The Cybersecurity Act (Regulation (EU) 2019/881) is a European regulation that introduces a harmonised EU-wide framework for the cybersecurity certification of ICT products, services and processes.
The main objective of the Cybersecurity Act (CSA) is to improve protection against threats to cybersecurity within the EU. The CSA also enables manufacturers and service providers to use one mutually recognised certificate throughout the EU.
Over the years, many EU member states have adopted national cybersecurity certification regulations. Divergence between the standards of different member states, and the lack of mutual recognition between them, risked disrupting the free flow of ICT products and services within the EU. Once a European certification scheme is adopted under the CSA, it replaces the existing national schemes that cover the same scope.
The development plans for certification schemes are laid out in the Union Rolling Work Programme (URWP). Although the CSA framework allows for the certification of ICT products, services and processes, there are currently no planned certification schemes for processes.
The CSA requires every EU member state to designate at least one National Cybersecurity Certification Authority (NCCA). In the Netherlands, the role of NCCA is fulfilled by the Dutch Authority for Digital Infrastructure, which is part of the Ministry of Economic Affairs.
Mandatory vs voluntary certification
EU cybersecurity certification is voluntary unless otherwise specified in other EU law or national law. Several recent pieces of EU legislation and legislative proposals, such as the NIS2 Directive, the Artificial Intelligence Act and the Cyber Resilience Act, empower the European Commission to specify where EU cybersecurity certification will be required under those acts.
Mandatory certification will come in different forms. EU cybersecurity certification may become a condition for EU market entry for certain products and services, or for specific sectors. In other cases, a certificate may serve as a 'presumption of compliance' with the cybersecurity requirements of a specific regulation, so that a certified product does not have to demonstrate compliance with those requirements separately.
CSA assurance levels
The CSA defines three assurance levels at which ICT products, services and processes can be certified: basic, substantial and high.
In essence, each assurance level defines how resilient a product or service has to be against attackers with a given level of skill and resources. In the regulation's own terms, 'basic' aims to minimise the known basic risks of incidents and cyberattacks, 'substantial' aims to minimise known risks and the risk of attacks by actors with limited skills and resources, and 'high' aims to minimise the risk of state-of-the-art attacks by actors with significant skills and resources. The level also determines how rigorous the evaluation is: for 'high', the CSA requires that the evaluation include at least an assessment of resistance to skilled attackers by means of penetration testing, whereas 'basic' may in some schemes be based on the manufacturer's own conformity self-assessment.
The precise security requirements and evaluation methods for each assurance level are worked out separately in every CSA certification scheme, because they have to be tailored to the products and services that scheme covers.