Cybersecurity Act

Regulation (2019/881) on ENISA and on ICT cybersecurity certification

Background and Scope

The Cybersecurity Act (EU 2019/881) aims to strengthen cybersecurity, resilience against cyber threats, and trust within the European Union. The regulation replaces the previous cybersecurity framework, Regulation (EU) No 526/2013, and grants the European Union Agency for Cybersecurity (ENISA) a permanent mandate with expanded responsibilities. ENISA plays a key role in developing and managing cybersecurity certification schemes while also informing the public about them.

In addition to strengthening ENISA’s mandate, the Cybersecurity Act introduces a framework for voluntary European cybersecurity certification for ICT products, services, and processes. This certification system aims to create a unified cybersecurity standard across the EU, making it easier for businesses and organizations to comply with security requirements and build trust with users.

Proposal for a Directive on Simplification Measures and Alignment with the Cybersecurity Act

In January 2026, the European Commission proposed a new cybersecurity package to strengthen the EU’s resilience against growing cyber threats. Key elements include a revised Cybersecurity Act, which enhances ICT supply chain security, simplifies the certification process for cyber-secure products, and reinforces ENISA’s role in supporting Member States in managing cybersecurity threats.

Key obligations

  • ENISA obligations: ENISA shall carry out the tasks assigned to it by the regulation and shall, among other things, regularly compile and publish reports on incidents, provide guidelines and advice, and facilitate information exchange.
  • Role of national authorities: The national supervisory authorities shall monitor and take measures if a provider that has received a certificate does not meet the requirements laid down in the relevant European cybersecurity certification scheme (for example, revoking the certificate).
  • Obligation to inform about vulnerabilities: Holders of a European cybersecurity certificate shall inform their awarding authority or conformity assessment body of any new vulnerabilities discovered after the certificate has been issued, thereby underlining continuous compliance.

January 20, 2026

The European Commission proposed a revised Cybersecurity Act, aiming to strengthen EU resilience against cyber threats.

January 15, 2025

Amendment to extend the scope to managed security services was adopted.

March 5, 2024

The European Parliament’s negotiators and the Council presidency reached a final provisional agreement regarding amendment of the Cybersecurity Act.

April 18, 2023

The European Commission proposed a targeted amendment to the Cybersecurity Act.

June 27, 2019

The Cybersecurity Act entered into force.