European Cybersecurity Certification Conference, 15 Apr 2026

Field notes from ENISA's 15 April 2026 conference: CSA2, the new ECCF, CRA conformity, the CAB capacity gap, EUDI Wallet, and the EU MSS scheme.

CRA Evidence Team · Published April 15, 2026 · Updated April 16, 2026
ENISA 2026 European Cybersecurity Certification Conference, 15 April 2026, Ayia Napa

On 15 April 2026 ENISA held its European Cybersecurity Certification Conference in Ayia Napa, Cyprus, co-organised with the Cyprus Presidency and the European Commission. One day, hybrid format, six tracks: EUCC in year one of operation, the proposed CSA2 and its revised European Cybersecurity Certification Framework (ECCF), certification's role under the CRA, a new NIS2 route through the cyber posture scheme, the EU Digital Identity Wallet scheme now in public consultation, and the EU Managed Security Services (MSS) scheme at draft v4.

The audience concern that dominated the day, by vote count on the online Q&A, was not any single scheme. It was whether certification results can or should be used to infer NIS2 compliance, given that NIS2 supervision sits with different authorities. Five of the seven top-voted questions circled that one tension. We address it in its own section below.

What follows is a structured readout of what was actually said, with speaker attribution kept to where the programme and transcripts agree.

Certification is a proxy for absent trust.

Steffen Zimmermann, VDMA · opening keynote block

Summary

  • CSA2 is a proposed regulation that revises the European Cybersecurity Certification Framework and amends the NIS2 directive. Draft length: 271 pages, per panellists.
  • ECCF replaces the current certification framework with model provisions, formal maintenance mechanisms, and a 12-month default timeline for candidate scheme development.
  • EUCC live counts (Juhan Lepassaar, Executive Director, ENISA): 29 certificates issued, 28 conformity assessment bodies across the EU, Europe accounts for more than 60% of ~350 global Common Criteria certificates issued yearly, and all EU CC certificates are at CC-1 as of February 2026.
  • CRA conformity infrastructure is this year's biggest CRA implementation milestone, per Maika Fohrenbach (DG CONNECT): Member States must designate competent authorities by June 2026, and sufficient notified bodies should be in place by December 2026, one year ahead of CRA's full application.
  • EUDI Wallet scheme public consultation launched 3 April 2026; next anchor dates run from AHWG draft validation on 16–17 April 2026 through ECCG finalisation in September–October 2026.
  • EU MSS scheme is at draft v4, sent to the ad hoc working group on 9 April 2026; draft v3 (sent 20 March 2026) received 250 comments across nine themes. Public consultation is planned for early July 2026.
  • Industry pushback on proliferation was sharp. Steffen Zimmermann (VDMA) put numbers on it: around 80% of VDMA members are SMEs, of whom roughly 90% are affected by NIS2 and the CRA.
  • Audience priority of the day was not any single scheme. It was the tension between using certification results to infer NIS2 compliance and the fact that NIS2 supervision is mandatory and sits with different authorities (five of seven top-voted questions).

29 · Certificates issued under EUCC, year one
28 · Conformity bodies accredited across the EU
60%+ · Global CC share of ~350 certs issued yearly
CC-1 · Assurance level, all EU CC certs, Feb 2026

Source: Juhan Lepassaar, Executive Director, ENISA, opening keynote.

Four EU cybersecurity schemes in April 2026: EUCC is live, EUDI Wallet is in public consultation, EU MSS is at draft v4, cyber posture under CSA2 is in negotiation.
Where each EU cybersecurity scheme sits in April 2026, and what's anchored next.

CSA2 and the new ECCF

Maika Fohrenbach (DG CONNECT) presented the Commission's proposal. It is structured around four pillars:

  1. A harmonised ICT supply chain risk management framework, at EU level for the first time.
  2. A revised European Cybersecurity Certification Framework (ECCF).
  3. NIS2 simplification measures, built around a new cyber posture scheme (its own section below).
  4. Reinforcement of ENISA's mandate (Member State support, situational awareness, standardisation leadership, skills attestation).

Three ECCF changes matter for manufacturers:

1 · Scope clarified

Certification is technical assurance, not a broader foreign-interference instrument. High-risk suppliers and high-risk ICT assets are explicitly excluded and handled through the supply chain framework. CABs cannot stem from designated countries of concern.

2 · Extended to entities

Certification now covers entities, not only products, services and processes. The cyber posture scheme is the flagship use case. Fohrenbach called this "probably one of the biggest impacts for businesses".

3 · Model provisions

CSA2 introduces template provisions that scheme developers can adapt, the way the CRA uses the New Legislative Framework. Fohrenbach called it "the NLF for certification".

On maintenance and stakeholder tooling, CSA2 formally recognises ENISA as scheme manager, with a dedicated ECCG subgroup for each scheme. It replaces the current Stakeholder Cybersecurity Certification Group (SCCG) and Union Rolling Work Programme with a European Cybersecurity Certification Assembly plus Commission and ENISA information portals. The legal basis for ENISA-authored technical specifications, building on the EUCC "state of the art" documents, is written into the proposal.

Panel reactions were candid. Helge Kreutzmann (BSI) named two gaps in the draft. First, CSA2 keeps the old authorisation plus notification split instead of going fully to the New Legislative Framework's notification mechanism. Second, scope was not extended boldly enough: the draft certifies services but not providers, while several Member States already certify providers and key personnel, and the Cyber Solidarity Act requests it. Kreutzmann: "We think this should carry over on the European level, that we can actually certify the providers."

Suzana Pavlidou (NCCA Cyprus) and Apostolos Malatras (Head of Unit for Cybersecurity Certification, ENISA) joined Philippe Blot as moderator. Goran Gotov (Zscaler) raised a structural concern from the floor: the Assembly meets once a year and ad hoc groups are scheme-specific, which makes macro-level industry input thinner than before. Richard Skalt (TIC Council; cybersecurity advocacy manager at TÜV SÜD) pressed for a 12-month deadline commitment on ENISA scheme development, and asked whether CSA2 will integrate ISO/IEC 27001 and Belgium's "Cyber Fundamentals" scheme into the NIS2 simplification route. No firm commitment on that integration was given on stage.

Cyber posture and NIS2: what the audience actually asked

The Q&A feed made the audience priority unambiguous. The seven highest-voted questions of the day (14 to 19 votes each) were not about EUCC throughput or CAB capacity. They were about the same structural worry, phrased seven ways: can certification results legitimately be used to infer NIS2 compliance, when NIS2 supervision is mandatory and done by different authorities?

Fohrenbach's answer ran across her presentation and the Q&A. Three pieces are worth separating:

The ex-ante design promise

For the EUCC, Fohrenbach said, presumption of conformity with the CRA is being worked out after the fact. For future schemes, including the cyber posture scheme, alignment with existing legislation (NIS2 in this case) is to be built in from the request stage. Her framing: "In the future, this is the work that would be done from the very beginning of the request stage of a scheme, that you think about how this scheme can be used and will enable also compliance with existing legislation."

The directive problem, acknowledged

"The cyber posture scheme will also need to reflect the specificity of the fact that NIS2 is a directive, and there will be also important discussions on the interplay with existing national certification schemes that exist today on the market." The Commission's lever for that: an implementing regulation with maximum harmonisation, sitting on top of the scheme, so the baseline requirements do not fragment across 27 national transpositions.

Not yet agreed with Member States

"Obviously the proposal of the Commission is also subject to negotiation, and of course the whole interplay between how you can use the future cyber posture scheme to demonstrate conformity with NIS2 will be an important point of discussion with the Member States." In plain terms: the policy intent is on the record, the linkage is not.

On the two audience questions that did not get a stage answer, we are not filling gaps. We flag them:

| Audience question (top-voted on the day) | On-stage answer | Status |
|---|---|---|
| How will the certification framework ensure alignment with NIS2? | Cyber posture scheme, designed ex-ante to enable NIS2 compliance | Answered |
| Has the Commission agreed the cert-to-NIS2 linkage with Member States? | "Subject to negotiation" | Partial |
| Could inconsistent outcomes arise between cert results and NIS2 supervision (different authorities)? | Acknowledged: NIS2 is a directive, interplay with national schemes needs work | Partial |
| How to interpret ECCF use in a NIS2 context, since cert schemes and regulatory frameworks serve different purposes? | Ex-ante design principle for new schemes; EUCC handled ex-post | Partial |
| Will CSA2 take into account existing implementing acts (MSS, cloud) and standards like ISO/IEC 27001 and Belgium's Cyber Fundamentals? | No firm commitment. BSI supported the direction; Fohrenbach pointed to model provisions | Partial |
| Would a formal statement confirming satisfactory NIS2 supervision be a sounder basis than inferring compliance from certification results? | Not addressed on stage | Unanswered |
| How will cyber posture schemes handle entities operating across multiple Member States with different national requirements? | Not addressed on stage (closest adjacent comment: "interplay with existing national schemes") | Unanswered |

For readers planning around NIS2, the honest read is this. The cyber posture scheme is the Commission's preferred route. The legal mechanics that would make that route robust (the implementing regulation with maximum harmonisation, Member State agreement on the linkage) are live negotiation items. If you are building a compliance strategy today, do not treat "certify under cyber posture and NIS2 is handled" as a settled fact for your jurisdiction. Watch the trilogue.

Where certification meets the CRA

Fohrenbach's CRA tie-in was the clearest manufacturer signal of the day. Headline for 2026: build the conformity assessment infrastructure. Harmonised standards will land later, and unevenly.

The CRA covers software products, hardware products, and components placed separately on the market. The distribution Fohrenbach stated:

CRA tiers. Default covers about 90% of the market with self-assessment or third-party at the manufacturer's choice. Important Class I is part of the remaining 10% with harmonised-standard or third-party route. Important Class II (firewalls, microprocessors, microcontrollers, hypervisors) requires mandatory third-party. Critical is subject to Commission empowerment, not currently triggered.
CRA product tiers and assessment routes, as Fohrenbach described them.

Under CRA Annex VIII, the available New Legislative Framework modules are Module B + C (EU type examination) and Module H (quality system certification). The Commission's stated intention is to specify, before the end of 2026, how the EUCC can be used to demonstrate conformity with the CRA; ENISA is running 18 pilots on EUCC-to-CRA presumption of conformity, with a workshop in Athens planned.

The run-up to full CRA application in one view:

CRA conformity assessment timeline. June 2026: Member States designate competent authorities. December 2026: sufficient notified bodies in place (aspiration). Late 2026: Commission specifies EUCC-to-CRA conformity path, fed by 18 ENISA pilots. 11 December 2027: CRA full application.
The four anchor dates between now and CRA full application on 11 December 2027.
Open, not on the timeline

Will CSA2 be adopted before CRA full application? Currently in trilogue.

The harmonisation work happens in an informal Commission-level working group of notifying authorities, with one of the main open questions being how to notify when harmonised standards are not yet available. Fohrenbach flagged CENELEC as the driver of the harmonised standards work. The working hypothesis across Member States: leverage CABs already accredited under the Radio Equipment Directive Delegated Act (RED DA) and the EUCC ecosystem, and fast-track them for CRA notification.

For the current state of module selection while CSA schemes are still pending, see our conformity assessment decision guide.

The CAB capacity gap

The CAB capacity panel was the most operationally loaded session of the day. It was moderated by Eric Vetillard; on the panel: Christin Hartung-Kümmerling (BSI, online), Xenia Kyriakidou (head of NCCA Cyprus, Cyprus's notifying and market surveillance authority for the CRA, and vice-chair of the ADCO CRA committee), Richard Skalt (TIC Council / TÜV SÜD), and Nikolaos Soumelidis (Q-CERT).

A few facts from the panel worth pulling forward:

  • Two-thirds of European countries do not yet have an eIDAS national accreditation body, per Soumelidis. Greece itself does not have one.
  • BSI is preparing Module H notification as the most scalable route for CRA, per Hartung-Kümmerling. BSI is not prioritising Module B for CRA; she acknowledged that other Member States are taking the Module B route but did not name them.
  • Cyprus, Germany, and most other Member States will rely on their national accreditation bodies for CRA accreditation. Fast-tracking via RED DA or EUCC accreditation is on the table.
  • TIC Council internal survey (Skalt): two-thirds of TIC Council members plan to have more than 50 dedicated cybersecurity experts by end of 2026, and 40% of members are already notified for EUCC.
  • ADCO CRA is the Administrative Cooperation Group of Member State market surveillance authorities for the CRA; Kyriakidou is its vice-chair.

Steffen Zimmermann (VDMA) asked Hartung-Kümmerling from the floor which Member States are preparing Module B notification. She declined to name them on stage. The question is live because it affects whether a manufacturer who wants an EU type examination route has a notified body available in their home market on 11 December 2027.

From a manufacturer's perspective, three things follow. First, if your product category pushes you into third-party assessment, check your home Member State's plan now. "Sufficient notified bodies by December 2026" is a policy aspiration, not a guarantee by jurisdiction. Second, the RED DA / EUCC CAB fast-track is the most plausible capacity expansion path, but it means your likely CAB pool is shaped by which bodies already serve radio equipment or Common Criteria markets. Third, Module H (quality system) is scaling faster than Module B (type examination) in at least one major Member State, which has implications for how you prepare evidence.

Steffen Zimmermann's (VDMA) morning session sharpened the industry view. Around 80% of VDMA members are SMEs under 250 employees, and roughly 90% of those are affected by NIS2 and the CRA. His five-part critique of certification was blunt:

  1. Not invented here. Existing IEC 62443, ISO/IEC 27001 and TISAX get dismissed in favour of EU-native schemes.
  2. Not good enough. The same IEC 62443 is then deemed insufficient once the CRA enters the picture.
  3. Untrusted certificate. Proprietary methodology drives stakeholders to demand new schemes with the same transparency flaw.
  4. Let's create market demand. Voluntary schemes with poor uptake get mandated via public procurement rather than rethought.
  5. Illusion of compliance. The certificate stays valid while the security degrades.

Take ISO 27001. If you have a process that says you shall document whether you've patched your service, and months after months you correctly document that you have not patched, then you are in compliance. Your process works. Your security is terrible. And the certificate becomes just a rubber stamp.

Steffen Zimmermann, VDMA · on the "illusion of compliance"

On harmonised standards under the CRA, his quotable line: "Harmonised standards do not cover all functionalities. They are developed to address the core functionality listed in the annexes. So a product may be in conformance for the core functionality, but the CRA demands conformity for the entire product."

EUDI Wallet certification

Evgenia Nikolouzou (ENISA) walked through the EUDI Wallet scheme's journey. The Commission request arrived in May 2024; a call for expressions of interest followed in October 2024 with 26 experts selected for the ad hoc working group; the AHWG kicked off in January 2025 and ran 7 plenary meetings and 4 thematic groups through February 2026; the scheme was submitted for review in April 2026 and public consultation opened on 3 April 2026.

The scheme covers the wallet plus the underlying eID scheme, and must cover products, services and processes because of how eIDAS is structured. Evaluation is two-stage: stage 1 is architecture and dependencies review, stage 2 is testing and vulnerability analysis, followed by certificate issuance and surveillance. Two levels of assurance are used: the tamper-resistant hardware layer is handled by the EUCC at AVA_VAN.4 / .5, and the application layer is handled by national schemes at AVA_VAN.3.

AVA_VAN.3 · Application-layer assurance, national schemes
AVA_VAN.4 / .5 · Tamper-resistant hardware, EUCC
AHWG · Ad Hoc Working Group, 26 experts since Jan 2025
ECCG · European Cybersecurity Certification Group (Member States)

The timeplan, from the slide Nikolouzou presented, anchors on these milestones: AHWG validation of draft v0.4 on 16–17 April 2026; ECCG comments period closes 1 June 2026; public consultation starts at the beginning of July 2026; ECCG finalisation in September–October 2026. For a detailed analysis of what the wallet scheme requires from applicants and what that signals for future CRA-adjacent schemes, see our EUDI Wallet scheme breakdown.

Managed Security Services scheme

Vicente Gonzalez Pedros (ENISA) opened the afternoon session on the EU MSS scheme, followed by a panel moderated by Georgia Bafoutsou (ENISA) with Paloma Llaneza (Digital Trust Scheme Manager, CerteIDAS), Adrian Pauna (Oracle), Marios Ioannou (Columbia Group), Oscar Boizard (ANSSI), and Pablo Fernandez (Security Operations Centers Manager, CCN-CNI).

The Commission request reached ENISA at the end of April 2025. The original request covered the incident management life cycle vertical; ENISA split it into service profiles and chose incident response as the first profile to build. Under the Cyber Solidarity Act, once a European scheme covers a service contracted via the Act, providers must be certified two years after the scheme is in place.

The scheme architecture has two layers:

  • A horizontal layer of common baseline requirements, standards-agnostic and service-agnostic, applicable to all MSS.
  • A vertical layer of service-specific technical requirements (lifecycle management, expertise, incident-response scenarios, stakeholder collaboration, resource requirements).

Two points from Gonzalez Pedros are worth pulling forward. The horizontal layer is never certified on its own: the certificate is always for the service, never for the provider. And the horizontal layer aligns with NIS2 but does not certify NIS2 compliance. NIS2 coverage belongs to the cyber posture scheme, not MSS.

On the AHWG: more than 200 proposals came in via the open call. The incident response working group was formed with 30 experts, and a reserve list of 70 more was kept for future service profiles. The AHWG was officially appointed on 29 September 2025.

Draft progression (from the AHWG slide):

  • Main Scheme Draft v3 sent to AHWG on 20 March 2026.
  • 250 comments received, grouped into nine themes: relationship with NIS2, assurance levels for multiple profiles, evaluation standards and methodologies, cross-border oversight, terminology alignment, certification scope (client-specific vs general), evaluation repetition costs, NCCA and CAB dialogues, and confidentiality in certification reports.
  • Main Scheme Draft v4 sent to AHWG on 9 April 2026.

One structural clarification from Gonzalez Pedros: the MSS scheme has no ITSEFs (unlike the EUCC). CAB and CB will be reconciled to a single term in the next draft. CAB accreditation is against ISO/IEC 17065, and the scheme builds on the same evaluation methodology ENISA is using for the European Wallet.

The scheme timeline he set out: validate draft v4 on 16–17 April 2026; first draft to ECCG for comments with one month for Member State review; address comments in about two weeks; public consultation from the beginning of July 2026 for 1.5 months; meet mid-September 2026 to address consultation comments; scheme endorsement in ECCG by October 2026.

What the panellists contributed

Paloma Llaneza (CerteIDAS) argued the core case for an EU-level scheme: without one, providers certify in 27 Member States separately, and only large firms can afford that. Her reference point was eIDAS-2, where one regulation plus an implementing act replaced 27 national standards with a single European standard. Llaneza is the editor of ETSI EN 319 401 (Policy and security requirements for Trust Service Providers), which she positioned as the working proportionality model: the horizontal layer is a one-time baseline, the verticals stack modularly on top.

Adrian Pauna (Oracle) made the multinational case: an EU scheme standardises compliance across jurisdictions, and penetration testing methodologies need clear definition inside the scheme. He noted a structural issue specific to pen testing: today it is certified at the person level (OSCP, OSCE), which makes service-level certification structurally difficult until the market shifts. His recommendation for next verticals: detection first, then pen testing.

Marios Ioannou (Columbia Group, Cyprus) framed the EU credential as a door-opener: recognition across the territory, and participation in the EU Cybersecurity Reserve. On cross-border incidents, he pointed out that a Spain to Cyprus to Malta response is far easier when all parties share the same baseline capabilities.

Oscar Boizard (ANSSI) drew the sharpest line of the session, on certification vs qualification:

Certification versus qualification. Certification assesses conformity against a baseline, granted per service delivery; EU MSS draft v4 follows this model. Qualification (ANSSI) assesses conformity plus trust in the provider as an entity, granted to the provider; the PASSI scheme since 2013 has a 60 to 70 percent SME base.
Where the two evaluation models differ — Boizard's framing at the MSS panel.

Kreutzmann (BSI) argued that CSA2 should enable provider-level qualification at EU level, beyond the current service-level certification.

France runs four ANSSI qualification schemes aligned with EU MSS categories (consulting, audit, detection, response), plus PAMS for administration. PASSI is the oldest and has the largest qualified-provider base. Introducing a substantial level materially changed the supplier mix: SMEs with six to seven competent staff made it in. Boizard's recommendation for the next vertical: auditing, as a quick win, because the standards already exist.

Pablo Fernandez (CCN-CNI) brought hard numbers from the Spanish approach. The Spanish MSS scheme started approximately four years ago, built on the ENS (Esquema Nacional de Seguridad), which itself has roughly 16 years of history. The MSS model is Guía CCN-STIC 896 layered on top of ENS, aligned with NIS2, the Cyber Solidarity Act amendments, and the incoming CSA2 and EU MSS. The CCN slide published figures: 3,578 certified entities under ENS, 25 MSS certified services delivered by 5 MSSPs, and 304 integrated SOCs in the national network of SOCs. Fernandez noted that CCN-STIC 896 will be available in English "in a couple of weeks", which is directly actionable for readers outside Spain.

Where the panellists landed on which MSS vertical should be built next:

| Panellist | Suggested next vertical |
|---|---|
| Llaneza · CerteIDAS | Detection |
| Pauna · Oracle | Detection, then pen testing |
| Ioannou · Columbia Group | Detection and recovery, then pen testing |
| Boizard · ANSSI | Auditing (quick-win, standards already exist) |
| Fernandez · CCN-CNI | Detection and recovery, then pen testing |

A useful detail from the floor: an audience question raised sovereignty as a factor (MSS providers that are national sovereign entities vs multinationals). Llaneza's answer was that EU-level regulation is needed to replace 27 national schemes, following the eIDAS-2 precedent. Ioannou's answer was that a shared baseline across Member States is what lets companies actually work together in a cross-border incident.

What this means for manufacturers shipping under CRA

The CRA milestone to focus on between now and 11 December 2027 is conformity assessment capacity, not harmonised standards. Harmonised standards will land late and unevenly. Competent-authority designation is a June 2026 deadline. Notified-body availability is a December 2026 aspiration. If your product sits in Important Class II, your CAB pool is heavily shaped by which bodies are already notified for EUCC or accredited under the RED DA.

For Default and Important Class I manufacturers, the practical implication is that module choice matters more than usual this year. Module H (quality system) has clearer scaling signals from at least one major Member State; Module B (type examination) availability is uneven and not publicly mapped. If you can legitimately qualify under harmonised standards when they are available, that route removes a dependency on CAB supply.

The EUCC-to-CRA presumption of conformity via Delegated Act is not yet walkable, but it is the most specific piece of infrastructure under construction. The 18 pilots and the Commission's stated end-of-2026 target for specifying how the EUCC supports CRA conformity are what to track over the next two quarters.

The MSS scheme is not directly a CRA product concern. It matters because it is the second CSA scheme in active drafting, after the EUDI Wallet, and it will ship ahead of the first CRA-specific scheme. The methodology choices ENISA locks in here (ISO/IEC 17065 CAB accreditation, the Wallet-aligned evaluation methodology) will carry into CRA-adjacent schemes later.

Frequently Asked Questions

What is CSA2, and is it a replacement for the current Cybersecurity Act?

CSA2 is a Commission proposal for a new regulation that revises the European Cybersecurity Certification Framework (ECCF) and amends the NIS2 directive. It is not a recast of the 2019 Cybersecurity Act. The proposal's four pillars are a harmonised ICT supply chain risk management framework, the revised ECCF, NIS2 simplification measures including a cyber posture scheme, and reinforcement of ENISA's mandate. Panel discussion at the conference put the draft length at 271 pages. For background on how CSA2 intersects with supply chain obligations, see our post on Cybersecurity Act 2 and supply chain certification.

Will there be a CSA scheme that covers CRA products by the time CRA fully applies?

Not on the current trajectory. The first two CSA schemes being finalised are the EUDI Wallet scheme (in public consultation, with ECCG adoption targeted for October 2026) and the EU MSS scheme (at draft v4, with public consultation starting in July 2026 and endorsement targeted for October 2026). Neither covers CRA product categories. Fohrenbach stated the Commission intends to specify, before the end of 2026, how the EUCC can be used to demonstrate conformity with the CRA, which would give Critical and some Important products a path. For the current module options while that work completes, see the conformity assessment decision guide.

What is the cyber posture scheme, and does certifying under it prove NIS2 compliance?

The cyber posture scheme is a proposed CSA2 scheme designed to let entities demonstrate NIS2 compliance through certification. It is the flagship use case for the extension of CSA2 scope from products, services and processes to entities. The important caveat: the Commission has not yet agreed the cert-to-NIS2 linkage with Member States. Fohrenbach described it as "subject to negotiation", and flagged that NIS2 is a directive, so the scheme must sit alongside national transpositions. The proposed lever is an implementing regulation with maximum harmonisation on the baseline requirements. Two related audience questions at the conference, on whether a formal NIS2 supervision statement would be a sounder basis, and on how the scheme handles entities operating in several Member States, did not receive a stage answer. Treat the route as policy direction, not settled fact.

What is the CAB capacity gap, and should I plan around it?

"By December 2026, sufficient notified bodies in place" is a Commission aspiration, not a guarantee by Member State. BSI confirmed on the panel that it is prioritising Module H (quality system) over Module B (type examination) for CRA, and several other Member States are in the Module B camp without publicly naming themselves. Greece does not currently have an eIDAS national accreditation body, and Soumelidis stated that around two-thirds of European countries are in the same position. If your product requires third-party assessment, check your home Member State's plan now and treat geography as a scheduling variable. For how importers should read CAB availability into supplier contracts, see the importer verification guide.

How does the EUDI Wallet scheme relate to the CRA, if at all?

The EUDI Wallet scheme is the first CSA scheme for ICT services, not products. It does not apply directly to CRA products. But it is the clearest preview of how ENISA will handle SBOMs, supply chain evidence, ISO 27001 treatment, and continuous surveillance in any future CRA-adjacent CSA scheme. For mobile wallet applications placed on the market commercially, CRA and the wallet scheme can both apply in parallel. For a full breakdown, see our post on the EUDI Wallet scheme and CRA conformity.

What is the difference between certification and qualification that ANSSI raised?

Certification assesses conformity of a service (or product, or process) against a defined baseline. Qualification, as ANSSI applies it, additionally assesses the trust that can be placed in the service provider as an entity, and it is granted to the provider, not to a specific service delivery. France has run its qualification schemes since 2013 (PASSI), and introducing substantial-level qualification brought SMEs into the qualified-provider pool; 60 to 70% of PASSI-qualified companies are now SMEs. The distinction matters for the EU MSS scheme because the scheme as drafted certifies services, not providers, which is one of the nine comment themes raised against draft v3.

What is in Guía CCN-STIC 896 and why does it matter outside Spain?

CCN-STIC 896 is the Spanish MSS model, layered on top of the ENS (Esquema Nacional de Seguridad). The CCN reports 3,578 certified entities under ENS, 25 MSS certified services delivered by 5 MSSPs, and 304 integrated SOCs in the national network of SOCs. Pablo Fernandez (CCN-CNI) stated at the conference that STIC 896 will be available in English in a couple of weeks. For non-Spanish MSSPs, it is one of the few public, working references that uses the horizontal plus vertical layer architecture the EU MSS scheme is building on.

What should I do before the December 2026 notified-body deadline?

Map three things. First, your product's position in the CRA tier (Default, Important Class I, Important Class II, Critical), because that determines whether third-party assessment is optional, conditional, or mandatory. Second, the notified-body landscape in your home Member State, with a fallback plan if no NB is notified for your module by late 2026. Third, your evidence readiness (SBOM, technical file, CVD policy, vulnerability handling), because those artefacts are the input to any module. For a concrete artefact checklist, see our technical file guide and the SBOM generation guide.

Next Steps

What to do in the next quarter

  1. Watch ENISA's event page for the published slides and recordings from the 15 April 2026 session.
  2. Classify each of your products under the CRA tiers. That decides whether December 2026 notified-body availability is a blocker for you or not.
  3. Ask your national accreditation body what its CRA notification plan is. "Sufficient notified bodies by December 2026" is not guaranteed per Member State.
  4. Track the EUCC-to-CRA presumption of conformity work. The 18 pilots and the Commission's end-of-2026 target are the two dates that matter here.
  5. Prepare evidence now, not after a CAB is asking for it. Start with SBOM generation, technical file assembly, and a CVD policy.

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.
