European Cybersecurity Certification Schemes
This topic specifically addresses the European cybersecurity certification schemes (EUCS) referenced in NIS2, which establish a framework for certifying cloud services and other ICT products and services against defined security criteria.
Overview
Legal Framework
The topic of European Cybersecurity Certification Schemes (EUCS) is governed by the EU Cybersecurity Act (Regulation (EU) 2019/881) and referenced in the NIS2 Directive. Specifically, NIS2 Recital 138 establishes the framework for mandating the use of certified ICT products, services, and processes. It delegates power to the European Commission to adopt delegated acts specifying which categories of essential and important entities under NIS2 must use certain certified ICT products or obtain certification under an EUCS. The primary legal basis for these schemes themselves is the Cybersecurity Act, which creates a voluntary Union-wide certification framework to ensure a high level of cybersecurity for ICT products, services, and processes.
Practical Application
While EUCS are a distinct framework under the Cybersecurity Act, their practical relevance is significantly amplified by NIS2's mandate. The schemes are designed to create harmonized security standards, reducing fragmentation and building trust in the digital single market. For entities in scope of future NIS2 delegated acts, certification will shift from a voluntary market advantage to a compliance obligation. Although the first schemes are still under development (notably for cloud services - the EU Cloud Scheme), the legal interpretation from related frameworks is instructive. As highlighted in the authoritative commentary on the GDPR (Tekst & Commentaar), approved certification mechanisms are recognized as a valid means for a data controller to demonstrate compliance with certain obligations (GDPR Article 42). This principle underpins the EUCS logic: obtaining a certification under a recognized scheme serves as a concrete, auditable demonstration of adherence to defined cybersecurity requirements, which can be leveraged for both NIS2 and GDPR compliance purposes.
Key Considerations
- Monitor Delegated Acts: Organizations classified as essential or important entities under NIS2 must closely monitor forthcoming Commission delegated acts, which will definitively specify which entities must use certified ICT products/services and under which specific EUCS.
- Strategic Procurement and Certification: For entities likely to be in scope, procurement policies for ICT products and services (especially cloud) should be future-proofed to prioritize suppliers that are certified or are on a clear path to certification under the relevant EUCS once adopted.
- Leverage for Broader Compliance: Even where not yet mandated by NIS2, proactively obtaining or using EUCS-certified solutions can serve as a robust evidence-based measure to demonstrate security diligence, potentially satisfying requirements under the GDPR's security principle (Article 32) and other regulatory frameworks.
Laws (7)
Guidance (15)
Opinion 34/2025 on the draft decision of the Greek Supervisory Authority regarding C.E.C.L certification criteria
EDPB
Version history
guidelines accreditation
Guidelines 1/2019 on codes of conduct and monitoring bodies within the meaning of Regulation 2016/679
guidelines codes of conduct and monitoring bodies
Guidelines 4/2019 on Article 25 Data protection by design and by default
guidelines privacy by design and default
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
guidelines certification
Guidelines 07/2022 on certification as a tool for transfers
Under Article 46 of the General Data Protection Regulation (GDPR), data exporters must provide appropriate safeguards for transfers of personal data to third countries or international organisations. The GDPR therefore sets out the various appropriate safeguards that data exporters may use under Article 46 as a framework for transfers to third countries, including by introducing certification as a new transfer mechanism (Article 42(2) and A...
Guidelines 07/2022 on certification as a tool for transfers
Guidelines on certification and identifying certification criteria
The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR). These guidelines provide guidance as to the applicati...
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
Guidelines on certification and identifying certification criteria
Version history
Guidelines on the accreditation of certification bodies
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, Version 2.0, adopted on 20 October 2020
Guidelines on data protection by design and by default
Opinion 15/2025 on the draft decision of the Austrian Supervisory Authority (AT SA) regarding the certification criteria of BDO Consulting GmbH
EDPB
EDPB, Opinion 15/2025 on the draft decision of the Austrian Supervisory Authority (AT SA) regarding the certification criteria of BDO Consulting GmbH, 2025
Opinion 16/2025 regarding the draft decision of the German North Rhine Westphalia Supervisory Authority regarding Trusted Site Data Privacy (TÜV IT) certification criteria
EDPB
EDPB, Opinion 16/2025 regarding the draft decision of the German North Rhine Westphalia Supervisory Authority regarding Trusted Site Data Privacy (TÜV IT) certification criteria, 2025
Opinion 3/2025 on the draft decision of the French Supervisory Authority (FR SA) regarding the “Lexing GDPR certification criteria”
EDPB
EDPB, Opinion 3/2025 on the draft decision of the French Supervisory Authority (FR SA) regarding the “Lexing GDPR certification criteria”, 2025
News (2)
UK data protection reform: How the UK's GDPR may change
> The current version of the Bill seeks to maintain the majority of key principles that underpin the UK data protection law framework, while at the same time modifying certain key provisions in relation to accountability, lawful grounds for processing, data subject access requests and cookies, amongst others. A [consolidated redline version of the UK GDPR by Hogan Lovells](https://www.engage.hoganlovells.com/knowledgeservices/attachment_dw.action?attkey=FRbANEucS95NMLRN47z%2BeeOgEFCt8EGQJsWJiCH
Data protection reform in the United Kingdom: how the UK's GDPR may change
The current version of the Bill aims to preserve most of the key principles underlying the UK data protection framework, while at the same time amending certain key provisions relating to, among other things, accountability, the lawful grounds for processing, data subject requests and cookies. A [consolidated redline version of the UK GDPR prepared by Hogan Lovells](https://www.engage.hoganlovells.com/knowledgeservices/attachment_dw.action?attkey=FRbANEucS95NMLRN47z%2BeeOgEFCt8EGQJsWJiCH)