
A Future to Prepare for: EU Cybersecurity Certification

Digitalisation and green energy have been set as the number one priority for the European Union. In the working group session hosted by Knowledge4Innovation on the 30th of June, viewers were consistently reminded of the need to cooperate and disseminate information in order to reach the goals set by the EU. COVID-19 has further reinforced these goals with the need to adapt technologically to new circumstances. During the pandemic, we have innovated and accepted novel technological developments. However, we have also realised how essential it is to continue this progress.

One remarkable comment from Susana Solis, Spanish EU parliamentarian of the REGI Committee, was the expectation of the EU Cybersecurity Act becoming the next EU document equivalent to the General Data Protection Regulation (GDPR). The EU Cybersecurity Act intends to promote trust in the European Single Market as well as tackle the issues of fragmentation in the EU. Companies and start-ups should begin considering how to implement it in their digital products, or at least keep it in mind, just as they did for the GDPR.

As the cybersecurity and technological landscape continues to develop, so does the need for greater protections. The EU Agency for Network Information Security (ENISA) has identified a trend towards more cybersecurity attacks and their increased monetisation. Naturally, with the EU’s focus on digitalisation, IoT devices and AI, companies will have to protect data and devices, making the digital environment safer. As a result, the EU Cybersecurity Act may take centre stage in regulating the digital environment.


The Digital Single Market is currently governed by what is known as the EU Cybersecurity Act, which includes a voluntary certification framework for ICT digital products and their services. This document has been in force since June 2019, and it plays a role in increasing trust and security in the services offered through connecting devices. With respect to the certification, its authority and regulating body only become enforceable in June 2021, particularly Articles 58, 60, 61, 63, 64 and 65.

Prior to the EU-wide certificate, EU Member States had been using certificates that were valid only within their own territory. A unified cybersecurity certificate makes it easier for businesses to trade across borders and to understand the security features of ICT devices from start to end. With one system of certification, there is no need to certify each product in each EU Member State.


The certificate is based on three levels of assurance that would be voluntarily performed by the requesting company. The first would be classified as ‘basic’, in which the ICT product is protected from basic cyber-incidents. This level can be determined through self-assessment. The second classification is titled ‘substantial’, in which more cyber-incidents are prevented, with the ability, in a limited manner, to prevent cyber-attacks. Finally, the third classification is ‘high’, where the ICT product or service can best prevent cyber-incidents. When a company receives the accreditation, the accreditation would be issued for five years with the possibility of renewing.

Additionally, the certificate would include the categories of products and services covered, the cybersecurity requirements, the type of evaluation and the intended level of assurance referred to in the previous paragraph.


Not only does the certification improve trust and facilitate trade between European companies, it also implements security by design. The framework ensures that manufacturers produce ICT products and services incorporating security measures from the early stages of the product. This will help reduce the vulnerability of products to cyber-attacks.

For EU citizens and end users, the certification allows individuals to make more informed choices. Guidance for products and services will be made available on the website of the EU Agency for Cybersecurity.

When new legislation is passed, start-ups and SMEs have more compliance requirements, which at first seems like a barrier. The framework helps reduce those barriers by facilitating the certification process. Certification would be undergone once and would then be applicable across the EU. The ‘basic’ voluntary certification can be conducted by the company itself, to demonstrate the security of its products.


As consumers use more connected devices, greater protections need to be implemented. With the EU Cybersecurity Act, companies are compelled to increase security standards. Additionally, these companies will need to reinvent the design of ICT products and services, to make them safe by design. These changes shall protect final consumers within the European Union market, creating greater trust in the use of these products. Although the certification will be voluntary, having the certification could give the company a competitive advantage. People are increasingly concerned about their personal data and want to ensure the products they use are safe from cyber-attacks.

For more information about the EU Cybersecurity Act, please refer to the official EU documents:

EU Cybersecurity Act 

EU Parliament Briefing

European Commission