The EU Cybersecurity Act: an overview
Increased digitization and connectivity heighten cybersecurity risks, making society as a whole more vulnerable to cyber threats. To mitigate these risks, all necessary actions must be taken to improve cybersecurity at European Union level.
Currently, the cybersecurity certification of ICT products, ICT services and ICT processes is used only to a limited extent. It mostly occurs at Member State level; however, a certificate issued by a national cybersecurity certification authority is not in principle recognized in other Member States. Companies may therefore have to certify their ICT products, ICT services and ICT processes in each Member State where they operate, which significantly increases their costs.
Therefore, it has been necessary to adopt a common approach and to establish a European cybersecurity certification framework. The framework lays down the main horizontal requirements for the European cybersecurity certification schemes to be developed, and allows European cybersecurity certificates and EU statements of conformity for ICT products, ICT services or ICT processes to be recognized and used in all Member States. The European cybersecurity certification framework should have a two-fold purpose: first, it should help increase trust in ICT products, ICT services and ICT processes that have been certified under European cybersecurity certification schemes and, secondly, it should reduce costs for undertakings operating in the digital single market.