Introduction
Cybersecurity is no longer an afterthought—it’s infrastructure. From connected devices (IoT) to cloud services and critical infrastructure, the EU aims to unify and heighten the baseline of cybersecurity across the bloc. The EU Cybersecurity Act (Regulation (EU) 2019/881) is central to this goal: it strengthens the role of the EU Agency for Cybersecurity (ENISA) and establishes a framework for EU-wide cybersecurity certification.
In 2025, the Cybersecurity Act is evolving: a targeted amendment adopted on 15 January 2025 expands the scope to include Managed Security Services (MSS) certification schemes. Meanwhile, the European Commission is consulting on further reforms to simplify certification and reporting obligations.
What Is the EU Cybersecurity Act?
Origins & Purpose
The EU Cybersecurity Act (CSA) was adopted in 2019 and came into force on 27 June 2019. Its two core objectives:
- Strengthen ENISA (the EU agency for cybersecurity) by giving it permanent status and resources.
- Create a European Cybersecurity Certification Framework (ECCF)—to develop common certification schemes for ICT products, services, and processes across the EU.
Before the Act, cybersecurity certification was fragmented across member states. The CSA seeks interoperability and trust across borders, making it easier for organizations and consumers to evaluate the security of ICT products and services.
Key Features & Structure
- Voluntary and mandatory certification schemes: Under the CSA, the EU can designate certain schemes as mandatory for high-risk product categories, while others remain voluntary.
- Role of ENISA: ENISA is tasked with assisting in the development of certification schemes, assessing conformity, providing technical expertise, and maintaining the European cybersecurity certification framework.
- Certification scope: Certification under the CSA can cover ICT products, ICT services, and ICT processes. For example, a cloud service or a security audit process could be certified under an appropriate scheme.
However, until recently, certification schemes under the CSA were mostly about products or components, not managed security services. That is changing.
2025 Updates & Key Developments
Amendment Adding Managed Security Services
On 15 January 2025, a targeted amendment to the Cybersecurity Act was adopted. This amendment enables the creation of certification schemes for Managed Security Services (MSS)—such as incident response, penetration testing, security audits, and consultancy.
This is a big step: many organizations outsource security tasks to MSS providers. Under the amendment, MSS providers will be able to be certified under the EU scheme (and in some cases required to be), raising the bar for service quality and trust.
ENISA has already launched a call for expression of interest to participate in the working group that will draft the candidate certification scheme for MSS.
Under this change, organizations that hire MSS providers should look for certified providers—or pressure them to obtain certification once the scheme is operational.
Ongoing Review & Consultation
The European Commission is conducting a public consultation (until 20 June 2025) to review the implementation of the Cybersecurity Act and propose legislative updates, especially around simplification and incident reporting.
Key issues under debate include:
- Whether certification obligations should be mandatory or stay voluntary
- How to simplify and harmonize incident reporting under multiple cyber laws
- How to reduce overlap between certifications, NIS2 compliance, and national rules
By late 2025 or early 2026, we may see a new proposal to amend the CSA more fundamentally.
How the Cybersecurity Act Connects to Other EU Cyber Rules
The Cybersecurity Act doesn’t stand alone. It integrates into a broader landscape of EU cyber policy:
NIS2 Directive
NIS2 (Directive (EU) 2022/2555), which came into force in 2023, imposes mandatory cybersecurity and incident reporting obligations on essential and important entities across sectors.
Under NIS2, member states may require entities to use certified ICT products, services, or processes under CSA schemes to demonstrate compliance.
Put simply: NIS2 sets obligations; the CSA provides tools (certification) to meet those obligations.
Cyber Resilience Act (CRA)
The Cyber Resilience Act, adopted in 2024, focuses on hardware and software products (products with “digital elements”) placed on the EU market. It imposes mandatory cybersecurity requirements for such products.
While CRA is about product security, CSA is about certification and oversight of products, services, and processes. The two will increasingly complement each other.
Cyber Solidarity Act & Crisis Frameworks
Another regulation is the Cyber Solidarity Act (CSoA), which aims to coordinate EU-wide responses to cyber crises (shared detection, response, infrastructure resilience). CSA certification and trust frameworks support reliability and shared capabilities.
Industry Calls & Certification Strategy
Industry groups are pressing the Commission to adopt the draft cybersecurity certification schemes, particularly EUCS (the European Cybersecurity Certification Scheme for cloud services), arguing that it should be adopted quickly under the CSA framework.
The concern: if certification leans too favorably toward large incumbents (Amazon, Microsoft), it may create barriers for smaller providers.
Benefits, Challenges & Risks
Benefits
- Greater trust & interoperability across member states: a certification label gives confidence to customers and regulators.
- Clear benchmark: standardized requirements across the EU reduce fragmentation.
- Competitive advantage: certified products or services may have market preference, especially in public procurement.
- Vendor accountability: buyers can demand certification from service providers (especially MSS providers).
Challenges & Risks
- Voluntary vs mandatory tension: if most certifications stay voluntary, uptake may remain low unless mandates are introduced.
- Complexity & cost: obtaining certification can be complex and costly, especially for SMEs.
- Overlapping requirements: navigating CSA, NIS2, CRA, national laws can be confusing.
- Regulatory uncertainty: because certifications and amendments are still in development, entities may hesitate to invest.
- Mismatch with fast tech change: certification schemes may lag behind new threats or technologies.
What Organizations Should Do Now (2025 Checklist)
If you operate in the EU or with EU clients, here’s a roadmap to prepare under the CSA:
- Map your ICT products, services, and processes: Identify which offerings may fall under CSA certification (or the MSS schemes in development).
- Monitor the MSS certification rollout: When the MSS scheme is published, evaluate your security service providers for readiness.
- Engage in public consultations: Participate in the CSA revision consultation and comment on the simplification and reporting regimes.
- Adopt good security practices now: Even before certification, align with recognized standards (ISO 27001, ETSI, ENISA guidelines) to ease the path to certification.
- Use certified components: Where available, prefer software, hardware, and services already certified under CSA schemes to reduce your burden.
- Plan for audit readiness and documentation: Certification processes will demand strong documentation, traceability, security testing, and accountability.
- Collaborate with partners and vendors: Encourage or require your supply chain to adopt certification where relevant, to prevent weak links.
- Watch national transpositions and incentives: Some member states may require or encourage certification (e.g. in public procurement). Be aware of national rules.
What to Expect Ahead
- Adoption of MSS certification: 2025 and 2026 will see development of MSS schemes; providers will begin applying.
- CSA amendment: following the consultation, the Commission may propose changes (e.g. streamlining, harmonized certification, tighter mandates).
- Mandatory certification categories: over time, the EU may declare that certain high-risk products, critical infrastructure services, or MSS functions require mandatory certification under the CSA.
- Increased enforcement & uptake: certification may gain traction in regulated sectors and public sector procurement.
- Harmonization across EU legislation: alignment between the CSA, NIS2, CRA, DORA, CSoA and national laws is expected to improve over time.
Conclusion
The EU Cybersecurity Act is evolving from a framework law toward a central pillar of Europe’s cyber assurance infrastructure. With managed security service certification now in scope and proposals underway to refine reporting and obligations, 2025 is a turning point.
For organizations in or serving the EU: don’t wait for mandates. Map your products and services, align with good security practices, engage in the certification process, and partner with compliant vendors. Certification under CSA will increasingly become a signal of credibility, trust, and compliance—and early movers will benefit.