Data & Privacy
- Data Act
- Data Governance Act
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
Cybersecurity
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
Cybersecurity Act
- Recitals
TITLE I
General provisionsArticles 1 — 2
TITLE II — CHAPTER I
Mandate and objectivesArticles 3 — 4
TITLE II — CHAPTER II
TasksArticles 5 — 12
TITLE II — CHAPTER III
Organisation of ENISAArticles 13 — 28
TITLE II — CHAPTER IV
Establishment and structure of ENISA’s budgetArticles 29 — 33
TITLE II — CHAPTER V
StaffArticles 34 — 37
TITLE II — CHAPTER VI
General provisions concerning ENISAArticles 38 — 45
TITLE III
Cybersecurity certification frameworkArticles 46 — 65
TITLE IV
Final provisionsArticles 66 — 69
ANNEXES
CSA Article 56. Cybersecurity certification
- 1.ICT products, ICT services and ICT processes that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 49 shall be presumed to comply with the requirements of such scheme.
- 2.The cybersecurity certification shall be voluntary, unless otherwise specified by Union law or Member State law.
- 3.The Commission shall regularly assess the efficiency and use of the adopted European cybersecurity certification schemes and whether a specific European cybersecurity certification scheme is to be made mandatory through relevant Union law to ensure an adequate level of cybersecurity of ICT products, ICT services and ICT processes in the Union and improve the functioning of the internal market. The first such assessment shall be carried out by 31 December 2023, and subsequent assessments shall be carried out at least every two years thereafter. Based on the outcome of those assessments, the Commission shall identify the ICT products, ICT services and ICT processes covered by an existing certification scheme which are to be covered by a mandatory certification scheme. As a priority, the Commission shall focus on the sectors listed in Annex II to Directive (EU) 2016/1148, which shall be assessed at the latest two years after the adoption of the first European cybersecurity certification scheme. When preparing the assessment the Commission shall:
- (a)take into account the impact of the measures on the manufacturers or providers of such ICT products, ICT services or ICT processes and on the users in terms of the cost of those measures and the societal or economic benefits stemming from the anticipated enhanced level of security for the targeted ICT products, ICT services or ICT processes;
- (b)take into account the existence and implementation of relevant Member State and third country law;
- (c)carry out an open, transparent and inclusive consultation process with all relevant stakeholders and Member States;
- (d)take into account any implementation deadlines, transitional measures and periods, in particular with regard to the possible impact of the measure on the manufacturers or providers of ICT products, ICT services or ICT processes, including SMEs;
- (e)propose the most speedy and efficient way in which the transition from a voluntary to mandatory certification schemes is to be implemented.
- 4.The conformity assessment bodies referred to in Article 60 shall issue European cybersecurity certificates pursuant to this Article referring to assurance level ‘basic’ or ‘substantial’ on the basis of criteria included in the European cybersecurity certification scheme adopted by the Commission pursuant to Article 49.
- 5.By way of derogation from paragraph 4, in duly justified cases a European cybersecurity certification scheme may provide that European cybersecurity certificates resulting from that scheme are to be issued only by a public body. Such body shall be one of the following:
- (a)a national cybersecurity certification authority as referred to in Article 58(1); or
- (b)a public body that is accredited as a conformity assessment body pursuant to Article 60(1).
- 6.Where a European cybersecurity certification scheme adopted pursuant to Article 49 requires an assurance level ‘high’, the European cybersecurity certificate under that scheme is to be issued only by a national cybersecurity certification authority or, in the following cases, by a conformity assessment body:
- (a)upon prior approval by the national cybersecurity certification authority for each individual European cybersecurity certificate issued by a conformity assessment body; or
- (b)on the basis of a general delegation of the task of issuing such European cybersecurity certificates to a conformity assessment body by the national cybersecurity certification authority.
- 7.The natural or legal person who submits ICT products, ICT services or ICT processes for certification shall make available to the national cybersecurity certification authority referred to in Article 58, where that authority is the body issuing the European cybersecurity certificate, or to the conformity assessment body referred to in Article 60 all information necessary to conduct the certification.
- 8.The holder of a European cybersecurity certificate shall inform the authority or body referred to in paragraph 7 of any subsequently detected vulnerabilities or irregularities concerning the security of the certified ICT product, ICT service or ICT process that may have an impact on its compliance with the requirements related to the certification. That authority or body shall forward that information without undue delay to the national cybersecurity certification authority concerned.
- 9.A European cybersecurity certificate shall be issued for the period provided for in the European cybersecurity certification scheme and may be renewed, provided that the relevant requirements continue to be met.
- 10.A European cybersecurity certificate issued pursuant to this Article shall be recognised in all Member States.
Relevant Recitals for this Article
A conformity assessment is a procedure for evaluating whether specified requirements relating to an ICT product, ICT service or ICT process have been fulfilled. That procedure is carried out by an independent third party that is not the manufacturer or provider of the ICT products, ICT services or ICT processes that are being assessed. A European cybersecurity certificate should be issued following the successful evaluation of an ICT product, ICT service or ICT process. A European cybersecurity certificate should be considered to be a confirmation that the evaluation has been properly carried out. Depending on the assurance level, the European cybersecurity certification scheme should indicate whether the European cybersecurity certificate is to be issued by a private or public body. Conformity assessment and certification cannot guarantee per se that certified ICT products, ICT services and ICT processes are cyber secure. They are instead procedures and technical methodologies for attesting that ICT products, ICT services and ICT processes have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example in technical standards.
Recourse to European cybersecurity certification and to EU statements of conformity should remain voluntary, unless otherwise provided for in Union law, or in Member State law adopted in accordance with Union law. In the absence of harmonised Union law, Member States are able to adopt national technical regulations providing for mandatory certification under a European cybersecurity certification scheme in accordance with Directive (EU) 2015/1535 of the European Parliament and of the Council . Member States also have recourse to European cybersecurity certification in the context of public procurement and of Directive 2014/24/EU of the European Parliament and of the Council .
In some areas, it could be necessary in the future to impose specific cybersecurity requirements and make the certification thereof mandatory for certain ICT products, ICT services or ICT processes, in order to improve the level of cybersecurity in the Union. The Commission should regularly monitor the impact of adopted European cybersecurity certification schemes on the availability of secure ICT products, ICT services and ICT processes in the internal market and should regularly assess the level of use of the certification schemes by the manufacturers or providers of ICT products, ICT services or ICT processes in the Union. The efficiency of the European cybersecurity certification schemes, and whether specific schemes should be made mandatory, should be assessed in light of the cybersecurity-related legislation of the Union, in particular Directive (EU) 2016/1148, taking into consideration the security of the network and information systems used by operators of essential services.