As vendors flood the market with new digital products and services, it is increasingly difficult for consumers to discern which solutions are the most secure. Cybersecurity certifications help to address this issue by providing visible and concrete assurance to consumers that solutions meet key cybersecurity benchmarks. 

To drive harmonization of these cybersecurity certifications across the continent, the European Union (EU) adopted the Cybersecurity Act (CSA) in June 2019. The CSA provided the European Union Agency for Cybersecurity (ENISA) with the mandate to create and maintain the European Cybersecurity Certification Framework (ECCF), which could be used to create EU-wide certification schemes for ICT products and services. Once these certification schemes gain prominence, they can enable vendors and service providers to reach more customers and establish a stronger foundation of trust for those customers. 

The first scheme to be developed using the ECCF is the EU Cybersecurity Certification Scheme on Common Criteria (EUCC), which became available to vendors on 27 February 2025. The EUCC is voluntary - like all ECCF certification schemes - and focuses on certifying the cybersecurity of several ICT products including biometric systems, firewalls, detection and response platforms, routers, switches, specialised software (e.g., SIEM and IDS/IDP systems), data diodes, operating systems, encrypted storage, databases and smart cards. 

To discuss the future of European Cybersecurity Certifications, the Cybersecurity Coalition and Cyber Threat Alliance will gather in Brussels for the second annual CyberNext BRU conference on 5 March at the Stanhope Hotel. The event offers a range of sessions addressing today’s most pressing cybersecurity challenges, including a panel entitled “The Future of the Cybersecurity Act & EU Certifications.”

During the session, panelists will discuss the December 2024 targeted amendments to the CSA, which enable ENISA to adopt European certification schemes for “managed security services,” for example, incident handling, penetration testing, security audits and consulting related to technical support. 

Panelists will also deliberate the use of European certification schemes in the context of the NIS 2 Directive implementation. While the schemes are voluntary for ICT vendors to adopt, the European Commission’s October 2024 NIS 2 Implementing Regulation requires “essential” and “important” entities – i.e., critical infrastructure owners and operators – to use ICT products and services that “achieve certain cybersecurity protection.” The Regulation suggests that these covered entities use European Cybersecurity Certificates to fulfil this requirement. 

Luke O'Grady
