Commission proposes EU-wide cybersecurity certification system

Ministry of Transport and Communications
Publication date 19.10.2017 13.41
Press release

Finland supports the European Commission's proposal on granting the European Union Agency for Network and Information Security ENISA a permanent status and extending the scope of its mandate. In future, the Agency would be responsible for promoting the uptake of EU-level certification of ICT products and services. The goal is to increase public trust in digital services.

On 13 September 2017, the Commission put forward a proposal for a regulation under which the European Union Agency for Network and Information Security ENISA would become a permanent European Cybersecurity Agency. The regulation would also lay down a general framework for certification of ICT products and services.

The purpose with the proposed EU-level certification system is to improve the information security and availability of ICT products intended for citizens and businesses. The objective is to provide citizens and businesses with information which would make the security features of ICT products more transparent and mutually comparable. This would increase trust in digital services.

The proposed certification system would primarily function on a voluntary basis. The proposal does, however, provide for a possibility to later enact national or EU legislation prescribing a certificate as a mandatory requirement. The proposal would restrict Member States' possibilities to introduce their own national certification schemes if these overlapped with the certification schemes established under the proposed regulation. The proposal requires Member States to appoint a national certification supervisory authority.

The Government considers it important that information security and the availability of cyber-secure products and services in the Single Market is improved and that innovations are promoted across the EU. The objectives of the proposal are in line with the Finnish Government Programme, the National Information Security Strategy and the National Cybersecurity Strategy, as well as with the Government key project aiming to create a growth environment for digital business operations.

Furthermore, the Government considers that granting ENISA the status of a permanent agency would improve its operating conditions. The activities and objectives of ENISA should, however, be regularly assessed to enable it to serve the fast-changing and developing Digital Single Market in the best possible manner.

The Government supports the proposal on the establishment of a certification system for ICT products and services in so far as the regulation would increase trust in the Digital Single Market. The impacts, scope and expediency of the proposed regulation and other legislation to be enacted under it must, however, be further assessed. Further assessment is needed to ensure that the certifications will not place operators in an unequal position or cause any additional administrative burden which could harm competitiveness.

Moreover, the Government is of the opinion that ENISA should in its activities avoid overlaps with the activities of the national authorities.

The European Union Agency for Network and Information Security ENISA was set up in 2004 for a period of five years to improve the preparedness of the Union, Member States and businesses to prevent, detect and respond to network and information security problems. The mandate of the Agency has been extended twice. The current mandate expires in June 2020.


Piia Nyström, Ministerial Adviser, tel. 0295 34 2969

Timo Kievari, Director of Unit, tel. 0295 34 2620