The European Union Agency for Cybersecurity (ENISA) has been working to make Europe cyber secure since 2004. The Agency is located in Athens, Greece and has a second office in Heraklion, Greece.

ENISA is actively contributing to European cybersecurity policy, supporting Member States and European Union stakeholders to support a response to large-scale cyber incidents that take place across borders in cases where two or more EU Member States have been affected. This work also contributes to the proper functioning of the Digital Single Market.

The Agency works closely together with Member States and private sector to deliver advice and solutions as well as improving their capabilities. This support includes inter alia:

  • Recommendations on cybersecurity and independent advice,
  • Development and evaluation of National Cybersecurity Strategies,
  • Activities that support policy making and implementation,
  • CSIRTs cooperation and capacity building,
  • studies on IoT and smart infrastructures, addressing data protection issues, privacy enhancing technologies and privacy on emerging technologies, eIDs and trust services, identifying the cyber threat landscape, and others. 
  • ‘Hands On’ work, where ENISA collaborates directly with operational teams throughout the EU
  • Bringing together EU Communities and coordinating the response to large large scale cross-border cybersecurity incidents
  • Drawing up cybersecurity certification schemes

ENISA also supports the development and implementation of the European Union's policy and law on matters relating to network and information security (NIS) and assists Member States and European Union institutions, bodies and agencies in establishing and implementing vulnerability disclosure policies on a voluntary basis.

Since 2019, following the bringing into force of the Cybersecurity Act (Regulation 2019/881), ENISA has been tasked to prepare the ‘European cybersecurity certification schemes’ that serve as the basis for certification of products, processes and services that support the delivery of the Digital Single Market.

The European Union's Cybersecurity Act became effective on June 27, 2019.

The Act will strengthen the ability of the European Union Agency for Network and Information Security ("ENISA") to help Member States address cybersecurity threats.

Businesses initially will be able to certify that their products meet EU cybersecurity standards on a voluntary basis, but the certification eventually may become mandatory.

The Cybersecurity Act has two main objectives: (i) strengthening the mandate of the EU cybersecurity watchdog, ENISA to support EU Member States with tackling cybersecurity threats and attacks; and (ii) establishing an EU‐wide cybersecurity certification framework ("Framework") in which ENISA will play a key role.

Under the new Framework, ENISA will coordinate the preparation of candidate cybersecurity certification schemes to be submitted to the European Commission for adoption. The Framework will enable the issuance of European cybersecurity certificates and statements of conformity for information and communication technology ("ICT") products, services, and processes to be recognized in all EU Member States.

The Cybersecurity Act offers businesses the opportunity to certify that their products meet EU cybersecurity standards. The cybersecurity certification will be voluntary, unless otherwise specified by EU or Member State law. The EU Commission will regularly assess whether a specific scheme is to be made mandatory.

The certification scheme may specify one or more of the following security assurance levels: basic, substantial, or high. For the basic level, it will be possible for ICT manufacturers or service providers to carry out the conformity assessment themselves. For substantial or high levels, the assessment will be done by national cybersecurity certification authorities.

EU Member States will develop rules on penalties for infringements of the Framework and for infringements of EU cybersecurity certification schemes.

The Cybersecurity Act is part of the European Union's overall cyber ecosystem aiming to increase the safety of the European Union's digital environment. This legislative framework includes the Directive on Security of Network and Information Systems establishing notification and security requirements for operators of essential services and digital service providers such as cloud providers. The proposed ePrivacy Regulation strives to protect the rights to privacy and confidentiality of communications and promote trusted and secure internet of things applications in the digital single market. The General Data Protection Regulation requires controllers and processors across all industry sectors to implement appropriate data security measures.

  1. The Cybersecurity Act lays down the main requirements for European cybersecurity certification schemes to be developed. It will allow European cybersecurity certificates and EU statements of conformity for ICT products, services, or processes to be recognized in all EU Member States.
  2. Initially, certification pursuant to the cybersecurity schemes will be voluntary but may gradually become mandatory in the European Union for critical products or activities.
  3. Businesses designing, manufacturing, or implementing ICT products, services, or processes should monitor the upcoming discussions for the adoption of cybersecurity certification schemes, assess their level of compliance with respect to such schemes, and/or consider certification once the schemes are available.

Add new comment