Scheme development plans

Several EU cybersecurity certification schemes are currently being developed under the Cybersecurity Act (CSA) for the certification of ICT products and services. 

The EU Agency for Cybersecurity (ENISA) develops and maintains the CSA certification schemes. ENISA is supported in this endeavor by two advisory groups:

  • The European Cybersecurity Certification Group (ECCG), in which the member states are represented. Formally, the ECCG’s role is to advise the European Commission in the field of cybersecurity and certification, but a certification scheme will never be formalised without broad support. The Dutch National Cybersecurity Certification Authority (NCCA) has an active role in this group.
  • The Stakeholder Cybersecurity Certification Group (SCCG), an advisory group of the European Commission consisting of stakeholders from market-oriented organisations and European institutions.

ENISA hands over each developed certification scheme to the European Commission, which turns it into an official European scheme. Once published, the schemes are managed by ENISA in cooperation with the member states, which come together in the ECCG. Current 

Union Rolling Work Programme

The CSA certification scheme development plans are laid out in the Union Rolling Work programme (URWP). The URWP is a strategic document under the Cybersecurity Act that allows the industry, national authorities and standardisation bodies to prepare in advance for future European cybersecurity certification schemes.

The drafting of the URWP is a joint effort between the European Commission, the European Cybersecurity Certification Group (ECCG) and the Stakeholder Cybersecurity Certification Group (SCCG). The European Commission determines and prioritizes the development of the CSA certification schemes and, with the support of the ECCG and SCCG, these priorities are discussed and included in the URWP. The URWP is updated at least every 3 years.

In duly justified cases the CSA authorizes the EC to decide on the development of certification scheme(s) outside the URWP priorities.

The table below shows the URWP priorities for certification schemes and their current status, including the (upcoming) Common Criteria, Cloud Services and 5G certification schemes.

Table with URWP's priorities for EU certification schemes and their current status (updated 03-10-2023)

Table with URWP's priorities for EU certification schemes and their current status (updated 03-10-2023)
Certification TypeOperational from (indication)Current status (see reference below table)
Common Criteria (EUCC)Hardware products, product-related softwareQ2 20245
Cloud Services (EUCS)Services in the whole stackQ4 20242
5G (EU5G)Components, component-related services, secure developmentNo indication yet2
Industrial Automated Control SystemsExpected: products, product-related servicesNo indication yetDevelopment not started
IoTExpected: products, Product-related servicesNo indication yetDevelopment not started
Artificial IntelligenceScope to be discussedNo indication yetDevelopment not started
Secure (Software) DevelopmentScope to be discussedNo indication yetMay be part of other schemes

Current status reference:

  1. The European Commission assigns ENISA to develop a scheme.
  2. ENISA makes a public call for experts in the field and scope of the scheme and asks Member States to join the development in the role of observer.
  3. ENISA delivers a final draft to the European Commission.
  4. The ECCG advises the European Commission  on the final draft of the scheme.
  5. The European Commission transforms the final draft in an Implementing Act and follows the formal EU legislative procedures.
  6. The European Commission publishes the Implementing Act, and the scheme is put into force.
Source table as .csv (732 bytes)