Cyber Security Act

What is the Cyber Security Act - EU CSA?

The EU Cyber Security Act is a regulation that improves cyber security in the EU by strengthening the role of the European Network and Information Security Agency (ENISA) and introducing an EU-wide certification system for IT products and services.

Who is affected by the Cyber Security Act?

The regulations of the EU CSA apply to:

  • Manufacturers of IT products and services
  • Certification bodies
  • Member states of the EU
  • ENISA (European Network and Information Security Agency)
  • Consumers and businesses (users of IT products and services)

What is the purpose of the Cyber Security Act?

The EU Cyber Security Act, also known as Regulation (EU) 2019/881, officially came into force on 27 June 2019. It represents a significant step by the European Union to strengthen cyber security across the EU.

Aim and purpose of the regulation: The main purpose of the Cyber Security Act is to create a harmonised framework for cybersecurity certification of products, services and processes within the EU. It aims to increase trust in digital technologies and improve resilience to cyber threats. The Act establishes the European Cybersecurity Agency (ENISA) as a central institution to support member states and develop certification schemes. ENISA has thus been given an extended mandate to further develop and maintain the European cybersecurity certification framework.

The EU Cyber Security Act is a decisive step towards harmonising cybersecurity standards in Europe and promoting a secure digital single market.

Current status of the EU CSA

The Cyber Security Act is in force across the EU and is continuously evolving to meet the changing requirements of cyber security. ENISA is actively working on the development and implementation of certification schemes that meet the requirements of the Act.

Currently valid certification procedures

The Cyber Security Act provides for the development of EU-wide cyber security certification schemes. These schemes are intended to assess and certify the security of IT products, services and processes. ENISA already has several schemes in the pipeline, including those for cloud services and IoT devices. These certifications are voluntary, but are intended to be established as the standard for cybersecurity in the EU to ensure a high level of security and trust.

The following certification systems have been developed so far

EUCC (EU Common Criteria): The EU Common Criteria (EUCC) cybersecurity certification scheme was adopted on 31 January 2024, making it the first European certification scheme. It came into force on 27 February 2025. This certification system is based on the Common Criteria and is intended for the assessment and certification of the security of IT products. It provides a standardised methodology for assessing the security properties of products.

EUCS (EU Cloud Services): This certification system is specifically designed for cloud services and aims to ensure the security and trustworthiness of cloud services. It includes various security requirements that cloud providers must fulfil.

EU5G (EU 5G Security): This certification system focuses on the security of 5G networks and infrastructures. It aims to ensure that 5G technologies meet the required security standards and are resistant to threats.

What are the general requirements for the EU CSA?

Uniform certification standards

The CSA calls for the development of EU-wide certification systems that define uniform security standards for IT products, services and processes.

Transparency and trust

The certification systems should be transparent and strengthen the trust of consumers and companies in the security of digital products and services.

Voluntary participation

Participation in the certification systems is generally voluntary, unless specific EU or national legislation makes it mandatory.

Risk-based approach

The certification systems should follow a risk-based approach that takes into account the different security requirements depending on the risk and area of application.