EU Cyber Security Act—what is that and what rules apply?

Certification plays an important role in creating trust and security for products and services in the digital world. Today, several different security certification schemes exist in the EU for digital services and products. But without a common EU framework, there is a risk of creating trade barriers between EU Member States. 

ENISA will therefore create various cyber security certification schemes in the form of technical requirements, standards, and methodologies to be applied across the EU.  

Different conformity assessment bodies then have an opportunity to offer certifications that confirms that a product, process, or service has been certified in in different areas and levels, in accordance with a cybersecurity scheme.  

Currently, three cybersecurity schemes are under development by ENISA, these are:  

• Common criteria that cover ICT products  

• Cloud services  

• 5G network 

Each European cybersecurity scheme shall specifically specify: 

• The category or service covered 

• The cybersecurity requirements such as standards or technical requirements

• Evaluation methods such as self-certification or third party

• The current level of security

There are three levels of security that are designed to help users know what level of security a product can have. These three levels are basic, substantial, and high. 

These security levels correspond to the level of risk associated with the intended use of a product, service, or process, in terms of the likelihood and impact of an attack. Assurance level high, means that a product has passed the highest security tests. 

The certification will make it easier for companies to do business across borders and for customers to assess a product's security capabilities. 

Cybersecurity certification will be partly voluntary, based on level of assurance, and manufacturers and suppliers can therefore choose to certify their products and services and then select the appropriate security level. A certificate can be applied for at an accredited conformity assessment body. 

RISE is already today offering accredited certification services within several different fields.  
RISE is currently investigating the possibility of extending our certification services to also include the new upcoming EU certification schemes.   

It is expected that after a transitional period, existing national cybersecurity rules will be abandoned in favor of the EU certificate.  

For more information, please contact: