October 6, 2025

EU Cybersecurity Act


Introduction

Cybersecurity is no longer an afterthought—it’s infrastructure. From connected devices (IoT) to cloud services and critical infrastructure, the EU aims to unify and heighten the baseline of cybersecurity across the bloc. The EU Cybersecurity Act (Regulation (EU) 2019/881) is central to this goal: it strengthens the role of the EU Agency for Cybersecurity (ENISA) and establishes a framework for EU-wide cybersecurity certification.

In 2025, the Cybersecurity Act is evolving: a targeted amendment adopted on 15 January 2025 expands the scope to include Managed Security Services (MSS) certification schemes. Meanwhile, the European Commission is consulting on further reforms to simplify certification and reporting obligations.

What Is the EU Cybersecurity Act?

Origins & Purpose

The EU Cybersecurity Act (CSA) was adopted in 2019 and came into force on 27 June 2019. Its two core objectives:

  1. Strengthen ENISA (the EU agency for cybersecurity) by giving it permanent status and resources.
  2. Create a European Cybersecurity Certification Framework (ECCF)—to develop common certification schemes for ICT products, services, and processes across the EU.

Before the Act, cybersecurity certification was fragmented across member states. The CSA seeks interoperability and trust across borders, making it easier for organizations and consumers to evaluate the security of ICT products and services.

Key Features & Structure

  • Voluntary and mandatory certification schemes
    Under the CSA, the EU can designate certain schemes as mandatory for high-risk product categories, while others remain voluntary.
  • Role of ENISA
    ENISA is tasked with assisting in the development of certification schemes, assessing conformity, providing technical expertise, and maintaining the European cybersecurity certification framework.
  • Certification scope
    Certification under the CSA can cover ICT products, ICT services, and ICT processes. For example, a cloud service or a security audit process could be certified under an appropriate scheme.

However, until recently, certification schemes under the CSA were mostly about products or components—not managed security services. That’s changing.


2025 Updates & Key Developments

Amendment Adding Managed Security Services

On 15 January 2025, a targeted amendment to the Cybersecurity Act was adopted. This amendment enables the creation of certification schemes for Managed Security Services (MSS)—such as incident response, penetration testing, security audits, and consultancy.

This is a big step: many organizations outsource security tasks to MSS providers. Under the amendment, MSS providers will be able (or in some cases required) to be certified under the EU scheme, raising the bar for service quality and trust.

ENISA has already launched a call for expression of interest to participate in the working group that will draft the candidate certification scheme for MSS.

Under this change, organizations that hire MSS providers should look for certified providers—or pressure them to obtain certification once the scheme is operational.

Ongoing Review & Consultation

The European Commission is conducting a public consultation (until 20 June 2025) to review the implementation of the Cybersecurity Act and propose legislative updates, especially around simplification and incident reporting.

Key issues under debate include:

  • Whether certification obligations should be mandatory or stay voluntary
  • How to simplify and harmonize incident reporting under multiple cyber laws
  • How to reduce overlap between certifications, NIS2 compliance, and national rules

By late 2025 or early 2026, we may see a new proposal to amend the CSA more fundamentally.


How the Cybersecurity Act Connects to Other EU Cyber Rules

The Cybersecurity Act doesn’t stand alone. It integrates into a broader landscape of EU cyber policy:

NIS2 Directive

NIS2 (Directive (EU) 2022/2555), which came into force in 2023, imposes mandatory cybersecurity and incident reporting obligations on essential and important entities across sectors.

Under NIS2, member states may require entities to use certified ICT products, services, or processes under CSA schemes to demonstrate compliance.

Put simply: NIS2 sets obligations; the CSA provides tools (certification) to meet those obligations.

Cyber Resilience Act (CRA)

The Cyber Resilience Act, adopted in 2024, focuses on hardware and software products (products with “digital elements”) placed on the EU market. It imposes mandatory cybersecurity requirements for such products.

While CRA is about product security, CSA is about certification and oversight of products, services, and processes. The two will increasingly complement each other.

Cyber Solidarity Act & Crisis Frameworks

Another regulation is the Cyber Solidarity Act (CSoA), which aims to coordinate EU-wide responses to cyber crises (shared detection, response, infrastructure resilience). CSA certification and trust frameworks support reliability and shared capabilities.

Industry Calls & Certification Strategy

Industry groups are pushing the Commission to adopt draft cybersecurity certification schemes—particularly EUCS (European Cybersecurity Certification Scheme) for cloud services—arguing it should be quickly adopted under the CSA framework.

The concern: if certification leans too favorably toward large incumbents (Amazon, Microsoft), it may create barriers for smaller providers.


Benefits, Challenges & Risks

Benefits

  • Greater trust & interoperability across member states: a certification label gives confidence to customers and regulators.
  • Clear benchmark: standardized requirements across the EU reduce fragmentation.
  • Competitive advantage: certified products or services may have market preference, especially in public procurement.
  • Vendor accountability: buyers can demand certification from service providers (especially MSS providers).

Challenges & Risks

  • Voluntary vs mandatory tension: if most certifications stay voluntary, uptake may remain low unless mandates are introduced.
  • Complexity & cost: obtaining certification can be technically expensive, especially for SMEs.
  • Overlapping requirements: navigating CSA, NIS2, CRA, national laws can be confusing.
  • Regulatory uncertainty: because certifications and amendments are still in development, entities may hesitate to invest.
  • Mismatch with fast tech change: certification schemes may lag behind new threats or technologies.



What Organizations Should Do Now (2025 Checklist)

If you operate in the EU or with EU clients, here’s a roadmap to prepare under the CSA:

  1. Map your ICT products, services, and processes
    Identify which offerings may fall under CSA certification (or MSS schemes in development).
  2. Monitor MSS certification rollout
    When the MSS scheme is published, evaluate your security service providers for readiness.
  3. Engage in public consultations
    Participate in the CSA revision consultation, and comment on the simplification and reporting regimes under discussion.
  4. Adopt good security practices now
    Even before certification, align with recognized standards (ISO 27001, ETSI, ENISA guidelines) to ease the path to certification.
  5. Use certified components
    Where available, prefer software, hardware, and services that are already certified under CSA schemes to reduce your own certification burden.
  6. Plan for audit readiness and documentation
    Certification processes will demand strong documentation, traceability, security testing, and accountability.
  7. Collaborate with partners and vendors
    Encourage or require your supply chain to adopt certification where relevant to prevent weak links.
  8. Watch national transpositions and incentives
    Some member states may require or encourage certification (e.g. in public procurement). Be aware of national rules.

What to Expect Ahead

  • Adoption of MSS certification: 2025 and 2026 will see the development of MSS schemes, and providers will begin applying for certification.
  • CSA amendment: following the consultation, the Commission may propose changes (e.g. streamlining, harmonized certification, tighter mandates).
  • Mandatory certification categories: over time, the EU may make certification under the CSA mandatory for certain high-risk products, critical infrastructure services, or MSS functions.
  • Increased enforcement & uptake: certification may gain traction in regulated sectors and public sector procurement.
  • Harmonization across EU legislation: closer alignment between the CSA, NIS2, CRA, DORA, CSoA and national laws is likely to develop over time.

Conclusion

The EU Cybersecurity Act is evolving from a framework law toward a central pillar of Europe’s cyber assurance infrastructure. With managed security service certification now in scope and proposals underway to refine reporting and obligations, 2025 is a turning point.

For organizations in or serving the EU: don’t wait for mandates. Map your products and services, align with good security practices, engage in the certification process, and partner with compliant vendors. Certification under CSA will increasingly become a signal of credibility, trust, and compliance—and early movers will benefit.

Adv. Viraj Patil Co-Founder & Senior Partner of ParthaSaarathi Disputes Resolution LLP is a Gold Medalist in Law LLB (2008) & Master in Laws LLM specializing in Human Rights & International Laws from National Law School of India University (NLSIU) Bangalore, India’s Premiere Legal Institution.