Cybersecurity Act (CSA)
AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.
Summary
Regulation (EU) 2019/881 (the Cybersecurity Act) strengthens and makes permanent the mandate of the EU Agency for Cybersecurity (ENISA) and establishes an EU-wide framework for cybersecurity certification of ICT products, services and processes. It provides for European cybersecurity certification schemes to increase trust and security in the internal market and to reduce fragmentation from divergent national certification approaches.
Who is affected?
ENISA, the European Commission and national cybersecurity certification authorities are responsible for developing, adopting and supervising EU cybersecurity certification schemes. Manufacturers, providers and operators placing ICT products, services or processes on the EU market may seek certification under European schemes, and users/procurers benefit from harmonised assurance levels.
Scope
Applies across the EU to ENISA’s tasks and governance and to the establishment and operation of a European cybersecurity certification framework for ICT products, services and processes.
Key Points
- Makes ENISA’s mandate permanent and expands its role in supporting Member States, EU institutions and the internal market on cybersecurity.
- Creates a European cybersecurity certification framework for ICT products, services and processes.
- Provides for European cybersecurity certification schemes with defined assurance levels (basic, substantial, high).
- Sets rules on the preparation, adoption, supervision and mutual recognition of certificates issued under European schemes.
- Establishes governance structures including the European Cybersecurity Certification Group and stakeholder consultation mechanisms.
Frequently Asked Questions
Who must comply with the Cybersecurity Act (CSA)?
Manufacturers, providers, and operators who place ICT products, services, or processes on the EU market may seek certification under the European cybersecurity certification schemes established by the CSA. National cybersecurity certification authorities, ENISA, and the European Commission also have specific roles and obligations under the Act.
What is the main purpose of the Cybersecurity Act?
The CSA aims to strengthen cybersecurity in the EU by making ENISA’s mandate permanent and establishing a unified European cybersecurity certification framework for ICT products, services, and processes. This reduces market fragmentation caused by differing national certification schemes and increases trust in digital products and services.
What does the European cybersecurity certification framework cover?
The framework covers the preparation, adoption, and supervision of EU-wide cybersecurity certification schemes for ICT products, services, and processes. It sets out assurance levels and rules for mutual recognition of certificates across Member States.
What are the assurance levels defined under the CSA?
The CSA defines three assurance levels for certification: basic, substantial, and high. These levels indicate the degree of confidence in the cybersecurity properties of a certified product, service, or process.
What are the key obligations for manufacturers and service providers under the CSA?
Manufacturers and providers seeking certification must ensure their ICT products, services, or processes meet the requirements of the relevant European cybersecurity certification scheme. They must also cooperate with certification authorities and maintain compliance throughout the validity of the certificate.
What penalties or consequences exist for non-compliance?
While the CSA itself does not specify penalties, Member States are required to establish rules on penalties for infringements, which may include fines or withdrawal of certificates. Non-compliance can also result in reputational damage and loss of market access for uncertified products.
How does the CSA interact with other EU cybersecurity laws?
The CSA complements existing EU cybersecurity legislation, such as the NIS Directive, by focusing specifically on certification and ENISA’s role. It does not replace sector-specific security requirements but provides a harmonised approach to certification.
What practical steps should companies take to comply with the CSA?
Companies should identify relevant certification schemes for their ICT products or services, assess their compliance with scheme requirements, and apply for certification through accredited bodies. Ongoing monitoring and cooperation with authorities are also necessary to maintain certification.
Who oversees the implementation of the certification framework?
ENISA, the European Commission, and national cybersecurity certification authorities are responsible for developing, adopting, and supervising the implementation of European cybersecurity certification schemes.
When did the Cybersecurity Act enter into force?
The Cybersecurity Act (Regulation (EU) 2019/881) entered into force on 27 June 2019 and is directly applicable in all EU Member States.
Key Terms
- ENISA: The European Union Agency for Cybersecurity, responsible for supporting Member States, EU institutions, and stakeholders on cybersecurity matters and for assisting in the development and implementation of EU cybersecurity certification schemes.
- European Cybersecurity Certification Framework: A set of rules and procedures established by the CSA for the creation, adoption, and supervision of EU-wide cybersecurity certification schemes for ICT products, services, and processes.
- Cybersecurity Certification Scheme: A specific set of requirements, procedures, and assurance levels for certifying the cybersecurity properties of ICT products, services, or processes under the EU framework.
- Assurance Level: A classification (basic, substantial, or high) that indicates the degree of confidence in the cybersecurity properties of a certified ICT product, service, or process.
- National Cybersecurity Certification Authority: A designated authority in each Member State responsible for supervising and enforcing the application of European cybersecurity certification schemes at the national level.
- European Cybersecurity Certification Group (ECCG): A governance body established by the CSA to facilitate cooperation and coordination among national certification authorities and to advise the European Commission and ENISA.
- Mutual Recognition: A principle under the CSA whereby certificates issued under European cybersecurity certification schemes are recognised across all EU Member States.
- Stakeholder Consultation Mechanism: Processes established under the CSA to involve industry, consumer groups, and other stakeholders in the development and review of cybersecurity certification schemes.
- ICT Products, Services, and Processes: Information and Communication Technology goods, digital services, and operational processes that may be subject to certification under the CSA.
- Certificate Withdrawal: The process by which a cybersecurity certificate is revoked or invalidated due to non-compliance or other grounds specified in the relevant certification scheme.