Source: OJ L 333, 27.12.2022, p. 80–152

Current language: EN

Article 24 Use of European cybersecurity certification schemes


Summary What does Article 24 of the NIS 2 directive say?

This article sits alongside Article 21, which sets out the core cybersecurity risk-management obligations for essential and important entities.

Article 24 introduces a certification dimension to those obligations, establishing a mechanism by which compliance with Article 21 can be demonstrated through the use of certified ICT products, services, and processes.

It operates on two levels: Member States can require entities to use certified ICT tools, and the Commission holds a broader power to mandate specific certification requirements across categories of entities where cybersecurity levels are found to be insufficient.

Important points:

  • Member States may require essential and important entities to use ICT products, services, and processes certified under European cybersecurity certification schemes as a means of demonstrating compliance with Article 21.
  • The Commission is empowered to adopt delegated acts specifying which categories of essential and important entities must use certified ICT products, services, and processes — but only where insufficient levels of cybersecurity have been identified, and an impact assessment must be carried out beforehand.
  • Where no suitable European cybersecurity certification scheme exists, the Commission may request ENISA to prepare a candidate scheme, after consulting the Cooperation Group and the European Cybersecurity Certification Group.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. In order to demonstrate compliance with particular requirements of Article 21, Member States may require essential and important entities to use particular ICT products, ICT services and ICT processes, developed by the essential or important entity or procured from third parties, that are certified under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. Furthermore, Member States shall encourage essential and important entities to use qualified trust services.

    1. The Commission is empowered to adopt delegated acts, in accordance with Article 38, to supplement this Directive by specifying which categories of essential and important entities are to be required to use certain certified ICT products, ICT services and ICT processes or obtain a certificate under a European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881. Those delegated acts shall be adopted where insufficient levels of cybersecurity have been identified and shall include an implementation period.

    2. Before adopting such delegated acts, the Commission shall carry out an impact assessment and shall carry out consultations in accordance with Article 56 of Regulation (EU) 2019/881.

    1. Where no appropriate European cybersecurity certification scheme for the purposes of paragraph 2 of this Article is available, the Commission may, after consulting the Cooperation Group and the European Cybersecurity Certification Group, request ENISA to prepare a candidate scheme pursuant to Article 48(2) of Regulation (EU) 2019/881.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod