Status: In force since 27 June 2019.
EUR-Lex-link: Adopted and published version, including other language versions, can also be found here.
Full name: Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
Type: Regulation
Objective and key elements:
Relevant to: Mainly ENISA, relevant local authorities, certification actors, and suppliers of ICT products, services and processes
Status: In force since 27 June 2019.
Notable amendment:
The targeted amendment aims to strengthen the EU’s cyber resilience by enabling the adoption of European certification schemes for managed security services. Recognizing the critical role of these services—such as incident handling, penetration testing, security audits, and technical consulting—the amendment seeks to enhance their quality and comparability. This initiative intends to promote trusted cybersecurity service providers, prevent market fragmentation, and harmonize efforts across member states, some of which have already introduced national certification schemes.
Other amendments:
On 20 January 2026, after a series of consultations and the call for evidence, the Commission has proposed a new Regulation, revising the EU Cybersecurity Act (The Cybersecurity Act 2). The Regulation proposes a full reform of the mandate of the European Union Agency for Cybersecurity (ENISA), enhancement of the security of the ICT supply chain and introduces a simpler product certification process.
(Last Updated 23 January 2026)
Previous article
Next article