Data & Privacy
- Data Act
- Data Governance Act
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
Cybersecurity
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
Cybersecurity Act
- Recitals
TITLE I
General provisionsArticles 1 — 2
TITLE II — CHAPTER I
Mandate and objectivesArticles 3 — 4
TITLE II — CHAPTER II
TasksArticles 5 — 12
TITLE II — CHAPTER III
Organisation of ENISAArticles 13 — 28
TITLE II — CHAPTER IV
Establishment and structure of ENISA’s budgetArticles 29 — 33
TITLE II — CHAPTER V
StaffArticles 34 — 37
TITLE II — CHAPTER VI
General provisions concerning ENISAArticles 38 — 45
TITLE III
Cybersecurity certification frameworkArticles 46 — 65
TITLE IV
Final provisionsArticles 66 — 69
ANNEXES
CSA Article 54. Elements of European cybersecurity certification schemes
- 1.A European cybersecurity certification scheme shall include at least the following elements:
- (a)the subject matter and scope of the certification scheme, including the type or categories of ICT products, ICT services and ICT processes covered;
- (b)a clear description of the purpose of the scheme and of how the selected standards, evaluation methods and assurance levels correspond to the needs of the intended users of the scheme;
- (c)references to the international, European or national standards applied in the evaluation or, where such standards are not available or appropriate, to technical specifications that meet the requirements set out in Annex II to Regulation (EU) No 1025/2012 or, if such specifications are not available, to technical specifications or other cybersecurity requirements defined in the European cybersecurity certification scheme;
- (d)where applicable, one or more assurance levels;
- (e)an indication of whether conformity self-assessment is permitted under the scheme;
- (f)where applicable, specific or additional requirements to which conformity assessment bodies are subject in order to guarantee their technical competence to evaluate the cybersecurity requirements;
- (g)the specific evaluation criteria and methods to be used, including types of evaluation, in order to demonstrate that the security objectives referred to in Article 51 are achieved;
- (h)where applicable, the information which is necessary for certification and which is to be supplied or otherwise be made available to the conformity assessment bodies by an applicant;
- (i)where the scheme provides for marks or labels, the conditions under which such marks or labels may be used;
- (j)rules for monitoring compliance of ICT products, ICT services and ICT processes with the requirements of the European cybersecurity certificates or the EU statements of conformity, including mechanisms to demonstrate continued compliance with the specified cybersecurity requirements;
- (k)where applicable, the conditions for issuing, maintaining, continuing and renewing the European cybersecurity certificates, as well as the conditions for extending or reducing the scope of certification;
- (l)rules concerning the consequences for ICT products, ICT services and ICT processes that have been certified or for which an EU statement of conformity has been issued, but which do not comply with the requirements of the scheme;
- (m)rules concerning how previously undetected cybersecurity vulnerabilities in ICT products, ICT services and ICT processes are to be reported and dealt with;
- (n)where applicable, rules concerning the retention of records by conformity assessment bodies;
- (o)the identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products, ICT services and ICT processes, security requirements, evaluation criteria and methods, and assurance levels;
- (p)the content and the format of the European cybersecurity certificates and the EU statements of conformity to be issued;
- (q)the period of the availability of the EU statement of conformity, technical documentation, and all other relevant information to be made available by the manufacturer or provider of ICT products, ICT services or ICT processes;
- (r)maximum period of validity of European cybersecurity certificates issued under the scheme;
- (s)disclosure policy for European cybersecurity certificates issued, amended or withdrawn under the scheme;
- (t)conditions for the mutual recognition of certification schemes with third countries;
- (u)where applicable, rules concerning any peer assessment mechanism established by the scheme for the authorities or bodies issuing European cybersecurity certificates for assurance level ‘high��’ pursuant to Article 56(6). Such mechanism shall be without prejudice to the peer review provided for in Article 59;
- (v)format and procedures to be followed by manufacturers or providers of ICT products, ICT services or ICT processes in supplying and updating the supplementary cybersecurity information in accordance with Article 55.
- 2.The specified requirements of the European cybersecurity certification scheme shall be consistent with any applicable legal requirements, in particular requirements emanating from harmonised Union law.
- 3.Where a specific Union legal act so provides, a certificate or an EU statement of conformity issued under a European cybersecurity certification scheme may be used to demonstrate the presumption of conformity with requirements of that legal act.
- 4.In the absence of harmonised Union law, Member State law may also provide that a European cybersecurity certification scheme may be used for establishing the presumption of conformity with legal requirements.
Relevant Recitals for this Article
The provisions of this Regulation should be without prejudice to Union law providing specific rules on the certification of ICT products, ICT services and ICT processes. In particular, Regulation (EU) 2016/679 lays down provisions for the establishment of certification mechanisms and of data protection seals and marks, for the purpose of demonstrating the compliance of processing operations by controllers and processors with that Regulation. Such certification mechanisms and data protection seals and marks should allow data subjects to quickly assess the level of data protection of the relevant ICT products, ICT services and ICT processes. This Regulation is without prejudice to the certification of data processing operations under Regulation (EU) 2016/679, including when such operations are embedded in ICT products, ICT services and ICT processes.
The technical specifications to be used in European cybersecurity certification schemes should respect the requirements set out in Annex II to Regulation (EU) No 1025/2012 of the European Parliament and of the Council . Some deviations from those requirements could, however, be considered to be necessary in duly justified cases where those technical specifications are to be used in a European cybersecurity certification scheme referring to assurance level ‘high’. The reasons for such deviations should be made publicly available.
The Commission should prepare, with the support of the European Cybersecurity Certification Group (the ‘ECCG’) and the Stakeholder Cybersecurity Certification Group and after an open and wide consultation, a Union rolling work programme for European cybersecurity certification schemes and should publish it in the form of a non-binding instrument. The Union rolling work programme should be a strategic document that allows industry, national authorities and standardisation bodies, in particular, to prepare in advance for future European cybersecurity certification schemes. The Union rolling work programme should include a multiannual overview of the requests for candidate schemes which the Commission intends to submit to ENISA for preparation on the basis of specific grounds. The Commission should take into account the Union rolling work programme while preparing its Rolling Plan for ICT Standardisation and standardisation requests to European standardisation organisations. In light of the rapid introduction and uptake of new technologies, the emergence of previously unknown cybersecurity risks, and legislative and market developments, the Commission or the ECCG should be entitled to request ENISA to prepare candidate schemes which have not been included in the Union rolling work programme. In such cases, the Commission and the ECCG should also assess the necessity of such a request, taking into account the overall aims and objectives of this Regulation and the need to ensure continuity as regards ENISA’s planning and use of resources.
European cybersecurity certification schemes should take into account current software and hardware development methods and, in particular, the impact of frequent software or firmware updates on individual European cybersecurity certificates. European cybersecurity certification schemes should specify the conditions under which an update may require that an ICT product, ICT service or ICT process be recertified or that the scope of a specific European cybersecurity certificate be reduced, taking into account any possible adverse effects of the update on compliance with the security requirements of that certificate.
In order to further facilitate trade, and recognising that ICT supply chains are global, mutual recognition agreements concerning European cybersecurity certificates may be concluded by the Union in accordance with Article 218 of the Treaty on the Functioning of the European Union (TFEU). The Commission, taking into account the advice from ENISA and the European Cybersecurity Certification Group, may recommend the opening of relevant negotiations. Each European cybersecurity certification scheme should provide specific conditions for such mutual recognition agreements with third countries.