On June 27, 2019, Regulation (EU) 2019/881, known as the Cybersecurity Act, entered into force. It’s one of the foundations of European cybersecurity policy - a regulation that was meant to create a common language for security certification of ICT products, services, and processes across the European Union.
More than six years after it entered into force, it's worth summarizing what the Cybersecurity Act actually changed, which certification schemes have been created, and what we can expect in the future.
What is the Cybersecurity Act and what were its goals?
The Cybersecurity Act is a regulation with a dual character. First, it strengthened the mandate of ENISA - the European Union Agency for Cybersecurity. Second, it established a framework for European cybersecurity certification schemes.
Strengthening ENISA
ENISA has existed since 2004, but the Cybersecurity Act gave it a permanent mandate and significantly expanded its competencies. The agency received:
- A permanent mandate (previously renewed periodically)
- Larger budget and resources
- Coordinator role in preparing certification schemes
- Tasks supporting member states and EU institutions
- Functions related to incident response
European certification framework
The main innovation of the Cybersecurity Act was creating a framework for European cybersecurity certification schemes. Before 2019, certification was fragmented - each member state had its own schemes that were not automatically recognized in other countries.
The Cybersecurity Act introduced:
- Unified framework for creating certification schemes
- Three assurance levels (basic, substantial, high)
- Mutual recognition of certificates throughout the EU
- ENISA’s role as coordinator
- Rules for accreditation of conformity assessment bodies
What certification schemes have been created?
Since 2019, three main certification schemes have been created or are in progress.
EUCC - Common Criteria, European style
EUCC (European Cybersecurity Certification Scheme on Common Criteria) is the first scheme adopted under the Cybersecurity Act. It was published in January 2024.
What EUCC certifies:
- ICT products (hardware, software, components)
- Technical product safeguards
- Conformity with Common Criteria requirements (ISO/IEC 15408)
Assurance levels:
- Substantial - corresponds to the Common Criteria vulnerability assessment components AVA_VAN.1-2
- High - corresponds to the Common Criteria vulnerability assessment components AVA_VAN.3-5
EUCC significance: EUCC harmonizes existing national Common Criteria schemes. Previously, a certificate issued in Germany (BSI) required additional validation in France (ANSSI). Now an EUCC certificate is valid throughout the EU.
EUCS - Cloud services certification
EUCS (European Cybersecurity Certification Scheme for Cloud Services) is a scheme dedicated to cloud services. Work on it has been ongoing for years, and finalization is expected in 2026.
What EUCS certifies:
- IaaS, PaaS, SaaS services
- Cloud provider infrastructure and processes
- Data and operations security
Controversies around EUCS: EUCS sparked debate about “digital sovereignty.” Early proposals required that for the highest assurance level, the provider must be headquartered in the EU and not subject to foreign jurisdictions. This met with criticism from American big tech and some member states. The final shape of the scheme is still being negotiated.
EU5G - 5G infrastructure certification
EU5G is a certification scheme for 5G network components. Work on it continues in the context of concerns about telecommunications infrastructure security.
EU5G scope:
- Base stations
- Core network equipment
- Management software
Political context: EU5G is closely linked to the debate about “high-risk vendors” in 5G networks. It’s meant to help verify equipment security regardless of origin.
How does the certification process work under the Cybersecurity Act?
The certification process under the Cybersecurity Act includes several stages and engages various entities.
Entities involved in the process
ENISA:
- Prepares candidate certification schemes
- Coordinates working group activities
- Maintains register of certified products and services
European Commission:
- Adopts schemes in the form of implementing acts
- Determines certification policy
National cybersecurity certification authorities:
- Oversee certification at national level
- Accredit conformity assessment bodies
- Conduct market surveillance
Conformity Assessment Bodies (CABs):
- Conduct product, service, process assessment
- Issue certificates (for substantial and high levels)
- Must be accredited by national authority
Applicants:
- Manufacturers, service providers
- Submit certification applications
- Bear certification costs
Step-by-step certification process
1. Scheme and level selection
   - Applicant determines which scheme applies (e.g., EUCC)
   - Chooses assurance level (basic, substantial, high)
2. For basic level:
   - Self-assessment of conformity by applicant
   - EU declaration of conformity
   - No mandatory third-party involvement
3. For substantial and high levels:
   - Assessment by accredited body (CAB)
   - Technical tests, documentation review
   - Certificate issued by CAB or national authority
4. Certificate registration:
   - Entry in national register
   - Entry in ENISA European database
5. Surveillance and renewal:
   - Certificate valid for specified time (typically 3-5 years)
   - Surveillance by national authority
   - Renewal before expiration
What has been achieved in six years?
The balance sheet of the Cybersecurity Act after more than six years is mixed.
Successes
Unified framework: The Cybersecurity Act created a coherent framework for certification across the EU. This is the foundation on which specific schemes are built.
ENISA strengthening: The agency significantly developed its competencies and resources. It’s now a key player in the European cybersecurity ecosystem.
EUCC operational: The first scheme (EUCC) has been adopted and is being applied. This proves the system works.
Raised awareness: The debate around the Cybersecurity Act and certification schemes raised awareness of certification importance among manufacturers and buyers.
Challenges and shortcomings
Slow pace: From entry into force in 2019 to adoption of the first scheme (EUCC), nearly five years passed. That is decidedly too slow for a fast-moving technology landscape.
Controversies around EUCS: The debate about digital sovereignty and localization requirements delays adoption of the cloud scheme - an area critical for the modern economy.
Voluntary nature: Certification under the Cybersecurity Act is generally voluntary. Without mandatory requirements, adoption may be slow.
Complexity: The certification process is complex and costly, especially for SMEs. This may limit certification accessibility.
Competition from other standards: International standards (ISO 27001, SOC 2) are more recognizable and required by global clients.
How does the Cybersecurity Act connect with other regulations?
The Cybersecurity Act doesn’t operate in isolation - it’s part of a broader cybersecurity regulation ecosystem.
Cybersecurity Act and NIS2
NIS2 requires essential and important entities to apply “appropriate” security measures. Certification under the Cybersecurity Act may be one way to demonstrate compliance.
Article 24 of NIS2 provides that the Commission may in future require certain entities to use certified products or services.
Cybersecurity Act and CRA
The Cyber Resilience Act will require digital product manufacturers to demonstrate compliance with security requirements. Certification schemes under the Cybersecurity Act may be used for this purpose.
For Class I and II products, certification by a notified body (which may use Cybersecurity Act schemes) will be mandatory.
Cybersecurity Act and DORA
DORA requires financial institutions to manage ICT risk, including supplier risk. Supplier certification under the Cybersecurity Act may facilitate their security assessment.
Cybersecurity Act and public procurement
Public procurement directives allow contracting authorities to require security certification. Cybersecurity Act schemes provide unified, European certificates that may be required.
What are the future perspectives?
Looking to the future, we can expect several trends.
EUCS finalization
The cloud services certification scheme should be finalized in 2026. Regardless of final shape (with or without localization requirements), this will be an important milestone.
Development of new schemes
New certification schemes are planned:
- Scheme for managed security services (MSSP)
- Scheme for IoT devices (linked to CRA)
- Sectoral schemes (e.g., for healthcare sector)
Link to CRA
The entry into force of the Cyber Resilience Act will significantly increase demand for product certification. Cybersecurity Act schemes will be a key mechanism for demonstrating compliance.
Mandatory certification
The European Commission may introduce mandatory certification requirements for selected product or service categories. This will increase the significance of Cybersecurity Act schemes.
International mutual recognition
The EU is conducting talks with partners (USA, Japan, Korea) about mutual certificate recognition. This may increase the attractiveness of European certification for global suppliers.
What does this mean for organizations?
Organizations should consider the Cybersecurity Act in their strategies.
For manufacturers and suppliers
Consider certification: EUCC certification or future EUCS certification may be a competitive advantage, especially when selling to public and regulated sectors.
Follow CRA development: If you produce digital products, CRA combined with Cybersecurity Act schemes will define your certification obligations.
Prepare for mandatory certification: In some sectors (critical infrastructure, finance), certification may become mandatory.
For buyers
Require certification: In procurement and tenders, consider requiring Cybersecurity Act certification as a security criterion.
Verify certificates: Check certificate authenticity in ENISA and national registers.
Include in supplier risk management: Certification is one element of supplier security assessment required by NIS2 and DORA.
For assessment bodies
Obtain accreditation: If you operate in security assessment, consider accreditation as a conformity assessment body for Cybersecurity Act schemes.
Build competencies: Schemes like EUCC require specialized competencies (Common Criteria, penetration tests). Invest in team development.
Practical aspects of EUCC certification
For organizations considering EUCC certification, here’s practical information.
Certification costs
EUCC certification costs depend on:
- Product complexity
- Assurance level (substantial vs high)
- Chosen assessment body
- Certification scope
Approximate costs:
| Level | Simple product | Complex product |
|---|---|---|
| Substantial | EUR 20-50k | EUR 50-150k |
| High | EUR 50-100k | EUR 150-500k |
Certification time: from several months to over a year for complex products at high level.
Choosing an assessment body
When choosing a body, consider:
- Experience in your product category
- Waiting time to start assessment
- Costs
- Location and availability
Preparing for certification
Before submitting a certification application:
1. Define scope:
   - Which security features will be certified?
   - What assurance level is needed?
2. Prepare documentation:
   - Security Target specification
   - Design documentation
   - Test documentation
3. Conduct internal tests:
   - Functional tests
   - Preliminary vulnerability tests
   - Documentation verification
4. Contact the body:
   - Initial consultation
   - Scope and schedule agreement
   - Price offer
Summary - certification as part of security strategy
The Cybersecurity Act created the foundation for a European cybersecurity certification system. After over six years, we have the first working schemes, with more on the way.
Key conclusions
Certification is gaining importance: As CRA introduces mandatory requirements, and NIS2 and DORA force supplier risk management, certification will become necessary for many organizations.
The European system is crystallizing: Despite initial delays, certification schemes are being created and starting to be applied.
Digital sovereignty remains controversial: The debate about localization requirements in EUCS shows tensions between security, sovereignty, and business interests.
Voluntary is becoming mandatory: The regulatory trend is toward mandatory certification for an increasing number of products and services.
What to do now
| Action | For whom | Priority |
|---|---|---|
| Monitor scheme development | Everyone | Medium |
| Consider EUCC certification | ICT product manufacturers | High |
| Include certification in tenders | Buyers | Medium |
| Prepare for CRA | Digital product manufacturers | High |
| Build assessment competencies | Security laboratories | High |
The Cybersecurity Act is not just a regulation - it’s a vision of a European market where security is verifiable, comparable, and trustworthy. Realizing this vision will take more years, but the direction is clear.
Need support in preparing for certification or choosing certified solutions? Contact us - we’ll help assess options and plan the path to compliance.