Cybersecurity Act (EU)

24 April 2026

TL;DR

The EU Cybersecurity Act (“CSA”) gives the European Union Agency for Cybersecurity (ENISA) a permanent mandate and creates a Union-wide framework for voluntary cybersecurity certification of ICT products, ICT services, ICT processes and (since the 2025 amendment) managed security services.

The framework addresses ENISA, the EU Member States, national accreditation bodies and conformity assessment bodies. Its practical reach extends to any organization that develops, delivers or operates ICT products, services, processes or managed security services for the EU market, because customers, regulators and public buyers increasingly treat certification under the framework as credible evidence of cybersecurity assurance.

Software product teams that sell to regulated customers in the EU should assess whether certification under one of the European schemes supports their compliance strategy under NIS2, the Cyber Resilience Act and DORA (notably for cloud services and 5G). A proposed revision of the Cybersecurity Act published in January 2026 would further raise the value of certification and introduce supply-chain security measures with significant financial penalties.

To whom does it apply?

Who does the EU Cybersecurity Act apply to?

The Cybersecurity Act imposes obligations on several categories of parties:

  • the European Union Agency for Cybersecurity (ENISA), which has a permanent mandate to support cybersecurity capacity-building, operational cooperation, standardization, certification scheme development and awareness-raising across the Union.
  • Member States, which must designate one or more national cybersecurity certification authorities (NCCAs), facilitate the accreditation and notification of conformity assessment bodies, and adopt national rules on penalties.
  • National accreditation bodies and conformity assessment bodies (CABs), which assess whether ICT products, services, processes or managed security services meet the requirements of a European cybersecurity certification scheme.
  • Manufacturers and providers of ICT products, ICT services, ICT processes and (following the 2025 amendment) managed security services, including non-EU suppliers that seek European cybersecurity certification for the EU market.

ICT vendors, software product teams, managed service providers and their customers are not directly addressed but are affected indirectly. European cybersecurity certification is currently voluntary, but it creates a presumption of conformity under other EU acts (notably the Cyber Resilience Act) and influences procurement and contracting requirements in sectors within the scope of NIS2, DORA and related laws. In practice, certification is increasingly a market-access and assurance condition rather than a quality mark.

What is required?

What are the most important obligations for organizations under the EU Cybersecurity Act?

The Cybersecurity Act creates a framework rather than a single set of substantive obligations. The obligations that apply depend on the role of an organization in this framework:

  • ENISA must execute its Union-level tasks, including supporting the Commission and Member States on policy and legal development, coordinating operational cooperation at Union level (in cooperation with CERT-EU), preparing candidate certification schemes at the Commission’s request, and organizing biennial Union-level cybersecurity exercises.
  • Member States must designate and resource NCCAs with powers to supervise the certification framework, authorize and monitor CABs, handle complaints and appeals, and enforce penalties. National penalties must be effective, proportionate and dissuasive.
  • CABs must be accredited by the national accreditation body and notified to the Commission. They must issue European cybersecurity certificates only for products, services, processes or managed security services that fall within their accreditation scope and comply with the requirements of the applicable certification scheme.
  • Holders of European cybersecurity certificates or EU statements of conformity must comply with the obligations set out in the applicable scheme. These include for example handling newly discovered vulnerabilities, maintaining the conditions on which the certificate was issued, and notifying non-conformities.

How is compliance supervised?

How is compliance with the EU Cybersecurity Act supervised and enforced?

The EU Cybersecurity Act is a Regulation and directly applicable. It does not need to be transposed by Member States. Member States had to designate one or more national cybersecurity certification authorities (NCCAs) by 28 June 2021.

NCCAs supervise compliance with the certification framework in their territory, monitor the CABs operating there, investigate complaints, and can suspend or withdraw certificates where products or services no longer meet scheme requirements.

The European Cybersecurity Certification Group (ECCG), composed of NCCA representatives, advises the European Commission on the development and implementation of the framework. ENISA supports the system technically and publishes public information on European cybersecurity certification schemes.

Assurance under specific schemes depends on independent evaluation. The EUCC scheme (Commission Implementing Regulation (EU) 2024/482) requires third-party assessment by an accredited evaluation facility; conformity self-assessment is not permitted under EUCC. Certification bodies issue certificates at either the “substantial” or the “high” assurance level based on the depth of evaluation performed against the Common Criteria.

ENISA, the Commission and the Member States monitor the functioning of schemes and can amend them where practice, the threat landscape or standards require it.

What are the risks?

What are the consequences of (non)compliance with the EU Cybersecurity Act?

Although European cybersecurity certification under the Cybersecurity Act is currently voluntary, the framework already has commercial and legal consequences for software vendors and their customers. These consequences are expected to intensify if the proposed 2026 revision is adopted.

License to operate: Market access for ICT products, services and managed security services increasingly depends on demonstrable cybersecurity assurance. Customers in regulated sectors and public procurement bodies in several Member States increasingly ask for European cybersecurity certification or credible equivalents. Organizations without a coherent certification or assurance strategy risk longer sales cycles and even exclusion from tenders or critical contracts.

Financial valuation: Credible cybersecurity assurance materially affects deal cycles, insurance underwriting, supplier due diligence and acquisition valuations. As certifications shift from a quality label toward a core compliance and risk-management tool, their absence acts as a drag on financial valuation in sensitive market segments.

Compliance overhead: European cybersecurity certification imposes real costs. Third-party evaluation under EUCC requires substantial documentation, engagement with an accredited evaluation facility, and ongoing commitments to vulnerability handling and monitoring across the product lifecycle. A compliance-by-design approach reduces but does not eliminate this overhead: the earlier a product team aligns its security engineering, documentation and evidence base with the applicable scheme, the lower the cost of initial certification and subsequent re-certification.

Investigations: NCCAs can open inquiries into certificate holders, CABs and the operation of schemes. Investigations may interfere with the normal course of business and require significant staff capacity to respond adequately. Where a certificate is found to have been issued or maintained improperly, suspension or withdrawal can follow.

Fines/penalties: Member States determine national penalties for breach of the Cybersecurity Act and of scheme-specific obligations. Penalties vary by jurisdiction. In Germany, for example, administrative fines of up to €500,000 are available against EUCC certificate holders that fail to report detected vulnerabilities. The proposed 2026 revision contemplates fines of up to 7% of worldwide annual turnover for breaches of new ICT supply-chain security measures, representing a significant escalation if adopted in the current form.

Liabilities: Misrepresentations about certification status, assurance level or scope can trigger regulatory measures (including suspension or withdrawal of certificates) and private-law claims (misrepresentation, breach of contract, unfair commercial practices). Certification does not eliminate ordinary product liability, and product teams remain responsible for cybersecurity risk management regardless of assurance claims.

Technical details


Informal name: EU Cybersecurity Act / CSA

Formal name: Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)

Jurisdiction: The regulation applies directly across the European Union and does not require transposition into national law. It has practical extraterritorial effects where non-EU manufacturers or service providers seek European cybersecurity certification for the EU market. It does not affect Member States’ responsibilities for public security, defence, national security or criminal law.

Adoption date (latest amendment): 19 December 2024 (Regulation (EU) 2025/37, amending the Cybersecurity Act as regards managed security services)

Publication date (latest amendment): 15 January 2025 (official publication)

Applicability date(s):

  • 27 June 2019: Regulation (EU) 2019/881 applies across the European Union.
  • 28 June 2021: Articles on designation of national cybersecurity certification authorities, accreditation and notification of conformity assessment bodies, complaints, judicial remedy and penalties apply.
  • 4 February 2025: Regulation (EU) 2025/37 (managed security services amendment) enters into force.
  • 27 February 2025: The EUCC scheme under Commission Implementing Regulation (EU) 2024/482 becomes fully operational; national cybersecurity certification schemes covering matters within the EUCC scope cease to produce effects within twelve months of the scheme’s entry into force.

Enforcement date: The Cybersecurity Act entered into force on 27 June 2019. National penalty regimes under Article 65 have applied since 28 June 2021. A proposal for a revised Cybersecurity Act (COM(2026) 11) was published on 20 January 2026 as part of the Commission’s broader cybersecurity package. The proposal is undergoing trilogue negotiations, with political agreement targeted for 2027.