The European Commission puts forward the creation of a EU certification framework for ICT security products in its 2017 proposal for a regulation.

On 13 September 2017 the Commission issued a proposal for a regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act'').

Certification plays a critical role in increasing trust and security in products and services that are crucial for the digital single market. At the moment, a number of different security certification schemes for ICT products exist in the EU. Without a common framework for EU-wide valid cybersecurity certificates, there is an increasing risk of fragmentation and barriers in the single market.

The proposed certification framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. This will be based on agreement at EU level for the evaluation of the security properties of a specific ICT-based product or service e.g. smart cards.

The certification will attest that ICT products and services that have been certified in accordance with such a scheme comply with specified cybersecurity requirements. The resulting certificate will be recognized in all Member States, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service.

The schemes proposed in the future European framework will rely as much as possible on international standards as a way to avoid creating trade barriers and ensuring coherence with international initiatives.

Please read the Questions & Answers document.