AI-generated content: Responses are generated by AI, automatically assembled and may contain errors. Conformi is a research tool and does not replace legal advice or case-by-case legal review. All responses should be verified using the linked original sources.


Cybersecurity Act — ENISA and European Cybersecurity Certification Framework

Analysis from 7 June 2026 · 0 sources · Consolidated version of 04.02.2025, incorporating Regulation (EU) 2025/37 · EUR-Lex Original

Do our ICT products or managed security services need a European cybersecurity certificate before we can sell them across the EU?

Cybersecurity certification under the Cybersecurity Act is currently voluntary unless Union or Member State law mandates it [Art. 56(2)], but the Commission is actively assessing which ICT products, services, processes, and — since 4 February 2025 — managed security services should become subject to mandatory certification [Art. 56(3), as amended by Regulation (EU) 2025/37].

Short Answer

The Cybersecurity Act (Regulation (EU) 2019/881) establishes ENISA as the EU's permanent cybersecurity agency and creates a pan-EU certification framework for ICT products, services, and processes [Art. 1]. Regulation (EU) 2025/37 extended the framework to managed security services such as incident handling, penetration testing, and security consulting [Art. 2(14a), as inserted by Reg. 2025/37]. Certificates issued under a European cybersecurity certification scheme are recognised in all Member States, eliminating the need for separate national certifications [Art. 56(10)]. The Commission periodically assesses whether voluntary schemes should become mandatory, prioritising sectors listed in the NIS Directive [Art. 56(3)].

Who is affected

Any manufacturer or provider placing ICT products, ICT services, ICT processes, or managed security services on the EU internal market. Managed security service providers — including firms offering incident handling, penetration testing, security audits, or consulting with technical support — are explicitly covered since 4 February 2025 [Art. 2(14a), Reg. 2025/37]. Conformity assessment bodies seeking accreditation must meet the requirements in the Annex [Art. 60(1)]. National cybersecurity certification authorities designated by each Member State supervise the framework [Art. 58].

Deadline

The Regulation is fully applicable. Key milestones already passed: Articles 58, 60, 61, 63, 64, and 65 (national authorities, conformity assessment bodies, penalties) apply since 28 June 2021 [Art. 69(2)]. The managed security services extension entered into force on 4 February 2025 [Reg. 2025/37]. The Commission evaluates ENISA and the certification framework every five years — next evaluation due by 28 June 2029 [Art. 67(1)]. No upcoming staggered deadline; the ongoing obligation is to comply with any adopted European cybersecurity certification scheme and to monitor the Commission's assessments of mandatory certification [Art. 56(3)].

Risk

Penalties for infringements of Title III (certification framework) and European cybersecurity certification schemes are laid down by Member States and must be effective, proportionate, and dissuasive [Art. 65]. The Regulation does not set a Union-wide maximum fine; the severity depends on national transposition. Non-compliance can lead to withdrawal of European cybersecurity certificates [Art. 58(8)(e)], suspension of conformity assessment body accreditation [Art. 60(4)], and immediate cessation orders [Art. 58(8)(f)]. Reputational risk is significant: certificates are publicly listed on ENISA's dedicated website, and withdrawals are visible [Art. 50].

Proof

Legal status

  • In force
  • as of 2026-06-07
  • Consolidated version of 04.02.2025, incorporating Regulation (EU) 2025/37

What to do now

Legal / DPO

• Verify whether any adopted European cybersecurity certification scheme covers your ICT products, services, processes, or managed security services, and whether Union or Member State law has made certification mandatory for your category [Art. 56(2)-(3)].
• Review contracts with conformity assessment bodies to ensure they are accredited under Regulation (EC) No 765/2008 and, where applicable, authorised by the national cybersecurity certification authority for scheme-specific requirements [Art. 60(1), (3)].
• Establish an internal process for notifying the certifying authority or conformity assessment body of any subsequently detected vulnerabilities or irregularities in certified products or services [Art. 56(8)].

Compliance

• Map your portfolio against the Union rolling work programme and existing European cybersecurity certification schemes to anticipate mandatory certification requirements [Art. 47, Art. 56(3)].
• Where conformity self-assessment is permitted (assurance level 'basic'), ensure the EU statement of conformity is submitted to the national cybersecurity certification authority and to ENISA, with full technical documentation retained for the period specified in the scheme [Art. 53(1)-(3)].
• Monitor the Commission's periodic assessments of whether voluntary certification should become mandatory, particularly for sectors listed in Annex II of the NIS Directive [Art. 56(3)].

IT / Security

• Ensure ICT products, services, and processes meet the security objectives in Art. 51 — including data protection, access control, vulnerability documentation, logging, secure-by-default design, and timely restoration after incidents [Art. 51(a)-(j)].
• For managed security services, implement the specific objectives introduced by Regulation (EU) 2025/37: staff competence, continuous service quality, data protection during service provision, and secure-by-design tooling [Art. 51a(a)-(g)].
• Publish supplementary cybersecurity information for certified products — secure configuration guidance, security support periods, vulnerability contact details, and links to vulnerability repositories [Art. 55(1)].

Product / Engineering

• Design ICT products, services, and processes to be secure by default and by design, with mechanisms for secure updates and no publicly known vulnerabilities at release — these are explicit certification objectives [Art. 51(i)-(j)].
• Determine the appropriate assurance level ('basic', 'substantial', or 'high') for each product line based on the risk profile of its intended use, and prepare for the corresponding evaluation depth [Art. 52(1), (5)-(7)].
• Maintain publicly available supplementary cybersecurity information in electronic form for the entire validity period of any European cybersecurity certificate or EU statement of conformity [Art. 55(1)-(2)].


Key Terms

ENISA
The European Union Agency for Cybersecurity, established on a permanent basis by Regulation (EU) 2019/881, headquartered in Athens. Acts as the EU's reference point for cybersecurity advice and expertise [Art. 3-4].
European cybersecurity certification scheme
A comprehensive set of rules, technical requirements, standards, and procedures established at Union level for the certification or conformity assessment of specific ICT products, ICT services, ICT processes, or managed security services [Art. 2(9)].
Managed security service
A service provided to a third party consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, such as incident handling, penetration testing, security audits, and consulting including expert advice related to technical support [Art. 2(14a), inserted by Reg. 2025/37].
Assurance level
A basis for confidence that an ICT product, service, process, or managed security service meets the security requirements of a specific European cybersecurity certification scheme — specified as 'basic', 'substantial', or 'high' [Art. 2(21), Art. 52].
Conformity self-assessment
An action carried out by a manufacturer or provider evaluating whether their ICT products, services, processes, or managed security services meet the requirements of a specific European cybersecurity certification scheme, permitted only at assurance level 'basic' [Art. 2(22), Art. 53(1)].
European cybersecurity certificate
A document issued by a relevant body attesting that a given ICT product, service, process, or managed security service has been evaluated for compliance with the security requirements laid down in a European cybersecurity certification scheme [Art. 2(11)].
National cybersecurity certification authority
One or more authorities designated by each Member State to supervise the cybersecurity certification framework, enforce compliance, handle complaints, and — where applicable — issue certificates at assurance level 'high' [Art. 58].
ECCG (European Cybersecurity Certification Group)
A group composed of representatives of national cybersecurity certification authorities, chaired by the Commission, which advises on certification policy, assists ENISA in scheme preparation, and facilitates cooperation between Member States [Art. 62].

Frequently Asked Questions

Is cybersecurity certification mandatory under the Cybersecurity Act?
Certification is voluntary unless Union or Member State law specifically requires it [Art. 56(2)]. However, the Commission regularly assesses whether particular ICT products, services, processes, or managed security services should be subject to mandatory certification [Art. 56(3)].
What changed with Regulation (EU) 2025/37?
Regulation (EU) 2025/37, in force since 4 February 2025, extended the European cybersecurity certification framework to cover managed security services — defined as services provided to third parties consisting of activities relating to cybersecurity risk management, such as incident handling, penetration testing, security audits, and consulting [Art. 2(14a)]. It also introduced separate security objectives for these services [Art. 51a].
What are the three assurance levels?
'Basic' (minimises known basic risks; evaluation is a review of technical documentation), 'substantial' (minimises known cybersecurity risks and the risk of attacks by actors with limited skills and resources; testing is required), and 'high' (minimises the risk of state-of-the-art cyberattacks by actors with significant skills and resources; evaluation includes penetration testing) [Art. 52(5)-(7)].
Can a manufacturer self-certify?
Yes, conformity self-assessment is allowed for ICT products, services, processes, or managed security services that present a low risk corresponding to assurance level 'basic', provided the relevant European cybersecurity certification scheme permits it [Art. 53(1)]. The manufacturer or provider issues an EU statement of conformity and assumes full responsibility [Art. 53(2)].
Are European cybersecurity certificates valid across all EU Member States?
Yes, a European cybersecurity certificate issued under a scheme adopted pursuant to Art. 49 is recognised in all Member States [Art. 56(10)]. EU statements of conformity are likewise recognised across the EU [Art. 53(5)].
What role does ENISA play in the certification framework?
ENISA prepares candidate certification schemes upon request from the Commission or the European Cybersecurity Certification Group (ECCG) [Art. 49(1)-(2)], evaluates adopted schemes every five years [Art. 49(8)], maintains a website with certificate information [Art. 50], and provides the secretariat for the Stakeholder Cybersecurity Certification Group [Art. 22(4)].
What happens to existing national cybersecurity certification schemes?
National schemes covering the same ICT products, services, processes, or managed security services as a European scheme cease to produce effects from the date set in the implementing act [Art. 57(1)]. Member States may not introduce new national schemes for categories already covered by a European scheme [Art. 57(2)]. Existing national certificates remain valid until their expiry date [Art. 57(3)].