05
European Commission and Stakeholders
Cybersecurity
The Commission Implementing Regulation (EU) 2024/482 laying down rules for the application of Regulation (EU) 2019/881 regarding the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) was published in January 2024.
The new EUCC scheme allows ICT suppliers who wish to showcase proof of assurance to go through an EU commonly understood assessment process to certify ICT products such as technological components (chips, smartcards), hardware, and software.
An essential part of the EUCC scheme is the accreditation in the meaning of Regulation (EC) No 765/2008 of ITSEFs (laboratories) and Certification Bodies, which evaluate and certify ICT products.
In close collaboration with EA, ENISA prepared, inter alia, the following documents, which were published in December 2024 by the Commission Implementing Regulation (EU) 2024/3144:
- A new State-of-the-Art document related to the accreditation of certification bodies,
- A revised State-of-the-Art document related to the accreditation of cybersecurity testing facilities (ITSEFs).
Workshop EU Cybersecurity Act: Implementing Regulation on the EUCC scheme and SotA documents for accreditation
Around 85 delegates from National Accreditation Bodies and Cybersecurity Certification Agencies attended an online workshop on 20 June 2024, discussing the EU Cybersecurity Act, the EU Common Criteria (EUCC) scheme, and State-of-the-Art (SotA) documents for accreditation.
Ingrid Lauringson (European Commission, DG CONNECT) provided an overview of the EU Cybersecurity Certification Framework, the Cybersecurity Act (Regulation (EU) 2019/881), and its connection to the upcoming Cyber Resilience Act.
Philippe Blot (ENISA) presented the Implementing Regulation (EU) 2024/482 on the EUCC scheme and related accreditation documents for Certification Bodies and ITSEFs.
Rosalina Porres (ENAC, Spain) shared practical insights on implementing EUCC accreditation documents.
Close collaboration between EA and the European Data Protection Board on the implementation of the GDPR
The European Data Protection Board (EDPB) is responsible for consistently applying and enforcing data protection law across the European Economic Area (EEA). This includes implementing the EU General Data Protection Regulation (GDPR) regarding accreditation and certification issues.
According to the GDPR, one option to demonstrate the competence of certification bodies in relation to data protection is to have them accredited by their National Accreditation Body in accordance with Regulation (EC) No 765/2008. The vast majority of Member States have opted for this approach.
The accreditation of certification bodies shall be based on EN ISO/IEC 17065 and the additional criteria approved by the national supervisory authority or the EDPB.
For this purpose, EA and the EDPB enhanced their collaboration in 2024 to ensure a harmonised approach for the accreditation of certification bodies by EEA National Accreditation Bodies, and that the criteria which shall be applied in several Member States (European schemes) are in compliance with accreditation rules.
Corporate sustainability reporting directive (CSRD)
EU law requires companies above a certain size to disclose information on what they see as the risks and opportunities arising from social and environmental issues, and on the impact of their activities on people and the environment. This helps investors, civil society organisations, consumers and other stakeholders to evaluate the sustainability performance of companies, as part of the European Green Deal. Companies subject to the Directive (EU) 2022/2464 regarding corporate sustainability reporting (CSRD) have to report according to European Sustainability Reporting Standards (ESRS).
Member States may decide that independent assurance services providers can be engaged to verify the sustainability information. These independent assurance services providers shall be accredited in accordance with Regulation (EC) No 765/2008.
Regarding the implementation of the CSRD, EA cooperates with ESMA (the European Securities and Markets Authority) and CEAOB (the Committee of European Auditing Oversight Bodies).
In April 2024, EA and ESMA defined the next steps of cooperation, especially regarding the definition of the most suitable standard for accreditation under the CSRD and the additional technical requirements.
EA also started to cooperate with CEAOB regarding the implementation of the CSRD. During the November 2024 kick-off meeting, EA and CEAOB discussed several technical items, which include the common understanding about the work of independent assurance services providers and their accreditation.
electronic Freight Transport Information (eFTI)
The European Commission published the Regulation (EU) 2020/1056 on electronic freight transport information (eFTI) in July 2020. This Regulation includes the certification of eFTI platforms and eFTI service providers by certification bodies that are accredited by the National Accreditation Body in accordance with Regulation (EC) No 765/2008.
As of January 2026, eFTI platforms and service providers can start preparing for operations. Member State authorities may start accepting data stored on certified eFTI platforms for inspection. That means that certification bodies must be accredited well before this date.
The eFTI Regulation will apply in full from 09 July 2027. Accordingly, Member State authorities must accept information shared electronically by operators via certified eFTI platforms.
EA is cooperating with the European Commission regarding the preparation of the Delegated Act on the rules for certification of eFTI platforms and service providers.
EUDI Wallet Certification
In November 2024, the European Commission published the Implementing Regulation (EU) 2024/2981 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and the Council regarding the certification of European Digital Identity Wallets.
European Digital Identity Wallets will allow everyone in Europe to securely identify themselves when accessing public and private services, and store and display digital documents like mobile driving licenses and education credentials, all from their mobile phones. They will also enhance privacy by only sharing the exact information agreed to. The provision and operation of wallet solutions and of the electronic identification schemes under which they are provided shall be the object of certification as defined in national certification schemes. The object of certification shall include, inter alia, software and hardware components as well as platforms on which the software components run or on which they rely for critical operations.
Bodies certifying wallet solutions shall be accredited by National Accreditation Bodies – appointed pursuant to Regulation (EC) No 765/2008 – in accordance with EN ISO/IEC 17065, provided that they comply with the requirements set out in national certification schemes.
EA is actively cooperating with the European Commission and ENISA. In this context, a workshop on the Certification of European Digital Identity Wallets is organised with the European Commission on 27 February 2025. The event will deal with the implementation of Regulation (EU) 2024/2981 on EUDI Wallet certification, and the state of play regarding the EUDI Wallet certification scheme.
EA Advisory Board
The EA Advisory Board (EAAB) management was renewed in November 2025 for a new 3-year term until November 2028:
- Alexander Šafařík-Pštrosz (EUROLAB), Andrew Evans (CAPIEL) and Ariane Van Cutsem (NA Belgium) have been elected within their respective colleges as the chairs of, respectively, the EAAB Conformity Assessment Bodies’ (CAB) College, Industry, Services and Trade College, and National Authorities’ (NA) College.
- Andrew Evans (Industry College, CAPIEL) has been elected the Chair of the EAAB, and Alexander Šafařík-Pštrosz and Ariane Van Cutsem as the Vice-Chairs of the EAAB.
The EAAB Terms of Reference and Rules of Procedure have been updated to reflect the current procedures of the Board:
- establishment of in-between meetings between the college chairs and EA and hybrid meetings,
- reports provided to the Secretariat for the EA General Assemblies are considered as annual reports of the EAAB.
The EAAB urged EA to continue the ongoing dialogue with the various services of the European Commission and regulators to establish harmonised conditions for implementing the new regulations relating to new technologies, and encouraged EA to invite its member NABs to approach and work with their respective National Authorities towards this objective.
As APPLIA (a Brussels-based trade association representing one of Europe’s largest manufacturing sectors for turnover and employment) became a new EAAB member, it was automatically recognized as an EA Recognized Stakeholder.