EU cybersecurity certification faces delays amid political disputes
Industry groups urge action on EU security standards.
Progress on the EU Cybersecurity Certification Scheme (EUCS), stuck in a deadlock since 2019, remains uncertain as discussions are unlikely to advance in the first half of 2025. Despite efforts by Poland, which is leading the EU ministerial meetings until July, disagreements over sovereignty requirements continue to stall the process. The EUCS aims to help companies demonstrate that their ICT solutions meet cybersecurity standards for the EU market but has faced resistance, particularly from France, which wants to preserve its certification system, SecNum Cloud.
The European Cybersecurity Certification Group (ECCG) from ENISA has yet to provide an opinion on the scheme, with its next meeting possibly taking place in February. Poland plans to prioritise cybersecurity during its presidency, hosting key events like an informal telecom minister meeting in March and a conference on ENISA standardisation, though industry groups remain sceptical about a breakthrough.
Lobbyists, including the global software industry group BSA, have criticised the delays. They argue that cybersecurity standards should focus on technical protections rather than political considerations and have urged the Commission to adopt the scheme quickly to strengthen Europe’s cybersecurity resilience.
Further complicating matters, the EU Cybersecurity Act (CSA), which underpins ENISA’s authority to create certification schemes, is under evaluation but has not yet been revised. Of the three certification schemes proposed since 2019, only one has been adopted, with another for 5G still in progress. New EU Commissioner Henna Virkkunen has pledged to improve the adoption process for cybersecurity certification schemes as part of her mission to bolster Europe’s technological sovereignty and security.