Several EU cybersecurity certification schemes are currently being developed under the Cybersecurity Act (CSA) for the certification of ICT products and services.
The EU Agency for Cybersecurity (ENISA) develops and maintains the CSA certification schemes. ENISA is supported in this endeavor by two advisory groups:
- The European Cybersecurity Certification Group (ECCG), in which the member states are represented. Formally, the ECCG’s role is to advise the European Commission in the field of cybersecurity and certification, but a certification scheme will never be formalised without broad support. The Dutch National Cybersecurity Certification Authority (NCCA) has an active role in this group.
- The Stakeholder Cybersecurity Certification Group (SCCG), an advisory group of the European Commission consisting of stakeholders from market-oriented organisations and European institutions.
ENISA hands over each developed certification scheme to the European Commission, which turns it into an official European scheme. Once published, the schemes are managed by ENISA in cooperation with the member states, which come together in the ECCG. Current
Union Rolling Work Programme
The CSA certification scheme development plans are laid out in the Union Rolling Work Programme (URWP). The URWP is a strategic document under the Cybersecurity Act that allows the industry, national authorities and standardisation bodies to prepare in advance for future European cybersecurity certification schemes.
The drafting of the URWP is a joint effort between the European Commission, the European Cybersecurity Certification Group (ECCG) and the Stakeholder Cybersecurity Certification Group (SCCG). The European Commission determines and prioritizes the development of the CSA certification schemes and, with the support of the ECCG and SCCG, these priorities are discussed and included in the URWP. The URWP is updated at least every 3 years.
In duly justified cases, the CSA authorizes the European Commission to decide on the development of certification schemes outside the URWP priorities.
The table below shows the URWP priorities for certification schemes and their current status, including the (upcoming) Common Criteria, Cloud Services and 5G certification schemes.
Table with URWP's priorities for EU certification schemes and their current status (updated 03-10-2023)
| Scheme | Certification Type | Operational from (indication) | Current status (see reference below table) |
|---|---|---|---|
| Common Criteria (EUCC) | Hardware products, product-related software | Q2 2024 | 5 |
| Cloud Services (EUCS) | Services in the whole stack | Q4 2024 | 2 |
| 5G (EU5G) | Components, component-related services, secure development | No indication yet | 2 |
| Industrial Automated Control Systems | Expected: products, product-related services | No indication yet | Development not started |
| IoT | Expected: products, product-related services | No indication yet | Development not started |
| Artificial Intelligence | Scope to be discussed | No indication yet | Development not started |
| Secure (Software) Development | Scope to be discussed | No indication yet | May be part of other schemes |
Current status reference:
1. The European Commission assigns ENISA to develop a scheme.
2. ENISA makes a public call for experts in the field and scope of the scheme and asks Member States to join the development in the role of observer.
3. ENISA delivers a final draft to the European Commission.
4. The ECCG advises the European Commission on the final draft of the scheme.
5. The European Commission transforms the final draft into an Implementing Act and follows the formal EU legislative procedures.
6. The European Commission publishes the Implementing Act, and the scheme is put into force.