Union Testing Facilities Operated by ENISA

Article 26 addresses a practical capacity constraint in CRA enforcement: national market surveillance authorities need access to high-quality, independent cybersecurity testing to challenge non-compliant products. Without dedicated testing facilities, authorities must commission tests from commercial labs that may not have sufficient capacity or whose independence could be questioned.

Union testing facilities are specifically established to support market surveillance activities — they are not commercial conformity assessment bodies and do not issue CE marking certificates. Their role is investigative and enforcement-oriented: testing products that authorities suspect may not comply with CRA requirements, generating evidence to support corrective action orders, and providing technical expertise to national authorities that may lack in-house cybersecurity assessment capability.

The designation of ENISA as the coordinator or operator of these facilities reflects ENISA's central role in the CRA's technical and enforcement architecture and its existing expertise in cybersecurity testing and certification.

Union testing facilities can conduct a range of testing activities relevant to CRA enforcement, including:

Compliance verification: Testing whether specific products meet the essential requirements in Annex I, particularly when manufacturers' self-declarations are disputed by authorities.

Incident analysis: Analysing products involved in cybersecurity incidents to determine whether vulnerabilities resulted from non-compliance with CRA requirements.

Standard validation: Assessing whether specific harmonised standards adequately cover the essential requirements they purport to address, supporting Article 9 proceedings.

Capacity building: Providing technical expertise and training to national authorities to improve their capability to assess CRA compliance independently.

Results from Union testing facilities carry significant weight in enforcement proceedings, given the independent and publicly accountable nature of the facilities.

Article 26 allows the Commission to designate existing testing facilities — including those at national cybersecurity agencies, national metrology institutes, and accredited research institutions — as Union testing facilities, rather than requiring construction of entirely new infrastructure.

This pragmatic approach allows the EU to leverage existing technical capacity across member states. National cybersecurity agencies with established testing laboratories, such as the BSI in Germany or ANSSI in France, may be designated to provide Union testing services in addition to their national roles.

For manufacturers, the designation of Union testing facilities means that enforcement testing of their products could be conducted by ENISA-coordinated bodies with high levels of technical expertise and institutional independence. The quality of enforcement testing is likely to be high, reducing the scope for manufacturers to dismiss technical findings on competence grounds.

Article 26 contemplates that Union testing facilities will be funded through EU budget allocations, given their public enforcement function. ENISA's budget under the Cybersecurity Act includes provisions for technical activities that would encompass Union testing facility operations.

The availability of EU funding for Union testing facilities ensures that national authorities can access testing services without bearing the full cost themselves — a particularly important provision for smaller member states with limited national cybersecurity testing infrastructure.

For manufacturers, this funding model means that enforcement testing is more likely to be comprehensive and technically rigorous than it might be if authorities needed to commission tests from their own limited budgets. The availability of well-resourced testing capacity should incentivise manufacturers to ensure genuine compliance rather than relying on resource constraints limiting enforcement.