Cybersecurity Act

The Cybersecurity Act is a key EU instrument for the promotion of cybersecurity, cyber resilience and trust within the Union. The Cybersecurity Act strengthened the EU Agency for Cybersecurity (“ENISA”) by giving it a permanent mandate, more resources and new tasks. The Act also established the European cybersecurity certification framework, which is managed and overseen by ENISA.

What does this mean?

  • ENISA was founded in 2004 to ensure a high and effective level of network and information security within the EU. The Cybersecurity Act reinforced ENISA’s role as the EU center of expertise on cybersecurity and assigned ENISA the tasks described in the Act. Among other tasks, ENISA provides independent technical advice and assistance to EU Member States and bodies on cybersecurity, develops and implements EU cybersecurity policy and law, and engages in cybersecurity capacity-building, certification and standardization activities.
  • The European cybersecurity certification framework is a new mechanism to establish European cybersecurity certification schemes intended to attest that ICT products, ICT services and ICT processes evaluated in accordance with such schemes comply with specified security requirements. Recourse to certification is voluntary, unless otherwise provided for in Union or EU Member State law.
  • The European Commission may request ENISA to prepare a candidate cybersecurity certification scheme. Based on ENISA’s candidate scheme, the European Commission adopts an implementing act providing for the respective cybersecurity certification scheme.
    • In 2023, ENISA facilitated the adoption of the first European cybersecurity certification scheme, the Common Criteria-based Cybersecurity Certification Scheme (“EUCC”), dedicated to certifying ICT products such as hardware and software products and components (e.g., chips and smart cards). The European Commission adopted an implementing act for the EUCC on 31 January 2024.
    • ENISA is also in the process of developing candidate certification schemes covering the cybersecurity of cloud services, 5G and digital identity services. ENISA offers stakeholders several ways to participate in the creation of the candidate schemes, including public consultations and ad-hoc working groups.
  • Following the establishment of a European cybersecurity certification scheme, national cybersecurity certification schemes or procedures for ICT products, ICT services or ICT processes covered by the European scheme should cease to be effective from a date established by the European Commission in its implementing act.
    • National cybersecurity certification schemes or procedures for ICT products covered by the EUCC ceased to be effective in February 2025.

Who?

  • Manufacturers and providers of ICT products, ICT services and ICT processes should consider the cybersecurity certification and related advantages, such as benefits in marketing and competitive advantage.

Timeline

  • The Cybersecurity Act entered into force on 27 June 2019.
  • On 18 April 2023, the European Commission proposed a targeted amendment to the Cybersecurity Act. This targeted amendment was adopted on 15 January 2025 and aims to enable the future adoption of European certification schemes for managed security services covering areas such as incident response, penetration testing, security audits and consultancy.
  • On 11 April 2025, the Commission launched a public consultation for input to evaluate and revise the Cybersecurity Act.
  • The EUCC entered into force on 27 February 2024 and its implementing act became fully applicable on 27 February 2025.

Last updated 15 January 2026.