NIS2 Article 24 — European cybersecurity certification schemes
Article 24 is the "the Commission can make this mandatory later" article. Member states may require in-scope entities to use ICT products, services or processes that are certified under a European Cybersecurity Certification Scheme (EUCC) for specific Article 21 measures. As of 2026, EUCC schemes exist for Common-Criteria-style product certification; broader sectoral schemes (cloud, 5G) are in the pipeline. Treat this article as a tracker — what was voluntary at NIS2 transposition can become mandatory by implementing act.
Who Article 24 applies to
Every NIS2 in-scope entity in member states that activate the Art. 24 power. As of May 2026, no member state has issued a binding Art. 24 implementing act — but the legal basis is live.
What Article 24 obliges you to do
- Track which European cybersecurity certification schemes apply to your ICT supply chain
- Maintain a register of certified vs uncertified critical ICT components
- When a member state activates Art. 24 for a scheme, migrate affected components within the timeline set by the implementing act
- Document the certification status of cryptographic modules used (overlap with Art. 21(2)(h))
Common misconception
"Art. 24 is voluntary — I can ignore it."
Half-true. The Article itself sets up a voluntary scheme — but it explicitly gives member states and the Commission the power to make specific certification schemes mandatory by implementing act. Inventory your certifiable components now; reactively scrambling when the mandatory window opens is the failure mode.
Get the external-posture evidence in 60 seconds
An auditor reviewing Article 24 compliance will ask for evidence. SaaSFort produces the externally-observable portion (TLS, headers, DNS, certs, exposed surfaces) in 60 seconds — mapped to Art. 21 sub-clauses and ISO 27001 Annex A.
Frequently asked questions
Which EUCC schemes are live in 2026?
The EUCC scheme for ICT products (Common-Criteria-equivalent) is operational; the EUCS (Cloud Services) scheme is in draft as of 2026. Track ENISA publications for the current list — sectoral schemes (5G, AI) are in the pipeline.
Do I need an EUCC certificate for my own SaaS to be NIS2-compliant?
Not currently. Art. 24 governs which third-party ICT components your supplier register flags as certified. Your own SaaS's direct Art. 21 compliance is independent of Art. 24 (unless a member state mandates it for your sector).