Guide to the CSA — EU-wide cybersecurity certification for ICT products, services, and processes.
The EU Cybersecurity Act (Regulation (EU) 2019/881) has two main pillars. First, it grants ENISA (the EU Agency for Cybersecurity) a permanent mandate and strengthened role. Second, it establishes a European cybersecurity certification framework for ICT products, services, and processes at three assurance levels: basic, substantial, and high. This framework enables EU-wide certification schemes, replacing fragmented national schemes. While certification is generally voluntary, other EU legislation (such as the CRA) can make specific schemes mandatory.
Manufacturers of ICT products seeking EU cybersecurity certification, conformity assessment bodies, national cybersecurity certification authorities, and trust service providers.
Article 1
Article 3
Article 4
Article 46
Article 49
Article 52
Article 54
Article 56
Article 58
Article 65
Applied since
27 Jun 2019: CSA became applicable across all EU Member States.
Determined by Member States. Certification bodies face accreditation withdrawal for non-compliance.
The CSA creates a pan-European certification scheme for ICT products, services, and processes.
Law4Devs provides the full CSA as structured JSON. Query by assurance level, entity type, or certification topic. Cross-reference with the CRA and NIS2.
GET /v1/frameworks/csa/articles → 200 OK · structured JSON · official EUR-Lex source
The EU Cybersecurity Act (Regulation (EU) 2019/881) has two main pillars. First, it grants ENISA (the EU Agency for Cybersecurity) a permanent mandate and a strengthened role in supporting Member States, EU institutions, and stakeholders in cybersecurity. Second, it establishes a European cybersecurity certification framework for ICT products, services, and processes. This framework enables the creation of EU-wide certification schemes at three assurance levels (basic, substantial, high), replacing fragmented national schemes.
The CSA applies to ENISA, establishing its objectives and tasks. The certification framework applies to manufacturers of ICT products, providers of ICT services, and providers of ICT processes who wish to (or are required to) obtain EU cybersecurity certification. Conformity assessment bodies (CABs) that carry out certifications must be accredited. National cybersecurity certification authorities (NCCAs) supervise compliance. While certification is generally voluntary, other EU legislation (such as the CRA) can make specific schemes mandatory.
The CSA defines three assurance levels for certification schemes: basic (self-assessment possible), substantial (third-party evaluation), and high (advanced third-party evaluation). Certification schemes specify the purpose, scope, evaluation criteria, and intended level of assurance. Certified ICT products receive an EU statement of conformity valid across all Member States, eliminating duplicate national certifications. The EUCC (Common Criteria based) scheme was the first adopted scheme. The CSA is being amended to enable managed security services certification.
Law4Devs provides the full CSA text as structured JSON via API. Query by topic area (ENISA mandate, certification framework), assurance level, or entity type (manufacturer, CAB, NCCA). Access specific provisions on certification scheme requirements, conformity assessment procedures, and supervisory powers. Cross-reference with the CRA for mandatory product certification requirements and with NIS2 for complementary cybersecurity obligations.
All articles, recitals, and amendments — queryable, filterable, and always up to date.