CSA
What is the Cyber Security Act - EU CSA?
The EU Cyber Security Act is a regulation that improves cyber security in the EU by strengthening the role of the European Network and Information Security Agency (ENISA) and introducing an EU-wide certification system for IT products and services.
The EU Cyber Security Act, also known as Regulation (EU) 2019/881, officially came into force on 27 June 2019. It represents a significant step by the European Union to strengthen cyber security across the EU.
Aim and purpose of the regulation: The main purpose of the Cyber Security Act is to create a harmonised framework for cybersecurity certification of products, services and processes within the EU. It aims to increase trust in digital technologies and improve resilience to cyber threats. The Act establishes the European Cybersecurity Agency (ENISA) as a central institution to support member states and develop certification schemes. ENISA has thus been given an extended mandate to further develop and maintain the European cybersecurity certification framework.
The EU Cyber Security Act is a decisive step towards harmonising cybersecurity standards in Europe and promoting a secure digital single market.
The Cyber Security Act is in force across the EU and is continuously evolving to meet the changing requirements of cyber security. ENISA is actively working on the development and implementation of certification schemes that meet the requirements of the Act.
The Cyber Security Act provides for the development of EU-wide cyber security certification schemes. These schemes are intended to assess and certify the security of IT products, services and processes. ENISA already has several schemes in the pipeline, including those for cloud services and IoT devices. These certifications are voluntary, but are intended to be established as the standard for cybersecurity in the EU to ensure a high level of security and trust.
The following certification systems have been developed so far:
EUCC (EU Common Criteria): The EU Common Criteria (EUCC) cybersecurity certification scheme was adopted on 31 January 2024, making it the first European certification scheme, and came into force on 27 February 2025. This certification system is based on the Common Criteria and is intended for assessing and certifying the security of IT products. It provides a standardised methodology for assessing the security properties of products.
EUCS (EU Cloud Services): This certification system is specifically designed for cloud services and aims to ensure the security and trustworthiness of cloud services. It includes various security requirements that cloud providers must fulfil.
EU5G (EU 5G Security): This certification system focuses on the security of 5G networks and infrastructures. It aims to ensure that 5G technologies meet the required security standards and are resistant to threats.