EU Cybersecurity Act

What is the EU Cybersecurity Act?


The EU Cybersecurity Act, formally known as Regulation (EU) 2019/881, was adopted in 2019 and came into full effect in 2021.

The Act focuses on two main objectives:

  • Strengthening the EU Agency for Cybersecurity (ENISA) with a permanent mandate and additional resources and personnel to enhance its activities and expertise.

  • Establishing a European cybersecurity certification framework that aims to harmonize cybersecurity certifications for ICT products, services, and processes across the EU.

Once a product or service is certified under the EU framework, it becomes mutually recognized across all member states. This eliminates the need for companies to go through separate national certification processes, saving time and resources.


MergeBase and the EU Cybersecurity Act


The products and services we currently offer do not need to undergo certification under the EU Cybersecurity Act. However, should some of our products require such certification in the future, we will take all the necessary steps to obtain it.


How Can MergeBase Help You Certify Under the EU Cybersecurity Act?


If certifying your products depends on how safe they are, which likely is the case, we can help with:

  • Vulnerability Management. The EU framework emphasizes addressing vulnerabilities in ICT products and services. MergeBase’s continuous scanning and identification of vulnerabilities in open-source components used in applications aligns with this focus. By demonstrating proactive vulnerability management through MergeBase, companies can showcase their commitment to a secure development lifecycle and potentially strengthen their application for specific certification levels.

  • Incident Response. While the framework currently doesn’t explicitly require incident response capabilities, demonstrating a robust incident response plan and process can enhance a company’s overall security posture. MergeBase can contribute to this by providing insights into potential vulnerabilities that attackers might exploit and suggesting remediation steps, contributing to faster response and mitigation efforts.

  • Continuous Monitoring. The framework emphasizes the importance of continuous monitoring for vulnerabilities and threats. MergeBase’s continuous scanning capabilities contribute to this, providing ongoing insights into potential security issues. Integrating MergeBase with other security tools and processes can further strengthen a company’s continuous monitoring efforts.