The Cybersecurity Act (EU Regulation 2019/881) was adopted on 17 April 2019 and entered into force on 27 June 2019. It strengthens ENISA's role with a permanent mandate and establishes a European cybersecurity certification framework for information and communication technology products, services and processes.
Faced with the rise in cyberthreats and the lack of harmonisation in the field of certification, the EU has adopted this regulation to strengthen digital confidence, support the internal market and guarantee a common level of cybersecurity in all Member States.
| THE PILLARS | WHAT IMPACT? |
|---|---|
| Strengthening the role of ENISA | The European Union Agency for Cyber Security has been given a permanent mandate. At the heart of cyber issues, the agency provides support for cyber security policies and coordination between Member States. ENISA also organises incident response exercises and manages European certification schemes. |
| European Cybersecurity Certification Framework | This framework aims to create common reference frameworks for assessing the security of IT products, services and processes. The schemes have different levels of assurance - basic, substantial and high. At this stage, the scheme is voluntary for companies. |
| Focus EUCS | The project for a certification scheme for cloud services launched in 2020 has been the subject of heated debate, with the result that it has not yet been adopted. EUCS aims to create a common cybersecurity framework for cloud services with different levels of assurance. France has defended the introduction of immunity criteria to guarantee a secure environment for the most sensitive and strategic data within the EU. |
"In order to compete with the world's major powers, particularly the United States and China, the Member States of the European Union have every interest in pooling their cybersecurity skills and strengthening their cooperation. This text is part of this dynamic, providing in particular for the strengthening of ENISA's prerogatives, the promotion of Europe-wide certification schemes and the consolidation of synergies between Member States".
Public consultations on this new text ended on 20 June 2025. The Directorate-General for Communication Networks, Content and Technologies is currently analysing the feedback from these consultations and finalising its technical proposals before sending them to Parliament.