# EU Cybersecurity Act (Regulation EU 2019/881)
The 2019 EU regulation establishing the foundational framework for EU cybersecurity certification — under which EUCC (products), EUCS (cloud services), and other sectoral certification schemes are adopted. Also expanded ENISA into a permanent EU cybersecurity agency. The constitutional layer underneath the entire EU cybersecurity-certification architecture.
## What the EU Cybersecurity Act actually is
The EU Cybersecurity Act (Regulation EU 2019/881, often abbreviated CSA) is the foundational EU regulation establishing the framework for EU cybersecurity certification of ICT products, services, and processes. Adopted in 2019 and in force since June 2019, it does two essential things:
1. **Establishes the EU cybersecurity certification framework** — the legal authority under which specific certification schemes ([EUCC](/en/glossary/eucc/) for products, [EUCS](/en/glossary/eucs/) for cloud services, others to come) are adopted via implementing regulation.
2. **Permanently establishes ENISA** as the EU cybersecurity agency — upgrading from time-limited mandates to permanent EU institutional status with expanded responsibilities including running the certification framework.
Without the EU Cybersecurity Act, none of the EUCC, EUCS, or other sectoral EU cybersecurity certification work would have legal basis. It is the constitutional layer of the entire architecture.
## What the Cybersecurity Act establishes
The regulation creates the operational framework across three pillars.
### Pillar 1: EU cybersecurity certification framework
The CSA defines:
- **Certification schemes** — specific certification programmes adopted via Commission Implementing Regulations under the CSA framework
- **Assurance levels** — basic, substantial, high (with certificates at level high requiring NCCA involvement)
- **Conformity Assessment Bodies (CABs)** — accredited laboratories performing evaluations
- **National Cybersecurity Certification Authorities (NCCAs)** — Member State authorities supervising certification
- **European Cybersecurity Certification Group (ECCG)** — coordination body of Member State authorities
- **Mutual recognition** — EU-wide validity of certifications issued under CSA-based schemes
### Pillar 2: ENISA's expanded mandate
Pre-CSA, ENISA operated under time-limited mandates. The CSA made ENISA's role permanent and expanded its responsibilities:
- **Operational coordination** — central role in EU cybersecurity policy implementation
- **Certification scheme development** — preparing candidate certification schemes for Commission adoption
- **Capacity building** — supporting Member State cybersecurity capability development
- **Cyber crisis management** — coordinating EU-level response to large-scale incidents
- **Standards and policy** — direct engagement in EU cybersecurity policymaking
- **Awareness raising** — educational and outreach activities at EU level
### Pillar 3: Cybersecurity certification adoption process
The CSA establishes a structured process for adopting new certification schemes:
1. **Commission request** — Commission requests ENISA to prepare a candidate scheme
2. **ENISA preparation** — multi-stakeholder consultation, scheme development (typically 18-36 months)
3. **Commission adoption** — Commission adopts via Implementing Regulation
4. **Member State implementation** — NCCAs operationalise the scheme nationally
5. **Continuous evolution** — periodic review and updates
This process is currently operational for EUCC (adopted 2024), EUCS (in progress, contested), and emerging schemes for 5G, AI, and other technology domains.
## Schemes adopted under the EU Cybersecurity Act
As of 2026, the following schemes are at various stages under the CSA framework:
| Scheme | Subject | Status |
|--------|---------|--------|
| **EUCC** | ICT products (Common Criteria-based) | Adopted February 2024 |
| **EUCS** | Cloud services | In process, politically contested |
| **EU 5G Cybersecurity Certification** | 5G networks and components | Preparation phase |
| **EU AI Cybersecurity Certification** | AI systems | Under discussion |
| **EU IoT Certification** | IoT products | Preparation phase |
Each scheme is adopted via Commission Implementing Regulation under the CSA framework. The CSA itself does not specify scheme content — it specifies the framework that schemes operate within.
## Why the Cybersecurity Act matters
### 1. Constitutional layer for EU cybersecurity certification
Without the CSA, EU cybersecurity certification would either not exist at EU level or would operate without a coherent framework. The CSA provides the constitutional structure that makes EUCC and EUCS legally possible.
### 2. ENISA institutional permanence
The CSA's elevation of ENISA from time-limited to permanent agency status is materially significant. ENISA can now make long-term strategic investments, hire permanent specialised staff, and operate as a peer to established EU agencies.
### 3. Mutual recognition mechanism
The CSA's mutual recognition provisions mean that a certification issued under a CSA-based scheme in one Member State has automatic legal validity across the EU. This is operationally significant — pre-CSA, certificates issued under national schemes were not automatically recognised in other Member States.
### 4. Coordination architecture
The ECCG creates a coordination mechanism for Member State cybersecurity certification authorities. This is the equivalent of the European Data Protection Board for cybersecurity certification — and operates similarly.
### 5. Sovereignty foundation
The CSA implicitly enables the sovereignty dimensions of EU cybersecurity certification — including the contested EUCS sovereignty criteria. Without the CSA framework, these debates would not take place at EU level.
## How the Cybersecurity Act affects tech procurement
### For European technology vendors
CSA-based certifications (EUCC, eventual EUCS, sectoral schemes) provide credible procurement signals. Achieving certification opens public-sector and regulated-industry procurement opportunities that uncertified providers cannot access.
### For European public-sector buyers
CSA-based certifications are increasingly mandatory or preferred for sensitive procurement. Several Member States have integrated specific CSA schemes into procurement frameworks.
### For US-headquartered vendors
US vendors can pursue CSA-based certification but face specific challenges:
- **EUCC** is technically achievable (no sovereignty requirement for vendors)
- **EUCS High** sovereignty requirements may exclude US-vendor direct participation
- **Sectoral schemes** vary in sovereignty positioning
For US vendors seeking EU regulated-market access, CSA-based certification is increasingly a strategic prerequisite.
### For procurement teams
CSA-based certification status is an increasingly standard procurement criterion alongside ISO 27001, SOC 2, and country-specific certifications. The CSA framework provides structured, common language for European cybersecurity procurement.
## Cybersecurity Act vs other EU cybersecurity regulation
| Regulation | Subject | Relationship |
|------------|---------|--------------|
| **EU Cybersecurity Act** | Certification framework + ENISA | Foundational |
| **NIS2** | Entity-level cybersecurity obligations | Builds on CSA capability |
| **Cyber Resilience Act** | Product-level cybersecurity requirements | References CSA certifications |
| **Cyber Solidarity Act** | Collective EU cybersecurity response | Coordinated with ENISA (CSA-empowered) |
| **CER Directive** | Critical-entity resilience (non-cyber) | Parallel framework |
| **DORA** | Financial-services operational resilience | Sector-specific |
The CSA is the foundational layer; the other regulations build on it or operate alongside it.
## Cybersecurity Act 2.0 (under discussion 2026)
The European Commission has begun considering an updated EU Cybersecurity Act (informally CSA 2.0) to:
- **Streamline certification adoption** processes
- **Expand ENISA's mandate** further given operational experience
- **Address emerging certification needs** (AI, post-quantum, IoT scale)
- **Strengthen mutual recognition** mechanisms
- **Align with NIS2 implementation** experience
CSA 2.0 is at an early discussion stage as of 2026; the legislative process is unlikely to conclude before 2027-2028.
## Practical implications
- **For European technology vendors**: CSA-based certifications are increasingly procurement-relevant; track scheme availability for your product category
- **For public-sector procurement**: CSA-framework certifications provide structured evaluation criteria
- **For US vendors serving EU markets**: CSA-based certification is increasingly prerequisite for regulated-industry and public-sector procurement
- **For policy and compliance teams**: understand CSA as the constitutional layer beneath sectoral schemes
- **For ENISA engagement**: the CSA gives ENISA the institutional authority that makes its policy work materially significant
The EU Cybersecurity Act is the most consequential single regulation in the EU cybersecurity-certification architecture. Its specific provisions matter less than the framework it establishes — under which the operational cybersecurity-certification ecosystem (EUCC, EUCS, sectoral schemes) actually operates.