
The EU cybersecurity certification framework

The EU cybersecurity certification framework for ICT products enables the creation of tailored and risk-based EU certification schemes.


Certification plays a crucial role in increasing trust and security in important products and services for the digital world. At the moment, a number of different security certification schemes for ICT products exist in the EU. But, without a common framework for EU-wide valid cybersecurity certificates, there is an increasing risk of fragmentation and barriers between Member States.

The certification framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. The framework will be based on agreement at EU level on the evaluation of the security properties of a specific ICT-based product or service. It will attest that ICT products and services that have been certified in accordance with such a scheme comply with specified requirements.

In particular, each European scheme should specify:

  • the categories of products and services covered;
  • the cybersecurity requirements, such as standards or technical specifications;
  • the type of evaluation, such as self-assessment or third party;
  • the intended level of assurance.

The assurance levels are used to inform users of the cybersecurity risk of a product, and can be basic, substantial, and/or high. They are commensurate with the level of risk associated with the intended use of the product, service or process, in terms of probability and impact of an accident. A high assurance level would mean that the certified product passed the highest security tests.

The resulting certificate will be recognised in all EU Member States, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service.

As for the implementation of the certification framework, Member State authorities, gathered in the European Cybersecurity Certification Group (ECCG), have already met several times.

Stakeholder Cybersecurity Certification Group

Following the entry into force of the Cybersecurity Act in 2019, the European Commission launched a call for applications to select members of the Stakeholder Cybersecurity Certification Group (SCCG).

The SCCG will be responsible for advising the Commission and ENISA on strategic issues regarding cybersecurity certification, and assisting the Commission in the preparation of the Union rolling work programme. This is the first stakeholder expert group for cybersecurity certification launched by the European Commission.


Latest

PRESS RELEASE
The European Cybersecurity Competence Centre and Network is now ready to take off

The regulation establishing a new Cybersecurity Competence Centre and a Network of National Coordination Centres has entered into force this week. The Cybersecurity Competence Centre, which will be located in Bucharest, will contribute to strengthening European cybersecurity capacities and to boosting research excellence and the competitiveness of the Union's industry in the cybersecurity field.

PRESS RELEASE
EU Cybersecurity: Commission proposes a Joint Cyber Unit to step up response to large-scale security incidents

The Commission has laid out a vision to build a new Joint Cyber Unit to tackle the rising number of serious cyber incidents impacting public services, as well as the life of businesses and citizens across the European Union. Advanced and coordinated responses in the field of cybersecurity have become increasingly necessary, as cyberattacks grow in number, scale and consequences, impacting heavily our security. All relevant actors in the EU need to be prepared to respond collectively and exchange relevant information on a ‘need to share’, rather than only ‘need to know’, basis.

PRESS RELEASE
Commission to invest €14.7 billion from Horizon Europe for a healthier, greener and more digital Europe

The Commission has adopted the main work programme of Horizon Europe for the period 2021-2022, which outlines the objectives and specific topic areas that will receive a total of €14.7 billion in funding. These investments will help accelerate the green and digital transitions and will contribute to sustainable recovery from the coronavirus pandemic and to EU resilience against future crises. They will support European researchers through fellowships, training and exchanges, build more connected and efficient European innovation ecosystems and create world-class research infrastructures.

PRESS RELEASE
Security Union: EU rules on removing terrorist content online enter into force

Landmark EU rules on addressing the dissemination of terrorist content online entered into force this week. Platforms will have to remove terrorist content referred by Member States' authorities within 1 hour. The rules will also help to counter the spread of extremist ideologies online - a vital part of preventing attacks and addressing radicalisation.

Related Content

Big Picture

Cybersecurity Policies

The European Union works on various fronts to promote cyber resilience, safeguarding our communication and data and keeping online society and economy secure.

See Also

European Cybersecurity Competence Centre and Network

The European Cybersecurity Competence Centre (ECCC) aims to increase Europe’s cybersecurity capacities and competitiveness, working together with a Network of National Coordination Centres (NCCs) to build a strong cybersecurity Community.

The EU Cybersecurity Act

The Cybersecurity Act strengthens the EU Agency for cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services.

NIS Directive

The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.