The Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Regulation) entered into force on 27 June 2019. The Cybersecurity Regulation introduces for the first time EU-wide rules for the cybersecurity certification of products, processes and services. In addition, the Regulation gives the EU Agency for Cybersecurity (ENISA) a new permanent mandate and allocates more resources to the Agency so that it can fulfil its goals.
Each European scheme should specify the categories of products and services covered, the cybersecurity requirements, the type of evaluation (self-assessment or third-party evaluation), and the intended level of assurance (basic, substantial or high).
The three assurance levels of the certificate are commensurate with the level of risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident. The resulting certificate will be recognised in all Member States, making it easier for businesses to trade across borders and for users to understand the security features of the product or service.
For the time being, certification is voluntary for vendors: they decide themselves whether they would like their product to be certified under the European scheme. However, in accordance with the Cybersecurity Regulation, the European Commission will assess the efficiency and the use of the certificate and then decide whether it should become mandatory EU-wide.