certification (URWP)

EU Cybersecurity Act foresees the publication by the Commission of a Union Rolling Work Programme for European cybersecurity certification, a document setting out a strategic vision and reflections on possible areas for future European cybersecurity certification schemes considering recent legislative and market developments. 

Taking into account the Cyber Resilience Act (CRA) and other legislative developments, such as the European Digital Identity Regulation, the first URWP points to areas for future European cybersecurity certification schemes linked to legislative developments as well as areas for future reflection regarding cybersecurity certification, which might eventually lead to requests for new schemes where necessary and appropriate. Furthermore, it outlines the strategic priorities to be considered when preparing any European cybersecurity certification scheme. 

The URWP stresses as areas for future European cybersecurity certification linked to EU legislation in particular ID Wallets and managed security services.  Other areas might include Industrial Automation and Control Systems and security lifecycle development building on the CRA requirements as well as cryptographic mechanisms.  

European Cybersecurity Certification Group 

The European Cybersecurity Certification Group (ECCG) was established to help ensure the consistent implementation and application of the Cybersecurity Act. It is composed of representatives of national cybersecurity certification authorities or representatives of other relevant national authorities. ECCG is instrumental for preparation of the candidate certificate scheme and the general implementation of the certification framework.

Stakeholder Cybersecurity Certification Group

Following the entry into force of the Cybersecurity Act in 2019, the Stakeholder Cybersecurity Certification Group (SCCG) was established. 

The SCCG is responsible for advising the Commission and ENISA on strategic issues regarding cybersecurity certification, and assisting the Commission in the preparation of the Union rolling work programme. This is the first stakeholder expert group for cybersecurity certification launched by the European Commission.

Follow the work of the Group

Latest News

Related Content

Big Picture

Cybersecurity Policies

The European Union works on various fronts to promote cyber resilience, safeguarding our communication and data and keeping online society and economy secure.

Dig deeper

See Also

The EU Cyber Solidarity Act

The EU Cyber Solidarity Act will improve the preparedness, detection and response to cybersecurity incidents across the EU.

22 Cybersecurity projects selected to receive €10.9 million

Operators of Essential Services (OES), National Cybersecurity Certification Authorities (NCCAs) and National Competent Authorities (NCAs) for cybersecurity are among the selected applicants that will receive €11 million in funding by the Connecting Europe Facility cybersecurity...

The EU Cybersecurity Act

The Cybersecurity Act strengthens the EU Agency for cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services.