Consultation on Candidate Cybersecurity Certification Scheme (GEN - 1136.00)

Connectivity of appliances as possible subject to certification schemes

GEN - 1136.00.png

2020 - Consultation on Candidate Cybersecurity Certification Scheme
© Copyright ENISA 2020

GEN - 1136.00. The sensitivity of the connectivity of appliances and equipment to cyberattacks has been mentioned in various meetings and seminars. The European Union has established a European Union Agency for Cybersecurity (ENISA) that has been looking at this issue for over 20 years, initially focussing on the financial sectors. Since last year it has been drawing up cybersecurity certification schemes. How much these schemes will extend to HVACR equipment is not yet known.


The connectivity of equipment is increasing and proliferating. While the hacking of equipment is relatively infrequent and often serves as a route to access financial accounts on should not underestimate the effects an attack might have on technical systems.

Even though the past years the risks were brought to the attention of the HVACR industry in meetings, seminars and events limited efforts have been made within the HVACR industry to deal them.

Cybersecurity certification

A European level the cybersecurity regulation 526/2013 appeared seven years ago. Meanwhile the Commission has sought to harmonise the different cybersecurity certification policies in the member states with the aim to speed up the secure development of European ICT infrastructures and services.

The updated Cybersecurity Act (Regulation 2019/881) itself introduces an EU-wide cybersecurity certification framework for ICT products, services and processes. Companies doing business in the EU will benefit from having to certify their ICT products, processes and services only once and see their certificates recognised across the European Union.

Consultation until 31 July 2020

The European Union Agency for Cybersecurity, ENISA, has opened a public consultation for interested parties to share feedback on the draft of the Common Criteria based European cybersecurity certification scheme (EUCC) ( This draft is extensive and contains 280 pages written largely with cybersecurity experts in mind.

Application of cybersecurity certification in HVACR

Today, it is difficult to assess in how far such certification schemes would extend to the HVACR industry. It is possible that such certification would in future be required by certain customers.

Recommended Actions

The associations and manufacturers dealing with the cybersecurity aspects of the connectivity of equipment may be encouraged to participate to this consultation.

Product Groups should consider, at a general level, the issue of cybersecurity.

Related documents and links

All related documents and articles can be found in the respective sections in the right sidebar.