The Cybersecurity Act is a European regulation (EU 2019/881) that took effect in June 2019. Its goal is to strengthen cybersecurity across the EU by granting ENISA a permanent mandate and establishing an EU-wide cybersecurity certification framework for ICT products, services, and processes.
While earlier EU cybersecurity efforts focused on national strategies and incident reporting, the Cybersecurity Act shifts the focus toward trust, transparency, and harmonized certification across the digital single market.
Two main pillars of the Cybersecurity Act
- Empowering ENISA
The Act gives ENISA a permanent and extended role, making the agency responsible for:
- supporting EU cybersecurity policy development;
- coordinating cooperation between member states;
- collecting and sharing threat intelligence;
- organizing large-scale crisis simulations;
- and managing cybersecurity certification schemes.
- EU cybersecurity certification framework
One of the core innovations is a unified EU cybersecurity certification framework. This allows vendors to demonstrate that their ICT products or services meet clearly defined cybersecurity requirements — a crucial element in sectors like healthcare, energy, telecom, and finance.
The certification framework includes three levels of assurance:
- Basic: protection against common, low-level threats;
- Substantial: protection against more sophisticated threats;
- High: protection against highly targeted and advanced attacks.
Certification is voluntary unless otherwise mandated by legislation like NIS2 or DORA.
Why the Cybersecurity Act matters
In a digital economy, trust is key. The Cybersecurity Act offers:
- Assurance that certified products meet minimum cybersecurity standards;
- Transparency about the security level of products and services;
- Simplified access to EU markets, avoiding fragmented national rules;
- Incentives for vendors to adopt security-by-design practices.
For organizations sourcing ICT products, the Act simplifies risk-based decision-making using standardized, EU-recognized certifications.
How RiskStudio supports the Cybersecurity Act
While RiskStudio does not issue certifications, the platform helps organizations meet the expectations and requirements introduced by the Cybersecurity Act.
RiskStudio allows you to:
- Monitor whether vendors use certified ICT components;
- Identify misconfigurations or vulnerabilities that contradict certification standards;
- Evaluate critical suppliers based on real-world signals — including cyber ratings, known breaches, and public exposure.
With these insights, RiskStudio supports both regulatory compliance and smarter decision-making in the selection and oversight of suppliers and digital tools — even when formal certification is not yet in place.