icon-grid
Better Regulation logo
Table of Contents

Table of Contents

Expand all headings Collapse all headings Expand side bar Collapse side bar
Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance)RecitalsTitle I General provisions (arts. 1-2)Article 1 Subject matter and scopeArticle 2 DefinitionsTitle II ENISA (The European union agency for cybersecurity) (arts. 3-45)Chapter I Mandate and objectives (arts. 3-4)Article 3 MandateArticle 4 ObjectivesChapter II Tasks (arts. 5-12)Article 5 Development and implementation of Union policy and lawArticle 6 Capacity-buildingArticle 7 Operational cooperation at Union levelArticle 8 Market, cybersecurity certification, and standardisationArticle 9 Knowledge and informationArticle 10 Awareness-raising and educationArticle 11 Research and innovationArticle 12 International cooperationChapter III Organisation of ENISA (arts. 13-28)Article 13 Structure of ENISASection 1 Management Board (arts. 14-18)Article 14 Composition of the Management BoardArticle 15 Functions of the Management BoardArticle 16 Chairperson of the Management BoardArticle 17 Meetings of the Management BoardArticle 18 Voting rules of the Management BoardSection 2 Executive Board (art. 19)Article 19 Executive BoardSection 3 Executive Director (art. 20)Article 20 Duties of the Executive DirectorSection 4 ENISA Advisory Group, Stakeholder Cybersecurity Certification Group and National Liaison Officers Network (arts. 21-23)Article 21 ENISA Advisory GroupArticle 22 Stakeholder Cybersecurity Certification GroupArticle 23 National Liaison Officers NetworkSection 5 Operation (arts. 24-28)Article 24 Single programming documentArticle 25 Declaration of interestsArticle 26 TransparencyArticle 27 ConfidentialityArticle 28 Access to documentsChapter IV Establishment and structure of ENISA's budget (arts. 29-33)Article 29 Establishment of ENISA's budgetArticle 30 Structure of ENISA's budgetArticle 31 Implementation of ENISA's budgetArticle 32 Financial rulesArticle 33 Combating fraudChapter V Staff (arts. 34-37)Article 34 General provisionsArticle 35 Privileges and immunityArticle 36 Executive DirectorArticle 37 Seconded national experts and other staffChapter VI General provisions concerning ENISA (arts. 38-45)Article 38 Legal status of ENISAArticle 39 Liability of ENISAArticle 40 Language arrangementsArticle 41 Protection of personal dataArticle 42 Cooperation with third countries and international organisationsArticle 43 Security rules on the protection of sensitive non-classified information and classified informationArticle 44 Headquarters Agreement and operating conditionsArticle 45 Administrative controlTitle III Cybersecurity certification framework (arts. 46-65)Article 46 European cybersecurity certification frameworkArticle 47 The Union rolling work programme for European cybersecurity certificationArticle 48 Request for a European cybersecurity certification schemeArticle 49 Preparation, adoption and review of a European cybersecurity certification schemeArticle 50 Website on European cybersecurity certification schemesArticle 51 Security objectives of European cybersecurity certification schemesArticle 52 Assurance levels of European cybersecurity certification schemesArticle 53 Conformity self-assessmentArticle 54 Elements of European cybersecurity certification schemesArticle 55 Supplementary cybersecurity information for certified ICT products, ICT services and ICT processesArticle 56 Cybersecurity certificationArticle 57 National cybersecurity certification schemes and certificatesArticle 58 National cybersecurity certification authoritiesArticle 59 Peer reviewArticle 60 Conformity assessment bodiesArticle 61 NotificationArticle 62 European Cybersecurity Certification GroupArticle 63 Right to lodge a complaintArticle 64 Right to an effective judicial remedyArticle 65 PenaltiesTitle IV Final provisions (arts. 66-69)Article 66 Committee procedureArticle 67 Evaluation and reviewArticle 68 Repeal and successionArticle 69 Entry into forceAnnex - Requirements to be met by conformity assessment bodiesDone at
Page Overview
Document Overview
Tools
Set a date to view the document
Text comparison options
Full text - Date 1 vs Date 2
Amendments requiring commencement - Current text vs Text requiring commencement
Draft proposed changes - Current text vs Text proposed by drafting documents
Coming soon: Any documents - Any document vs Another document at any date
Print / Export options
Current page
Whole document
Selected pages
Consolidated PDF of the entire document as of 26th December 2024
Export
Export line by line
Export provision to provision
Report template
Create report template
Alert me to changes
Manage alerts
Bookmarks
This page
This document
Manage bookmarks
Search within this document
View previous searches
Share
Get page link
Share via email application
PreviousNext
Version status: Entered into force | Document consolidation status: No known changes
Version date: 27 June 2019 - onwards
Version 2 of 2

Article 51 Security objectives of European cybersecurity certification schemes

Proposed changes

A European cybersecurity certification scheme shall be designed to achieve, as applicable, at least the following security objectives:

(a) to protect stored, transmitted or otherwise processed data against accidental or unauthorised storage, processing, access or disclosure during the entire life cycle of the ICT product, ICT service or ICT process;

(b) to protect stored, transmitted or otherwise processed data against accidental or unauthorised destruction, loss or alteration or lack of availability during the entire life cycle of the ICT product, ICT service or ICT process;

(c) that authorised persons, programs or machines are able only to access the data, services or functions to which their access rights refer;

(d) to identify and document known dependencies and vulnerabilities;

(e) to record which data, services or functions have been accessed, used or otherwise processed, at what times and by whom;

(f) to make it possible to check which data, services or functions have been accessed, used or otherwise processed, at what times and by whom;

(g) to verify that ICT products, ICT services and ICT processes do not contain known vulnerabilities;

PreviousNext