Certification according to the EU Cybersecurity Act

One way for a company to strengthen its security and demonstrate compliance with legal and regulatory requirements is certification. A significant milestone for cybersecurity certification in the EU was the adoption of Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (the "EU Cybersecurity Act"), which is the focus of this article.
What is certification?

Cybersecurity certification is a process that verifies whether specific products, services, or processes meet minimum security standards for a given category. The goal is to build trust in these products and services by ensuring their availability, confidentiality, and integrity.

To obtain a certificate, a company must first ensure that its products, services, or processes meet all requirements defined in the certification scheme. This involves implementing the necessary security measures and preparing the required documentation. The company then applies for certification with an accredited certification body, which evaluates compliance with the scheme's criteria. This evaluation may include audits, testing, or other verification methods to assess conformity with the established standard.

Obtaining the certificate is not the end of the process, as companies must continuously monitor and maintain security measures to ensure ongoing compliance with certification requirements.

What was before the EU Cybersecurity Act?

Before the EU Cybersecurity Act, some EU Member States already operated their own certification schemes. However, cybersecurity certification was limited to specific industries, and some Member States lacked certification authorities altogether because of the high cost of building and accrediting testing laboratories.

The absence of a unified regulatory framework providing consistent rules and security levels across the EU was particularly challenging for businesses offering products or services in several Member States. They often had to undergo certification separately in each country, because a certificate issued in one Member State was not automatically recognized in the others. This led to significant financial and administrative burdens. A mutual recognition agreement did exist, the SOG-IS MRA (Senior Officials Group Information Systems Security Mutual Recognition Agreement), but it covered only a subset of EU Member States and only Common Criteria and ITSEC evaluations.

Certification according to the EU Cybersecurity Act

This changed with the EU Cybersecurity Act, which entered into force on 27 June 2019; its certification-framework provisions apply from 28 June 2021. The regulation establishes a European framework for the cybersecurity certification of ICT products, services, and processes and sets out the rules and principles for developing certification schemes. Under this framework, certification schemes are prepared by ENISA and adopted by the European Commission as implementing acts, and certificates issued under an adopted scheme are recognized across the EU.

Each certification scheme specifies the technical and organizational requirements needed to achieve certification in a specific cybersecurity area, including the evaluation methods and the assurance level or levels ('basic', 'substantial', or 'high') at which a certificate can be issued.

Accredited conformity assessment bodies in each Member State issue these certificates; for the 'high' assurance level, the certificate is issued by the national cybersecurity certification authority or by a conformity assessment body it has specifically authorized.

A certificate is valid across all EU Member States, so a company needs to obtain certification for a product or service only once. Certification under the Act is voluntary unless Union or national law makes it mandatory for a particular product or service, but it is an effective way to demonstrate a high level of ICT product and process security and regulatory compliance.

Timeline of the EU Cybersecurity Act adoption

13 September 2017: Proposal for the EU Cybersecurity Act introduced.
7 June 2019: Act published in the EU Official Journal.
27 June 2019: EU Cybersecurity Act enters into force.
27 February 2025: First implementing regulation (EUCC) for European cybersecurity certification schemes becomes applicable.
Current certification schemes
Since the EU Cybersecurity Act came into force, the European Commission has adopted the first certification scheme under the framework, and further schemes are being prepared by ENISA:

EUCC (European Common Criteria-based Certification Scheme)

Based on the international Common Criteria standard (ISO/IEC 15408), this scheme certifies ICT products (hardware and software) at the 'substantial' and 'high' assurance levels. It is the first scheme adopted by the Commission (Implementing Regulation (EU) 2024/482) and replaces the national Common Criteria certifications previously recognized under SOG-IS. Certificates are valid for up to five years and can be renewed.

EUCS (European Cybersecurity Certification Scheme for Cloud Services)

A candidate scheme prepared by ENISA for certifying various types of cloud services; it has not yet been adopted by the Commission.

EU5G

A candidate scheme for 5G networks, requested by the Commission, that is intended to set security requirements for 5G infrastructure and services.

Certification for managed security services

The Act was amended in 2025 (Regulation (EU) 2025/37) to allow certification schemes for managed security services, such as incident handling, penetration testing, security audits, and security consulting. A scheme for these services is in preparation.

In the coming years, additional certification schemes are expected to be adopted, and certificates issued under them will be recognized across all EU Member States. Apart from the schemes under the EU Cybersecurity Act, companies can also pursue other globally recognized certifications, such as ISO/IEC 27001 (information security management systems), ISO 9001 (quality management systems), or Common Criteria certification under the international CCRA.

Get ready

We can help you to prepare your company for the new legislative requirements.
