The EU regulation establishing ENISA's permanent mandate and the European cybersecurity certification framework for ICT products, services, and processes.
The EU Cybersecurity Act (Regulation 2019/881) strengthens the role of ENISA as the European Union Agency for Cybersecurity and creates a comprehensive, pan-European cybersecurity certification framework. The regulation provides a structured approach to evaluating the security of ICT products, services, and processes across the single market.
The EUCC (European Common Criteria-based cybersecurity certification scheme) is the first scheme adopted under the framework. It is built on the Common Criteria (ISO/IEC 15408) and its evaluation methodology (ISO/IEC 18045) and applies to ICT products only, not to services or processes. For PKI, this means CA software and hardware security modules (HSMs) can be certified under a single EU-wide scheme. Certification remains voluntary unless Union or national law requires it, but in high-assurance environments, and for trust services that depend on evaluated components, it is becoming a tangible procurement expectation.
Organizations can demonstrate their security posture through certified infrastructure, gaining a competitive advantage in procurement processes and building trust with partners and customers across the EU. The framework also supports sector-specific schemes for cloud, 5G, and other critical technologies.
ENISA prepares candidate certification schemes at the Commission's request and maintains them once the Commission adopts them by implementing act, ensuring consistent security evaluation across member states.
The European Common Criteria-based certification scheme evaluates ICT products, including CA software and HSMs, against the internationally recognized Common Criteria (ISO/IEC 15408) and its evaluation methodology (ISO/IEC 18045).
Three assurance levels — basic, substantial, and high — define the depth of evaluation required, according to the risk associated with the intended use of the ICT product. A scheme need not offer all three: EUCC, for example, issues certificates only at substantial and high, mapped to Common Criteria vulnerability-analysis (AVA_VAN) levels.
For the basic assurance level, and only where the scheme provides for it, manufacturers of low-risk products may issue an EU statement of conformity based on self-assessment instead of obtaining a certificate. This reduces cost, but the manufacturer remains fully responsible for the conformity claims it makes.
Each member state designates national cybersecurity certification authorities responsible for supervising and enforcing certification schemes within their jurisdiction.
Cybersecurity certificates issued under EU schemes are recognized in all member states, eliminating the need for repeated certifications and facilitating cross-border trade.
The European Commission proposes the Cybersecurity Act in September 2017 to strengthen ENISA and establish an EU-wide cybersecurity certification framework.
Regulation (EU) 2019/881 enters into force on 27 June 2019, granting ENISA a permanent mandate and laying the groundwork for certification schemes.
ENISA assumes its expanded, permanent role as the EU Agency for Cybersecurity with enhanced operational capacity.
The European Common Criteria-based cybersecurity certification scheme (EUCC) is formally adopted for ICT products by Commission Implementing Regulation (EU) 2024/482 on 31 January 2024 and applies from 27 February 2025.
Sector-specific candidate schemes for cloud services (EUCS), 5G networks (EU5G), and other critical technologies are under development; none has yet been adopted.
The EU Cybersecurity Act has significant implications for PKI infrastructure, particularly through the EUCC certification scheme. Organizations relying on digital certificates must consider the following areas:
Certificate Authority software and hardware security modules can be certified under the EUCC scheme, providing formal assurance of their security properties for high-trust environments.
Organizations in critical sectors increasingly require certified PKI components to meet procurement standards and demonstrate security posture to regulators and partners.
Maintaining a product's certified status is distinct from managing X.509 certificates. A certified product must be operated in its evaluated configuration, its EUCC certificate has a bounded validity period, and the certificate holder must handle and disclose vulnerabilities affecting the certified product; patches and configuration changes may trigger reassessment. Day-to-day certificate lifecycle management (tracking validity, timely renewal, continuous documentation) remains necessary evidence of operational control, but it does not by itself keep a product certified.
PKI-based trust services must align their infrastructure with EU certification expectations, ensuring that underlying components meet the required assurance levels.
ANSSI-certified PKI aligned with EUCC — Stream's ANSSI-certified PKI infrastructure aligns with EUCC expectations, providing a foundation of formally evaluated security for your trust services.
Certification status tracking — Horizon tracks the certification status of all PKI components across your infrastructure, ensuring you maintain visibility over your certified assets.
Policy enforcement for certified configurations — Enforce certificate policies that ensure only approved algorithms, key sizes, and configurations matching the evaluated configuration of your certified components are used across your infrastructure.
Audit trails for certification maintenance — Generate comprehensive audit trails and compliance reports that support ongoing certification assessments and renewals.