First Union Rolling Work Programme for European cybersecurity certification

On 7. February 2024, the Commission published the first Union Rolling Work Programme for European cybersecurity certification.

The work programme fulfils the requirement of the Cybersecurity Act, Title III: the European Cybersecurity Certification Framework, for the establishment of voluntary European cybersecurity certification schemes.

While three European cybersecurity certification schemes under this framework are already at various stages of preparation and adoption, the present URWP outlines strategic priorities to be considered when preparing any scheme, as well as some areas for future cybersecurity certification. (The first EU-wide European cybersecurity certification scheme, the European Cybersecurity Scheme on Common Criteria (EUCC) was adopted on 31. January 2024.  The second scheme being developed, ‘EUCS’, covers cloud services and a third one, called ‘EU5G’, is on 5G networks.)

The URWP has taken into account the opinions of relevant stakeholders represented in the European Cybersecurity Certification Group (ECCG) and the Stakeholder Cybersecurity Certification Group (SCCG).

What are the identified strategic priorities for the future European cybersecurity certification schemes?
Security-by-design, lifecycle security and security-by-default
Risk-based assurance
Coherence, ‘composability’ and common processes
International cooperation
Measurement of scheme efficiency and improvement over time

Which are the areas this first URWP lists where the need for European cybersecurity certification schemes is possible based on European regulations and legislative initiatives (Cybersecurity Act, Cyber Resilience Act, European Digital Identity Regulation)?
Certification of European Digital Identity Wallets
Certification of managed security services

Which are the areas listed for consideration as areas for future certification schemes?
Concerning the Cyber Resilience Act (CRA): Internet of Things (IoT) and Industrial Automation Control Systems (IACS); Secure Development Lifecycle (SDL)
Cryptographic Mechanisms
Fixed-time Evaluation

You can download the full text of the “COMMISSION STAFF WORKING DOCUMENT – Union Rolling Work Programme for European cybersecurity certification” at

Leave a Reply