
EU Cybersecurity Certification: What ICT Companies Must Do in 2026

Equipo Editorial CambiosLegales
13 Apr 2026

Key data

Regulation: Corrigendum to Regulation (EU) 2019/881 — CELEX:32019R0881R(07)
Publication: 11 March 2026
Entry into force: Not specified
Affected parties: Technology companies, ICT product manufacturers and digital service providers in the EU
Category: European Regulation
Base Regulation: Regulation (EU) 2019/881 — Cybersecurity Regulation
Competent body: ENISA — European Union Agency for Cybersecurity

ICT product manufacturers and digital service providers operating in Europe face a growing obligation: to obtain cybersecurity certifications recognized throughout the EU. The framework governing this is Regulation (EU) 2019/881, known as the Cybersecurity Regulation, which establishes the permanent mandate of ENISA and creates the European cybersecurity certification system.

The corrigendum published on 11 March 2026 (CELEX reference: 32019R0881R(07)) introduces adjustments of a technical-legal nature that do not alter the substantive regulatory framework. In other words: the obligations for technology companies, manufacturers and digital service providers remain intact. What changes are formal aspects of the legal text, not the certification requirements.

What does this regulation establish?

Regulation (EU) 2019/881 has two fundamental pillars:

  • Permanent ENISA mandate: The European Union Agency for Cybersecurity receives a stable and reinforced mandate to support companies, Member States and European institutions in cybersecurity matters.
  • European cybersecurity certification framework: A system of certifications valid throughout the EU is created for ICT products and services, eliminating the need to obtain different national certifications in each Member State.

ENISA develops certification schemes progressively. Each scheme defines the requirements, assurance levels and evaluation procedures applicable to a specific category of products or services. Companies must be aware of which schemes are already active and which are under development for their sector.

Regulation element | Description
ENISA mandate | Permanent — strengthens the agency's role as a European cybersecurity reference
European certifications | Valid throughout the EU — replace multiple national certifications
Affected products | Connected products, software, cloud services
Scheme development | Progressive — ENISA publishes schemes by categories in a staggered manner
Corrigendum 11/03/2026 | Technical-legal — does not modify substantive obligations

Economic and operational impact

For ICT companies, the impact of the Cybersecurity Regulation translates into two concrete dimensions:

Certification cost: Obtaining a European cybersecurity certification involves evaluation, audit and maintenance costs. These costs vary depending on the assurance level required by each scheme (basic, substantial or high) and the type of product or service. The Regulation does not set specific amounts, as they depend on the applicable scheme and the evaluation body.

Market opportunity: European certification eliminates current fragmentation, where a company had to obtain different certifications in each Member State where it operated. This represents a direct saving for companies selling in multiple EU countries and a competitive advantage over non-certified competitors.

Operational impact: Companies must integrate cybersecurity requirements into their product development and service delivery processes from the initial phases, not as a layer added at the end. This affects development, product, legal and compliance teams.

Who does it affect?

  • Manufacturers of connected products (IoT): Devices with connectivity that are marketed in the EU.
  • Software developers: Companies that create and distribute applications, operating systems or software solutions in the European market.
  • Cloud service providers: Companies that offer infrastructure, platform or software as a service (IaaS, PaaS, SaaS) to customers in the EU.
  • Digital service providers: Any company that provides digital services subject to certification schemes approved by ENISA.
  • Technology companies with presence in the European digital single market: Regardless of their headquarters, if they market ICT products or services in the EU they fall within the scope of the Regulation.

Practical example

A Spanish company that develops a SaaS business management platform and markets it in Spain, France and Germany would currently need, in theory, to comply with the cybersecurity certification requirements of each of those three markets separately.

Under the framework of Regulation (EU) 2019/881, when ENISA publishes the certification scheme applicable to cloud services, this company will be able to obtain a single European certification recognized in all three countries simultaneously. This eliminates audit duplication, reduces certification maintenance costs and simplifies compliance documentation for customers and administrations in different Member States.

The immediate step for this company is to identify which ENISA scheme applies to its type of service and what phase of development it is in, in order to plan the certification process with sufficient advance notice.


What should companies do now?

  1. Identify if your products or services fall within the scope of the Regulation: Review whether you manufacture connected products, develop software or provide cloud services aimed at the European market. If so, Regulation (EU) 2019/881 applies to you.
  2. Monitor the certification schemes that ENISA is developing: ENISA publishes schemes progressively. Consult ENISA's official portal to identify which schemes are already approved and which are under development for your product or service category.
  3. Evaluate the required assurance level: Certification schemes contemplate different levels (basic, substantial, high). The required level depends on the risk associated with the product or service. Determine which level applies to your case to size the effort and cost of certification.
  4. Integrate cybersecurity requirements into the development cycle: Do not wait until the product is finished to seek certification. Incorporate security controls from design (security by design) to reduce the cost and time of the evaluation process.
  5. Designate an internal regulatory monitoring officer: Assign a person or team the task of monitoring the evolution of ENISA schemes and coordinating the certification process when required.
  6. Review contracts with customers and suppliers: If you provide services to other companies or public administrations in the EU, anticipate that your customers may require European certification as a contractual or procurement requirement.

Frequently asked questions

What companies are required to certify under the EU Cybersecurity Regulation?

Technology companies that develop connected products, software or cloud services, as well as ICT product manufacturers and digital service providers operating in the EU are affected. Regulation (EU) 2019/881 is the reference framework.

What is ENISA and what role does it play in cybersecurity certification?

ENISA is the European Union Agency for Cybersecurity. It has a permanent mandate under Regulation (EU) 2019/881 to develop and maintain certification schemes for ICT products and services. These schemes define the requirements and evaluation procedures that companies must meet to obtain EU-wide recognized certifications.

When do companies need to be certified?

The timing depends on the certification scheme applicable to each product or service category. ENISA is developing schemes progressively. Some schemes may already be mandatory, while others are still under development. Companies should monitor ENISA's official portal to know the status of the scheme applicable to their sector.

Is the corrigendum of 11 March 2026 going to change the certification obligations?

No. The corrigendum is technical-legal in nature and corrects formal errors in the text of Regulation (EU) 2019/881. It does not modify the substantive obligations for companies. Certification requirements remain the same.

What are the assurance levels in ENISA certification schemes?

ENISA schemes typically define three assurance levels: basic, substantial and high. Each level corresponds to a different level of security rigor and evaluation intensity. The applicable level depends on the risk profile of the product or service and is determined by the specific scheme.

Can a company certified in one Member State use that certification in another?

Yes. That is precisely the purpose of the European certification framework. A certification obtained under an ENISA scheme is valid throughout the EU, eliminating the need for separate national certifications.

Official source

Corrigendum to Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification, and repealing Regulation (EU) No 526/2013 (CELEX:32019R0881R(07), published 11 March 2026).

Disclaimer: This article is for informational purposes only and does not constitute legal advice. The interpretation and application of EU regulations may vary depending on specific circumstances. Companies should consult with legal and compliance professionals to assess their specific obligations under Regulation (EU) 2019/881 and to develop an appropriate certification strategy. The information contained herein is based on the regulatory text as of the publication date and may be subject to updates or amendments by ENISA or EU institutions.


