The EU Cybersecurity Act establishes a permanent mandate for ENISA and creates an EU-wide cybersecurity certification framework for ICT products, services, and processes.
Focus: EU certification framework, ENISA mandate, cybersecurity certification schemes, ICT security
Article 1 — Subject Matter and Scope
Article 3 — ENISA Objectives
Article 4 — ENISA Tasks
Article 46 — European Cybersecurity Certification Framework
Article 49 — Certification Schemes
Article 52 — Assurance Levels
Article 54 — Conformity Assessment
Article 56 — EU Statement of Conformity
Article 58 — National Cybersecurity Certification Authorities
Article 65 — Penalty Provisions
GET /v1/frameworks/csa/articles → 200 OK · structured JSON · official source
The EU Cybersecurity Act (Regulation (EU) 2019/881) has two main pillars. First, it grants ENISA (the EU Agency for Cybersecurity) a permanent mandate and a strengthened role in supporting Member States, EU institutions, and stakeholders in cybersecurity. Second, it establishes a European cybersecurity certification framework for ICT products, services, and processes. This framework enables the creation of EU-wide certification schemes at three assurance levels (basic, substantial, high), replacing fragmented national schemes.
The CSA applies to ENISA, establishing its objectives and tasks. The certification framework applies to manufacturers of ICT products, providers of ICT services, and providers of ICT processes who wish to (or are required to) obtain EU cybersecurity certification. Conformity assessment bodies (CABs) that carry out certifications must be accredited. National cybersecurity certification authorities (NCCAs) supervise compliance. While certification is generally voluntary, other EU legislation (such as the CRA) can make specific schemes mandatory.
The CSA defines three assurance levels for certification schemes: basic (self-assessment possible), substantial (third-party evaluation), and high (advanced third-party evaluation). Certification schemes specify the purpose, scope, evaluation criteria, and intended level of assurance. Certified ICT products receive an EU statement of conformity valid across all Member States, eliminating duplicate national certifications. The EUCC (Common Criteria-based) scheme was the first scheme adopted. The CSA is being amended to enable certification of managed security services.
Law4Devs provides the full CSA text as structured JSON via API. Query by topic area (ENISA mandate, certification framework), assurance level, or entity type (manufacturer, CAB, NCCA). Access specific provisions on certification scheme requirements, conformity assessment procedures, and supervisory powers. Cross-reference with the CRA for mandatory product certification requirements and with NIS2 for complementary cybersecurity obligations.