Use of European cybersecurity certification schemes
Directive on the security of network and information systems · UE 2022/2555
Use of European cybersecurity certification schemes
1. In order to demonstrate compliance with particular requirements of Article 21, Member States may require essential and important entities to use particular ICT products, ICT services and ICT processes, developed by the essential or important entity or procured from third parties, that are certified under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. Furthermore, Member States shall encourage essential and important entities to use qualified trust services.
2. The Commission is empowered to adopt delegated acts, in accordance with Article 38, to supplement this Directive by specifying which categories of essential and important entities are to be required to use certain certified ICT products, ICT services and ICT processes or obtain a certificate under a European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881. Those delegated acts shall be adopted where insufficient levels of cybersecurity have been identified and shall include an implementation period.
Before adopting such delegated acts, the Commission shall carry out an impact assessment and shall carry out consultations in accordance with Article 56 of Regulation (EU) 2019/881.
3. Where no appropriate European cybersecurity certification scheme for the purposes of paragraph 2 of this Article is available, the Commission may, after consulting the Cooperation Group and the European Cybersecurity Certification Group, request ENISA to prepare a candidate scheme pursuant to Article 48(2) of Regulation (EU) 2019/881.
In Luxembourg, the ILR (Institut Luxembourgeois de Regulation) is the competent authority that carries out inspections and assesses whether the chosen ICT products and services are certified under a recognised European scheme. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, transposes this prescription power and confirms the encouragement to use qualified trust services listed on the national trusted list.
Luxgap practice: verify that your signature and timestamping providers appear on the Luxembourg trusted list and that your critical ICT products hold a valid EUCC certificate, documented in a file enforceable before the ILR.