The Commission has today adopted the first-ever European cybersecurity certification scheme, in line with the EU Cybersecurity Act. The scheme offers a Union-wide set of rules and procedures on how to certify ICT products in their lifecycle and thus make them more trustworthy for users. Certification provides a formal recognition that ICT products can be trusted to protect both the hardware and software that citizens are using daily.
Thierry Breton, Commissioner for Internal Market, said: “In a highly dynamic cybersecurity threat landscape, we are making strides to raise our collective cyber resilience. Today, we launch a new framework to ensure that the products that we use in some of the most sensitive environments, like routers and ID cards, are cybersecure. We want our citizens, businesses, and the public sector to be able to trust the products they rely upon for securing their networks and for providing sensitive public services.”
The voluntary scheme will complement the Cyber Resilience Act that introduces binding cybersecurity requirements for all hardware and software products in the EU. This major step contributes to fostering Europe’s global digital leadership. Furthermore, the scheme will also boost the implementation of the NIS2 Directive.
The scheme will be published in the Official Journal of the EU shortly and will enter into force 20 days after publication. Together with the publication of the certification scheme in the Official Journal, the Commission will also publish the first Union Rolling Work Programme for European cybersecurity certification. This document sets out a strategic vision and reflections on possible areas for future European cybersecurity certification schemes considering recent legislative and market developments.
The adopted scheme is based on drafts prepared by the European Union Agency for Cybersecurity (ENISA) in close cooperation with industry experts and Member States, after technical and legal discussions, as well as public consultation.