Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act)

Author (Corporate) ,
Series Title
Series Details L 151
Publication Date 07/06/2019
Content Type


Regulation of the European Parliament and of the Council of 17 April 2019 strengthening the role of ENISA and setting up a European framework for cybersecurity certification.

Further information:

This Regulation establishes a European Cybersecurity Certification Framework for ICT products and services and specifies the essential functions and tasks of the European Union Agency for Network and Information Security (ENISA) in the field of cybersecurity certification.

The proposed Regulation was presented on 13 September 2017 by the European Commission. The Council of the European Union adopted its general approach regarding this proposal on 8 June 2018. The European Parliament's relevant committee adopted its position and mandate for negotiations on 10 July.


The proposal was announced as part of the European Union's overhaul of its cybersecurity strategy during the annual SOTEU 2017 address. It follows up on the announcement in 2016 that the European Commission had decided to review Regulation (EU) 526/2013, which provides the second mandate for the ENISA. Its strengthening would also acknowledge the agency's responsibilities under the NIS Directive.

The 2016 Communication on 'Strengthening Europe's cyber resilience system and fostering a competitive and innovative cybersecurity industry' – which announced the review of the role of ENISA – also put forward the idea of establishing a framework for security certification for ICT products and services in order to increase trust and security in the digital single market. The Commission identified ENISA as the natural body to take up the role regarding certification.

Source Link
Related Links
Commentary and Analysis
EPRS: Briefing, December 2017: EU Cybersecurity Agency and cybersecurity certification [Initial Appraisal of a European Commission Impact Assessment]
EPRS: Briefing, January 2018: ENISA and a new cybersecurity act

EUObserver, 13/09/2017: EU to beef up cybersecurity agency
EUObserver, 15/09/2017: Greece keen to keep EU cybersecurity agency
EUObserver, 19/09/2017: EU agency to fight election hacking
EUObserver, 09/01/2018: EU cyber chief says expectations exceed resources
EurActiv, 07/06/2018: Cybersecurity agency hopes for 24/7 crisis response centre in Brussels

EUR-Lex: COM(2017)477: Proposal for a Regulation on ENISA (the EU Cybersecurity Agency) and on information and communication technology cybersecurity certification (Cybersecurity Act)
EUR-Lex: SWD(2017)500: Impact assessment accompanying COM(2017)477
EUR-Lex: SWD(2017)501: Executive summary of the impact assessment accompanying COM(2017)477
EUR-Lex: SWD(2017)502: Evaluation of the European Union Agency for Network and Information Security (ENISA)
European Parliament: Legislative Observatory: Procedure file EU Cybersecurity Agency (ENISA) and information and communication technology cybersecurity certification (Cybersecurity Act)
European Parliament: Legislative Train: The EU Cybersecurity Agency and the Cybersecurity act
Council of the European Union: Press Release, 08/06/2018: EU to create a common cybersecurity certification framework and beef up its agency – Council agrees its position
European Commission: Statement, 08/06/2018: Joint Statement by Vice-President Ansip and Commissioner Gabriel on political agreement from the Council

Subject Categories
Subject Tags ,
International Organisations