EU Cybersecurity Act (CSA)
The Cybersecurity Act (EU CSA) establishes a framework on cybersecurity certification in the EU. Alongside the legal basis for ENISA, EU CSA also introduces several organizational structures in the EU that govern issues related to European cybersecurity certification.
EU CSA was adopted by the European Council in April 2019 and fully entered into force on June 28, 2021. An updated Cybersecurity Act 2, EU CSA 2, was published as a draft on January 20th, 2026 with several annexes that include proposed updates to the EU NIS2 directive and certification schemes.
The EU CSA
European Cybersecurity
EU CSA establishes the foundations for European cybersecurity efforts by providing the legal basis for ENISA and introducing a framework for European cybersecurity certification.
- ENISA: EU CSA assigns the European Union Agency for Cybersecurity (ENISA) the mandate for strategic and operational cooperation, certification and standardization, and education and knowledge transfer in the field of cybersecurity.
- Certification schemes: EU CSA introduces certification schemes for ICT products, services, and processes. Each certification scheme comes with evaluation criteria and methods, assurance levels, references to (inter-)national standards and more.
- Current developments: EUCC was the first European certification scheme to be adopted and targets ICT products. Further European cybersecurity certification schemes on cloud services (EUCS) and 5G networks (EU5G) are currently under development.
- Governance: EU CSA establishes National Cybersecurity Certification Authorities, Conformity Assessment Bodies, and the European Cybersecurity Certification Group to ensure reliable certificate issuance and to provide advice during the development of new certification schemes.
- Penalties: Under the EU CSA, penalties are adopted on national level and must be effective, proportionate, and dissuasive.
ENISA
European Union Agency for Cybersecurity
EU CSA assigned the European Union Agency for Cybersecurity (ENISA) the mandate to achieve a high common level of cybersecurity across the Union, to support member states and EU institutions, bodies, offices and agencies in improving cybersecurity, and to give advice on cybersecurity. Art. 3
As center of expertise on cybersecurity, ENISA’s role encompasses multiple objectives. The agency is tasked with assisting the development and implementation of European Union cybersecurity policies, promoting European cybersecurity certification, raising cybersecurity awareness, and supporting capacity-building and preparedness Art. 4.
Strategic and Operational Cooperation
ENISA assists in the development of Union policy and law by providing opinions, analyses, and preparatory work. The agency is tasked with providing advice and best practices, guidelines on risk management, incident reporting, and information sharing. In particular, ENISA’s role is to support and provide advice on: Art. 5
- development and implementation of EU electronic identity and trust service policies
- promotion of secure electronic communication
- implementation of data protection and privacy in member states
- publishing an annual report reviewing Union policy and reporting various incident notifications
ENISA is tasked with assisting cybersecurity capacity-building in the EU. Art. 6 (1)(a)
- preventing, detecting, analyzing, and responding to cyber threats and incidents
- establishing and implementing voluntary vulnerability disclosure policies
- developing national CSIRTs and NIS strategies
- organizing cybersecurity exercises at Union level
- and more
ENISA is also tasked with supporting operational cooperation among member states and cooperating with Union institutions such as CERT-EU, cybercrime services, and data protection authorities by exchanging know‑how, giving advice, issuing guidelines, and establishing practical arrangements for specific tasks Art. 7(1) Art. 7(2)
Especially in the event of large-scale cross-border incidents and cybersecurity crises, ENISA assists the European Union and its member states in developing a cooperative response by: Art. 7 (7)
- improving prevention, detection, and response capabilities
- giving threat‑specific advice on request
- assessing significant or substantial incidents
- facilitating technical handling and voluntary sharing of technical solutions
- analyzing vulnerabilities and incidents
- providing support for ex‑post technical inquiries
- contributing to common situational awareness
- facilitating escalation and information exchange between CSIRTs and decision-makers
- supporting member states in technical incident or crisis handling and in testing plans
- assisting Union institutions in public incident or crisis communication
Cybersecurity Certification
ENISA supports Union policy on cybersecurity certification through different tasks. Art. 8
- Standardization and technical specifications where standards are unavailable
- Candidate European cybersecurity certification schemes
- Evaluation of adopted schemes
- Peer reviews of national cybersecurity certification authorities according to Art. 59
- Guidelines and good practices on cybersecurity requirements for ICT products and services
- European and international standards for risk management and ICT security
- Advice and guidelines on technical areas for operators of essential services (in Germany Betreiber kritischer Anlagen) and digital service providers (including existing standards)
- Analyses of supply and demand trends in the Union cybersecurity market
Knowledge, education and consultation
ENISA performs analyses of cyber threats and incidents. In cooperation with experts from member states, ENISA also provides advice, guidance, and best practices for security of network and information systems. ENISA compiles reports based on public information of significant incidents Art. 9
ENISA is also tasked with raising awareness for cybersecurity risks by providing guidance on good practices for cyber-hygiene and cyber-literacy. ENISA assists member states by supporting them in their education and awareness efforts, and supports closer coordination and exchange of best practices among member states Art. 10
ENISA also advises EU institutions and member states on research needs and priorities in cybersecurity. The agency can participate in the implementation of research and innovation funding programs and contribute to strategic cybersecurity research and innovation in the European Union Art. 11
ENISA contributes to Union cooperation with third countries and international organizations on cybersecurity. ENISA observes and reports on international exercises, facilitates exchange of best practices, provides expertise to the Commission, and supports the mutual recognition of cybersecurity certificates with third countries with the European Cybersecurity Certification Group (ECCG) Art. 12
Organization
EU CSA lays down six different boards, roles, and groups for decision making that compose ENISA’s organizational structure.
Management Board
The Management Board establishes ENISA’s general operational direction, in particular by adopting ENISA’s single programming document and supervising its implementation Art. 15 (1)(a) to (d). Among other tasks, the Management Board also establishes ENISA’s Advisory Group. Art. 15 Art. 21 (1)
The Management Board is composed of one member and one alternate appointed by each member state, and two members appointed by the European Commission. All members are appointed based on their cybersecurity knowledge for a term of four years (renewable). Art. 14
A chairperson and a deputy chairperson are elected by the members with a two thirds majority for a term of four years (renewable). The chairperson is allowed to chair the Executive Board as well. Art. 16
Executive Board
The Executive Board assists the Management Board and the Executive Director. It prepares decisions to be adopted by the Management Board and assists the Executive Director in implementing the decisions of the Management Board regarding administrative and budgetary matters. Art. 19 (1)(2)
The Executive Board consists of five members, including the chairperson of the Management Board, and meets at least once every three months. Art. 19 (3)(5)
Members of the Executive Board are appointed for four years, renewable. Art. 19 (4)
Executive Director
The Executive Director manages ENISA and is responsible for its day-to-day administration: Art. 20
- Implement decisions adopted by the Management Board
- Implement the single programming document
- Prepare ENISA’s annual report
- Network with relevant stakeholders
- Exchange views and information with Union institutions
ENISA Advisory Group
Alongside ENISA’s internal roles and boards, the agency is in close contact with several expert groups of external stakeholders.
The Advisory Group advises the Executive Director on drafting ENISA’s annual work programme and on communicating with relevant stakeholders concerning related issues. It thereby facilitates the information exchange between ENISA and relevant stakeholders. Art. 21 (5)
The Advisory Group regularly informs the Management Board about its activities and is comprised of stakeholders from academia, various industries, and authorities such as: Art. 21 (1)(6)
- ICT industry
- Publicly available electronic communications networks or services
- SMEs
- Academic cybersecurity experts
- Representatives of competent authorities
Members are appointed for 18 months Art. 21 (4)
Stakeholder Cybersecurity Certification Group
The Stakeholder Cybersecurity Certification Group (SCCG) advises ENISA and the European Commission on strategic matters concerning cybersecurity certification. It advises the European Commission regarding the European cybersecurity certification framework (ECCF) and assists it in preparing the Union Rolling Work Programme (URWP). The SCCG also advises ENISA regarding its tasks related to market, cybersecurity certification, and standardization Art. 22 (3).
The SCCG is composed of experts representing relevant stakeholders. Following an open call, ENISA proposes candidates from which the Commission selects members for the SCCG. Art. 22 (2).
The SCCG is co-chaired by representatives of the European Commission and of ENISA, its secretariat is provided by ENISA. Art. 22 (4)
National Liaison Officers Network
The National Liaison Officers Network exists to facilitate the information exchange between ENISA and member states. It serves as a point of contact at the national level facilitating cooperation with national experts. The network is also meant to support ENISA in disseminating its activities, findings, and recommendations to relevant stakeholders. Art. 23 (2)(3)
ENISA has specified and published the functions and procedures of the National Liaison Officers Network. Art. 23 (5)
- Support ENISA in identifying national public and private stakeholders that support ENISA’s work in their member states
- Cooperate with and support the Management Board representatives
- Inform ENISA about national developments related to cybersecurity and of expertise from national competent authorities — for instance of publications and national legal acts.
The National Liaison Officers Network is composed of one representative per member state. Art. 23 (1)
Cybersecurity Certification Framework
Motivation
EU CSA introduces a European Cybersecurity Certification Framework (ECCF) in order to increase the level of cybersecurity within the EU and to enable a harmonized approach to cybersecurity certification within the EU. The EU CSA introduces European cybersecurity certification schemes that attest that evaluated ICT products, ICT services, and ICT processes meet specified security requirements protecting availability, authenticity, integrity, and confidentiality throughout their life cycle. Art. 46
Union Rolling Work Programme
The Union Rolling Work Programme (URWP) for European cybersecurity certification defines strategic priorities for future European cybersecurity certification schemes and lists ICT products benefiting from inclusion in a European certification scheme. ICT products are included in the URWP based on cyber threat developments, ECCG requests, market demand, EU law or member state policies, or because of fragmentation risks of the national certification scheme landscapes. Art. 47 (1)-(3)
On the request of the European Commission, ENISA prepares a candidate scheme or reviews an existing scheme based on the URWP. In justified cases, the European Commission or the ECCG can request ENISA to prepare or review a scheme not included in the URWP. Art. 48
Development of cybersecurity certification schemes
Before European cybersecurity certification schemes get adopted by the European Commission, they must pass a multi-step procedure. After the European Commission requests ENISA to prepare a candidate scheme, ENISA sets up an ad-hoc working group that provides advice during the scheme drafting process. Based on the candidate scheme, the ECCG issues an opinion. If accepted, ENISA’s proposed scheme is adopted by an implementing act of the European Commission. Art. 49
ENISA evaluates each adopted scheme at least every five years and can request a revision. Art. 49
ENISA also maintains a dedicated website on European Union Cybersecurity Certification schemes, certificates, and EU statements of conformity. This website also indicates national schemes replaced by a European scheme. Art. 50
European cybersecurity certification schemes
Security objectives
European cybersecurity certification schemes aim at satisfying different security objectives: Art. 51
- protect data against accidental and unauthorized storage, processing, access, disclosure, destruction, loss, alteration or unavailability during the entire life cycle
- ensure only authorized access to data, services or functions
- identify and document known dependencies and vulnerabilities
- record and allow verification of access and use (who, what, when)
- verify absence of known vulnerabilities
- restore availability and access in a timely manner after physical and technical incidents
- security by default and by design
- up‑to‑date software and hardware without publicly known vulnerabilities
- secure update mechanisms
Assurance levels
Certification schemes feature assurance levels corresponding to the risk of potential security incidents related to the certified ICT products. The assurance levels are classified by basic, substantial, and high. The applicable assurance level is listed on the respective certificate and in the EU statement of conformity Art. 52.
For each assurance level, certification schemes provide security requirements concerning security functionalities and evaluation. The assurance levels aim at protecting against different threat actors and their evaluation methods differ in depth and rigor: Art. 52
| Assurance Level | Basis | Evaluation | Objective | Threat Actor Capabilities |
|---|---|---|---|---|
| Basic | — | Review technical documentation | Reduce basic incident and cyberattack risks | — |
| Substantial | Basic | Demonstrate patched known vulnerabilities (review), test required security functionalities | Reduce cybersecurity, incident, and cyberattack risks | Limited skills and resources |
| High | Substantial | Demonstrate state-of-the-art security functionalities (testing), penetration testing (skilled attacker) | Reduce state-of-the-art cyberattack risks | Significant skills and resources |
Conformity self-assessment
Certification schemes can permit manufacturers and providers to perform conformity self-assessments for ICT products, services, and processes certified under the assurance level basic.
As part of the conformity self-assessment, the manufacturer or provider issues an EU statement of conformity stating that the respective products, services, or processes fulfill the necessary certification scheme requirements. By issuing the statement of conformity, the manufacturer or provider takes responsibility for the compliance of the respective products, services, or processes. Art. 53
The EU statement of conformity is voluntary (unless otherwise specified by law) and recognized in all member states. A copy of the EU statement of conformity must be made available to the national cybersecurity certification authority and to ENISA. Art. 53
Certification scheme elements
CSA defines the elements that European cybersecurity certification schemes must feature: Art. 54
- subject matter and scope, including covered ICT products, services, and processes
- purpose and alignment of selected standards, evaluation methods and assurance levels with needs
- references to (inter-)national standards, technical specifications, or scheme‑specific requirements
- assurance levels
- permissibility of self‑assessments
- evaluation criteria and methods
- rules for compliance monitoring
- rules on vulnerabilities reporting
- content and format of certificates and EU statements of conformity
- period of validity for certificates
- disclosure policy for issued, amended, and withdrawn certificates
- conditions for mutual recognition agreements with third countries
- peer assessment rules for issuers of certificates with high assurance levels
- and more
Cybersecurity certification
Certified ICT products, services, and processes are presumed to comply with the requirements of the certification schemes. Art. 56 (1) A certification is voluntary, unless specified by law. Art. 56 (2)
The European Commission assesses biennially the efficiency and the use of certification schemes and whether to make specific schemes mandatory. Art. 56 (3) A document request to the European Commission regarding these assessments yielded no results, even after a deadline extension.
Conformity assessment bodies issue European cybersecurity certificates for the assurance levels basic and substantial Art. 56 (4). Certificates requiring the assurance level high are only to be issued by national cybersecurity certification authorities, or by conformity assessment bodies upon prior approval by the national cybersecurity certification authority or on the basis of a general delegation by the national cybersecurity certification authority to the conformity assessment body Art. 56 (6).
Certificate holders must inform the issuer of detected vulnerabilities or irregularities affecting the compliance with the requirements of the certification. The informed authority or body forwards that information to the national cybersecurity certification authority Art. 56 (8).
European cybersecurity certificates are issued for the period specified in the respective certification scheme and can be renewed if the necessary requirements continue to be met Art. 56 (9). European cybersecurity certificates are recognized in all member states Art. 56 (10).
Obligations of manufacturers and providers
Manufacturers and providers of ICT products must publish supplementary cybersecurity information that needs to be kept up-to-date Art. 55. Manufacturers and providers must publish the following information during the validity of the certificate or the EU statement of conformity: Art. 55 (1)
- guidance on secure configuration, installation, deployment, operation, and maintenance
- period for security updates and security support
- contact details and accepted vulnerability‑reporting methods for end-users and security researchers
- references to relevant advisories and repositories listing disclosed vulnerabilities
National certification schemes
For ICT products already covered by a European cybersecurity certification scheme, national schemes no longer apply from the date specified in the respective implementing act. National schemes continue to remain effective for ICT products that are not covered by a European cybersecurity certification scheme Art. 57 (1).
Existing national certificates for national certification schemes that are covered by a European scheme remain valid until their expiry Art. 57 (3).
In case member states intend to develop new national cybersecurity certification schemes, they inform the ECCG and the European Commission to prevent fragmentation of the internal market of the European Union Art. 57 (4).
Regular evaluation
EU CSA requires the European Commission to regularly evaluate the impact, effectiveness and efficiency of ENISA and the European cybersecurity certification framework Art. 67 (1) and (2).
The evaluation of ENISA assesses its working practices, the potential need to modify its mandate, and the financial implications of any changes Art. 67 (1).
The evaluation of the European cybersecurity certification framework examines the framework’s role in ensuring an adequate level of cybersecurity for ICT products. It also investigates whether essential cybersecurity requirements for market access are necessary to prevent non-compliant ICT products from entering the Union market Art. 67 (2) and (3).
The initial evaluation was supposed to be published by June 28, 2024, followed by subsequent evaluations every five years Art. 67 (1). A document request to the European Commission regarding the evaluation yielded no results, even after a deadline extension.
Governance
National cybersecurity certification authorities
Each member state designates one or more national cybersecurity certification authorities. National cybersecurity certification authorities participate in the ECCG with the following tasks: Art. 58 (1)(6)(7)
- supervise and enforce compliance of certified ICT products based on certification scheme rules in cooperation with market surveillance authorities
- enforce obligations of manufacturers and providers that conduct conformity self-assessments
- assist national accreditation bodies supervising conformity assessment bodies
- monitor public bodies issuing certificates
- authorize conformity assessment bodies
- restrict, suspend, and revoke authorizations
- handle complaints in relation to issued certificates
- provide annual summary report to ENISA and ECCG
- cooperate with other authorities by sharing information
- monitor developments in the fields of cybersecurity certification
Among other measures, these authorities are, with regard to conformity assessment bodies, certificate holders, and issuers of EU statements of conformity, empowered to: Art. 58 (8)
- request information and conduct audits
- take appropriate measures to ensure compliance of these bodies
- access their premises
- withdraw certificates
- impose penalties specified by national law
In order to ensure equivalent EU-wide standards, national authorities participate in peer reviews based on transparent criteria. The assessments cover aspects such as the separation of supervision and enforcement procedures, the monitoring of manufacturers, providers, and conformity assessment bodies, and the expertise of authority staff issuing certificates for assurance level high Art. 59 (1)-(3)
Peer reviews are conducted by at least two national cybersecurity certification authorities and the European Commission at least every five years. ENISA can participate as well Art. 59 (4)
The European Commission can establish a plan for at least five years by adopting implementing acts. This plan covers the members of the peer review team, the methodology used for evaluation, the schedule, and the frequency of peer reviews Art. 59 (5)
The ECCG examines the outcomes of the peer reviews and issues recommendations Art. 59 (6)
Conformity Assessment Bodies
Conformity assessment bodies are accredited by national accreditation bodies and must meet the requirements set out in the Annex of EU CSA. Accreditation is issued for a maximum of five years and can be renewed or revoked. Art. 60 (1)(4)
National cybersecurity certification authorities notify the European Commission of conformity assessment bodies that have been accredited per scheme and assurance level. The European Commission publishes the list of the accredited conformity assessment bodies for the respective certification scheme, one year after its entry into force Art. 61 (1)(2)
European Cybersecurity Certification Group
The European Cybersecurity Certification Group (ECCG) is composed of representatives of national cybersecurity certification authorities or other relevant national authorities. The European Commission chairs the ECCG with support by ENISA, which provides the secretariat Art. 62 (2)(5)
The tasks for the ECCG include: Art. 62 (4)
- Advise the Commission on implementation of the URWP, cybersecurity policy, coordination of policy approaches, and preparation of European cybersecurity certification schemes
- Advise ENISA on the preparation of candidate certification schemes
- Opinions on candidate certification schemes
- Request ENISA to prepare candidate certification schemes
- Opinions on the maintenance and review of existing European cybersecurity certification schemes
- Examine developments related to cybersecurity certification and exchange good practices
- Cooperation and information exchange between national cybersecurity certification authorities
- Support peer assessments mechanisms under certification schemes
- Alignment of certification schemes with internationally recognized standards
Penalties
Penalties are imposed based on national infringement rules that must be effective, proportionate, and dissuasive. Art. 65
Developments
Ongoing EU certification schemes
With the introduction of the European cybersecurity certification schemes, the European Union has set the stage for harmonized standards that target various cybersecurity-related areas.
Launched in March 2020, these efforts will soon have been underway for six years, focusing on three certification schemes targeting ICT products (EUCC), cloud services (EUCS), and 5G networks (EU5G). Based on the general structure for certification schemes that the EU CSA requires, these certification schemes can be summarized and compared as follows:
| | EUCC | EUCS | EU5G |
|---|---|---|---|
| Scope | ICT products | Cloud services (IaaS, PaaS, SaaS) | 5G networks |
| Version | Final | Five drafts | No public draft available |
| Status | Adopted January 2024; ad-hoc working group commenced 2019 | In progress since March 2020; ongoing disagreements concerning sovereignty requirements | Scheme drafting in progress; ad-hoc working group commenced Q4 2021 |
| Criteria | ISO 15408-1 to -5:2022; CC:2022 Parts 1-5 (CCRA) | Annex A based on C5, ISO 27001, 27017, 27002, SecNumCloud | unknown |
| Methods | ISO 18045:2022; CEM:2022 (CCRA) | Annex B based on ISO 17065; Annex C (substantial and high) based on ISO 17021 and IAASB; Annex D (basic); influences from ISAE 3402, ISAE 3000, ISO 27006; references ISO 29147 and ISO 30111 (vulnerability handling), ISO 27005 (risk management) | unknown |
| Assurance Levels | Substantial, high | Basic, substantial, high | unknown |
| Validity | Five years, lifetime (protection profiles) | Three years | unknown |
| Self-Assessments | Not permitted | Not permitted | unknown |
EUCC – EU Common Criteria (EUCC)
EU Cybersecurity Certification Scheme on Common Criteria (EUCC) certifies the security of ICT products at the assurance levels substantial and high. EUCC has been adopted through an EU implementing act published in the European Official Journal in February 2024 and has since been amended twice, in December 2024 and 2025.
The first certificate at level substantial was issued in July 2025 in Spain.
EUCC evaluates the security of ICT products based on the SOG-IS Common Criteria framework and requires evaluation criteria from the following standards:
- ISO 15408-1 through -5:2022, or
- Common Criteria for Information Technology Security Evaluation, CC:2022, Parts 1-5, CCRA
EUCC requires the following standards for the evaluation methodology:
- ISO 18045:2022, or
- Common Methodology for Information Technology Security Evaluation, version CEM:2022, CCRA
Until December 2027, transition rules apply allowing older versions to be applied for evaluation. In particular, EUCC allows the following standards concerning the evaluation criteria:
- ISO 15408-1:2009, ISO 15408-2 or -3:2008, or
- Common Criteria for Information Technology Security Evaluation, version 3.1, revision 5, CCRA
EUCC transition rules allow for evaluation methods from the following standards:
- ISO 18045:2008
- Common Methodology for Information Technology Security Evaluation, version 3.1, revision 5, CCRA
EU Cloud Certification Scheme (EUCS)
With the EU Cloud Certification Scheme (EUCS), the European Commission wants to harmonize existing, fragmented cloud certifications in the EU. ENISA started the development of EUCS in 2020. EUCS plans certifications of cloud services offered as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) in assurance levels basic, substantial, and high.
A candidate scheme of the EUCS was initially published by ENISA in December 2020, followed by a public consultation. Multiple draft candidate schemes have been developed by May 2023 (1.0.319), August 2023 (1.0.335), and March 2024 (1.0.413) as reported. These updated draft schemes, however, were apparently not officially published. The publication of the final candidate scheme is still pending.
Since the last draft candidate schemes, development has slowed down due to ongoing debates on the digital sovereignty requirements. The draft candidate scheme of May 2023 proposed strict requirements for cloud service providers seeking certification under the assurance level high: among other requirements, providers would have to have their headquarters located in the EU and to provision and maintain cloud services solely from EU-based locations.
The proposed sovereignty requirements were removed in the draft candidate scheme of March 2024 due to concerns that they could, in fact, counteract the goal of increasing the security of cloud environments since, among other lines of argument, they would limit access to potentially more secure non-EU cloud services.
EUCS evaluation criteria draw significant inspiration from the German BSI C5 and the French SecNumCloud. As the draft candidate scheme of December 2020 states, the evaluation criteria are also based on international standards, including ISO 27001, ISO 27017 and ISO 27002.
The draft candidate scheme of December 2020 lists general evaluation methods in Annex B while Annex C details the evaluation methods for the assurance levels substantial and high based on ISO 17021. Annex D details the evaluation methods for the assurance level basic.
The draft candidate scheme also allows for evaluations based on ISAE 3402.
EU5G
EU5G is expected to provide a certification scheme for 5G networks. The scheme drafting process and sectoral risk assessments have been ongoing since the establishment of an ad-hoc working group on EU5G in 2021. No public drafts are available at the time of writing.
EU CSA2
Updated Cybersecurity Act in 2026
In January 2026, the European Commission proposed revisions to the Cybersecurity Act EU CSA2 to strengthen ICT supply-chain security across member states, simplify certification, facilitate compliance with existing EU cybersecurity rules, and reinforce ENISA’s role in supporting member states and the EU in managing cyber threats.
EU CSA2 proposes a high-risk supplier concept for key ICT assets with vendor restrictions and phase-out requirements for the most sensitive parts of critical-sector ICT supply chains, including telecom networks, where the proposal defines key assets across both the core and the network edge and even bars Conformity Assessment Bodies from relying on high-risk suppliers in their certification work.
The CSA2 proposal is now being negotiated between Council and the European Parliament (trilogue), as of January 2026. In the Council, where positions are typically agreed by qualified majority, support is uncertain — particularly if a coalition of member states pushes to narrow the provisions on high-risk suppliers.
ICT Toolbox
EU CSA2 introduces a trusted ICT supply chain framework as a toolbox to address non-technical supply-chain risks for the eighteen EU NIS2 sectors. The mechanism is designed to identify key ICT assets in critical ICT supply chains and to anchor proportionate measures for affected entities. Art. 98
The framework is triggered through EU-wide coordinated security risk assessments carried out in the NIS Cooperation Group, with a six-month default timeline and an emergency pathway for significant cyber threats Art. 99.
Based on the assessment, the Commission could (via implementing acts) identify key ICT assets Art. 101 Art. 102 and impose mitigating measures, including restrictions and/or prohibitions for the use, installation or integration of ICT components from high-risk suppliers in those key ICT assets, with transition and phase-out periods. Art. 103
For electronic communications networks, EU CSA2 applies the same logic to key network assets Annex II and introduces a phase-out obligation for ICT components from high-risk suppliers, including a capped phase-out period for mobile networks (linked to publication of the high-risk supplier list) Art. 110 and a prohibition to use, install or integrate such components in key ICT assets. Art. 111
High-risk suppliers
EU CSA2 defines high-risk suppliers primarily by establishment in (or control from) a third country designated as posing cybersecurity concerns, and also covers entities designated under the framework (and entities they control). Art. 3 (39) Art. 100 Art. 103 (7)
Once EU CSA2 is adopted, the European Commission would establish and regularly update lists of high-risk suppliers through implementing acts, relevant for toolbox prohibitions and the telecom restrictions. Art. 104 (1)
The EU CSA2 draft sets out a structured process around supplier mapping and an establishment/ownership-and-control assessment, including information requests, preliminary findings shared with the supplier, and an opportunity to be heard with the possibility to involve competent authorities in initial assessments. Art. 104 (2)–(7)
In practice, the ICT Toolbox builds on the concept of the 5G toolbox (2020), which restricted the use of 5G technologies from certain suppliers in European telecommunications infrastructure. The voluntary 5G toolbox was adopted by thirteen member states, which restricted several suppliers.
Adjustments to the CSA certification framework
CSA2 proposes adjustments to the European cybersecurity certification framework to speed up development, broaden the scope and make certifications more usable across the EU. Art. 71 (1)
European schemes could certify ICT products, ICT services and ICT processes, managed security services, and the cyber posture of an entity. While cyber-posture certification is enabled in the framework, EU CSA2 itself does not make it mandatory. Art. 71 (1)(2)
For managed security services, the proposal integrates security requirements and operational delivery into the certification, which remains voluntary unless required by Union or national law. Certificates and EU statements of conformity would be recognized across member states. Art. 71 (2)(3)(4)
The Commission can request ENISA to prepare a candidate scheme (Art. 73), which ENISA should deliver within twelve months, with defined consultations. Art. 74 (1)(7)–(9)
EU CSA2 also formalizes scheme maintenance and review, including ENISA-led evaluations at least every four years, Art. 75, 76 and anchors presumption of conformity where EU legislation provides for it. Art. 78
ENISA under EU CSA2
In EU CSA2, ENISA’s mandate moves further towards operational delivery in three main areas: EU tools and platforms that support reporting and compliance, shared situational awareness and early warning, and hands-on support functions in incident response and vulnerability management.
EU CSA2 would require ENISA to establish, provide, operate, maintain and update operational technical tools and platforms at Union level. Art. 15 This explicitly includes the Single Reporting Platform for incident reporting and a future single-entry point for incident reporting. The same provision also anchors ENISA’s role in providing testing tools to support conformity assessments. Art. 15
ENISA has a role in building an enhanced shared situational awareness picture, which includes repositories of verified cyber threat intelligence, providing ad-hoc analyses (by request of EU-CyCLONe, CSIRT network, Commission), producing a regular in-depth EU Cybersecurity Technical Situation Report, and monitoring ransomware trends. Art. 11
ENISA would be able to issue early alerts on potential or ongoing significant or large-scale incidents, or on cross-border cyber threats. Art. 11 (1) (b) and Art. 12 Early alerts can contain publicly known vulnerabilities, indicators of compromise, and mitigation recommendations; the proposal also foresees an early alert service for entities operating in EU NIS2 sectors. Art. 12 (1)–(5)
Beyond situational reporting, EU CSA2 embeds vulnerability and crisis coordination in ENISA’s cooperation role, including analyzing vulnerabilities, threats, and incidents Art. 10 (4) (c) and supporting the coordinated management of large-scale incidents and crises by assisting EU-CyCLONe and facilitating information-sharing. Art. 10 (4) (e)
EU CSA2 tasks ENISA with operating the EU Cybersecurity Reserve Art. 13 (1) and allows ENISA, at the request of the Commission or EU-CyCLONe, to review significant and large-scale incidents. Art. 13 (2) Additionally, ENISA would assist essential and important entities with ransomware preparedness, response, and recovery, including through a dedicated helpdesk. Art. 13 (3)
EU CSA2 requires ENISA to develop a common EU vulnerability-management capacity and to provide services to stakeholders, Art. 16 including the European vulnerability database established under EU NIS2 (EU NIS2 Art. 12 (2)), coordinated vulnerability disclosure via CSIRTs (EU NIS2 Art. 12 (1)), and methodologies and mechanisms for vulnerability identification and coordinated disclosure. Art. 16 (a)–(e)
The EU CSA2 proposal's budgetary section estimates ENISA's budget at EUR 341 million over 2028–2034 (an average of EUR 49 million per year), described as an 81.5% increase compared to ENISA's 2025 budget baseline. The accompanying financial planning also foresees a ramp-up in staffing to 118 full-time employees and introduces fee-based financing elements for specific ENISA services.
Literature
- Union Rolling Work Programme, European Commission
- European Union Cybersecurity Certification, ENISA
- Developing Certification Schemes, ENISA
- Advisory Group (AG), ENISA
- Decision No MB/2020/04 of the Management Board of the European Union Agency for Cybersecurity (ENISA) Setting up a National Liaison Officers Network, ENISA, February 2020
- Evaluation ENISA (European Union Agency for Cybersecurity) and the European Cybersecurity Certification Framework, Online Trust Coalition, October 2023
- Joint Statement on EUCS, European Banking Federation, November 2023
- Two Visions of Digital Sovereignty, Sujit Raman, American University Washington College of Law, September 2023
- Rechtsgutachten zur US-Rechtslage zum weltweiten Datenzugriff durch US-Behörden bei Nutzung von Cloud-Diensten [Legal opinion on the US legal situation regarding global data access by US authorities when using cloud services], University of Cologne, March 2025
Sources
- Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), Official Journal of the European Union, June 07, 2019
- EUCS — Cloud Services Scheme, ENISA, December 22, 2020
- Towards a more secure and trusted cloud in Europe, European Commission, December 09, 2019
- C5:2025 - the future of C5 as community draft, German Federal Office for Information Security
- EU Cloud Certification at an Impasse, Centrum für Europäische Politik, April 25, 2025
- The Economic Impacts of the Proposed EUCS Exclusionary Requirements: Estimates for Member States, October 2023
- EU Cybersecurity Certification Scheme on Common Criteria (EUCC), ENISA
- Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC), Official Journal of the European Union, February 07, 2024
- First EUCC Certificate at level substantial, ENISA, July 23, 2025
- Consolidated Annual Activity Report 2021, ENISA