Article 24

Use of European cybersecurity certification schemes

1.   In order to demonstrate compliance with particular requirements of Article 21, Member States may require essential and important entities to use particular ICT products, ICT services and ICT processes, developed by the essential or important entity or procured from third parties, that are certified under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. Furthermore, Member States shall encourage essential and important entities to use qualified trust services.

2.   The Commission is empowered to adopt delegated acts, in accordance with Article 38, to supplement this Directive by specifying which categories of essential and important entities are to be required to use certain certified ICT products, ICT services and ICT processes or obtain a certificate under a European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881. Those delegated acts shall be adopted where insufficient levels of cybersecurity have been identified and shall include an implementation period.

Before adopting such delegated acts, the Commission shall carry out an impact assessment and shall carry out consultations in accordance with Article 56 of Regulation (EU) 2019/881.

3.   Where no appropriate European cybersecurity certification scheme for the purposes of paragraph 2 of this Article is available, the Commission may, after consulting the Cooperation Group and the European Cybersecurity Certification Group, request ENISA to prepare a candidate scheme pursuant to Article 48(2) of Regulation (EU) 2019/881.

Frequently Asked Questions

European cybersecurity certification schemes, as referred to in Article 24 of NIS2, give entities a way to demonstrate compliance with particular requirements of Article 21 by using certified information and communication technology (ICT) products, services and processes. Member States may, but are not obliged to, require essential and important entities to use such certified ICT, whether developed in-house or procured from suppliers, and must encourage them to use qualified trust services, with the aim of stronger and more consistent cyber protection across the European Union.
Under NIS2, ‘essential’ and ‘important’ entities, such as vital businesses and public services, may be obliged by Member States to use specific ICT products, services and processes that are certified under a European cybersecurity certification scheme. These groups are prioritised because a compromise of their operations has significant consequences, which makes certified products and processes an important building block for wider societal security.
The European Commission may adopt delegated acts specifying which categories of essential or important entities must use certain certified ICT products, services and processes, or must obtain a certificate under a European scheme, where insufficient levels of cybersecurity have been identified. Before adopting such acts, the Commission must carry out an impact assessment and consult in accordance with Article 56 of Regulation (EU) 2019/881, and each act must include an implementation period so that the affected entities have time to adapt.
If no appropriate European cybersecurity certification scheme is available for that purpose, the Commission may request ENISA, the EU’s cybersecurity agency, to prepare a candidate scheme under Article 48(2) of Regulation (EU) 2019/881. Before making this request, the Commission consults the Cooperation Group and the European Cybersecurity Certification Group, so that the new scheme matches the current threats and the practical needs it is meant to address.
