The Certifications & Standards module in Venvera helps your organisation track cybersecurity certifications and EU certification schemes as referenced by NIS2 Article 24. This article explains the regulatory background, documents every form field, describes the ten certification scheme options, and provides guidance on renewal management and audit readiness.
Regulatory Context — Article 24
What Art. 24 Requires
Article 24 of NIS2 empowers Member States to require essential or important entities to use particular ICT products, ICT services, and ICT processes that have been certified under European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 (the Cybersecurity Act). The key points are:
- Member States may require entities to use certified ICT products/services/processes.
- Certification is based on EU cybersecurity certification schemes developed by ENISA (the EU Agency for Cybersecurity).
- Until harmonised EU schemes are fully available, national schemes or internationally recognised standards (e.g., ISO 27001, Common Criteria) may be accepted.
- Entities should demonstrate that their ICT products and services meet appropriate security levels through recognised certification.
The European Cybersecurity Certification Framework
The EU Cybersecurity Act (Regulation 2019/881) established a framework for European cybersecurity certification. Under this framework, ENISA develops candidate certification schemes that the European Commission can adopt. Key schemes include:
- EUCC (EU Common Criteria) — for ICT products, based on Common Criteria (ISO/IEC 15408).
- EUCS (EU Cloud Services) — for cloud services, covering security controls for cloud infrastructure and platforms.
- EU5G — for 5G network technologies (in development).
Until these EU-level schemes are widely adopted, organisations typically rely on international standards (ISO 27001, SOC 2) and sector-specific frameworks (PCI DSS, TISAX) to demonstrate security maturity.
Accessing the Certifications Module
Navigate to NIS2 → Certifications in the sidebar. The list page shows all tracked certifications with summary cards at the top.
Summary Cards
| Card | Description |
|---|---|
| Total | Total number of certifications tracked |
| Active | Count of certifications with "active" status (green text) |
| Expired | Count of expired certifications (red border when >0) |
| Expiring Soon | Active certifications expiring within 90 days (amber border when >0) |
Certifications Table
The main table displays columns for:
- Scheme — certification name and certificate number (if provided)
- Scope — what the certification covers (truncated to 200 chars)
- Issuing Body — the certification body that issued it
- Issued — issue date
- Expires — expiry date (red if expired, amber if expiring soon)
- Status — Active, Expired, Suspended, or Revoked
Adding a Certification
Click Add Certification to open the form.
Form Fields
| Field | Type | Badge | Description |
|---|---|---|---|
| Certification Scheme | Select / Custom text | Required | Choose from the ten predefined schemes or select "Other (custom)" to enter a custom scheme name. The dropdown includes: ISO/IEC 27001, SOC 2 Type II, EUCS, Common Criteria, TISAX, CSA STAR, PCI DSS, FIPS 140-2/140-3, ISO 22301, Cyber Essentials Plus. |
| Scope | Textarea | Required | Describe what the certification covers, e.g., "Information Security Management System covering cloud infrastructure and SaaS platform". This should match the scope statement on the actual certificate. |
| Issuing Body | Text | Required | The certification body or auditor, e.g., BSI, TUV, Deloitte, KPMG, Schellman. |
| Certificate Number | Text | Optional | The unique certificate ID or reference number as printed on the certificate. |
| Issue Date | Date | Required | The date the certificate was issued. |
| Expiry Date | Date | Optional | When the certificate expires. Used for renewal tracking and 90-day alerts. |
| Notes | Textarea | Optional | Additional context such as surveillance audit dates, scope changes, or renewal plans. |
The Ten Certification Scheme Options
Venvera pre-populates a dropdown with ten commonly used cybersecurity certification schemes. Here is what each covers and who typically needs it:
| Scheme | What It Covers | Who Typically Needs It |
|---|---|---|
| ISO/IEC 27001 | Comprehensive ISMS framework covering risk assessment, access control, cryptography, physical security via Annex A controls. | Any entity seeking widely recognised security certification. Strongly recommended for NIS2 compliance. |
| SOC 2 Type II | AICPA audit report on security, availability, integrity, confidentiality, and privacy controls over 6–12 months. | Cloud/SaaS providers. Common for US clients, increasingly accepted in the EU. |
| EUCS | EU cloud certification covering data localisation, security controls, and transparency at three assurance levels. | Cloud providers in the EU. Expected to become mandatory for high-risk use cases. |
| Common Criteria | ISO/IEC 15408 standard for IT product security evaluation using Assurance Levels (EAL1–EAL7). | ICT product vendors selling to government or regulated sectors. Art. 24 references EUCC. |
| TISAX | Automotive-specific security standard (ENX Association), based on ISO 27001 with sector additions. | Automotive manufacturers, suppliers, and service providers. |
| CSA STAR | Cloud-specific assessment (Self-Assessment, Audit, Continuous Monitoring) built on the Cloud Controls Matrix. | Cloud providers and consumers. Complements ISO 27001/SOC 2 for cloud assurance. |
| PCI DSS | Payment card security standard covering network security, data protection, vulnerability management, and access control. | Any organisation storing, processing, or transmitting payment card data. |
| FIPS 140-2/3 | US standard for cryptographic module validation with four security levels. FIPS 140-3 is the current version. | Organisations needing validated encryption. Relevant to Art. 21(2)(h) cryptography compliance. |
| ISO 22301 | Business continuity management covering BIA, continuity strategies, and exercise programmes. | Essential entities needing Art. 21(2)(c) business continuity evidence. |
| Cyber Essentials Plus | UK baseline covering firewalls, secure configuration, access control, malware protection, and patching. | UK-linked organisations. Solid baseline for Art. 21(2)(e) network security. |
Certification Status Workflow
Each certification has one of four statuses:
| Status | Meaning | Visual |
|---|---|---|
| Active | The certification is current and valid | Green badge with checkmark icon |
| Expired | The certificate's validity period has ended | Red badge with X icon |
| Suspended | The certification body has suspended the certificate (e.g., due to a non-conformity) | Amber badge with warning icon |
| Revoked | The certification body has permanently revoked the certificate | Red badge with X icon |
Renewal Management
Certification expiry is tracked automatically. The system applies three alert thresholds:
Certifications expiring within 90 days appear as Expiring Soon in the status column. The "Expiring Soon" summary card count increments, and the card border turns amber. This is your signal to begin the renewal audit process.
When the expiry date passes, the status automatically appears as Expired. The "Expired" summary card count increments, and the card border turns red.
Once the renewal audit is complete and a new certificate is issued, add a new certification record with the updated issue and expiry dates. The old record remains for historical tracking.
Step-by-Step Workflow
Go to NIS2 → Certifications in the sidebar.
Click the Add Certification button in the top-right corner.
Choose from the dropdown list (ISO/IEC 27001, SOC 2 Type II, etc.) or select "Other (custom)" to enter a scheme name manually.
Enter the certification scope exactly as it appears on the certificate. This is important for audit trail purposes.
Fill in the issuing body, certificate number, issue date, and expiry date.
Add any relevant notes (surveillance audit schedule, scope changes planned) and click Save Certification.
Which Certifications Demonstrate NIS2 Compliance?
While no single certification guarantees full NIS2 compliance, certain certifications provide strong evidence for specific Art. 21(2) measures:
| Art. 21(2) Measure | Relevant Certifications |
|---|---|
| (a) Risk Analysis & Policies | ISO/IEC 27001 (core requirement), SOC 2 Type II |
| (b) Incident Handling | ISO/IEC 27001 (A.16), SOC 2 (Common Criteria) |
| (c) Business Continuity | ISO 22301 (dedicated BCMS), ISO/IEC 27001 (A.17) |
| (d) Supply Chain Security | TISAX, ISO/IEC 27001 (A.15), SOC 2 |
| (e) Network & Systems Security | Cyber Essentials Plus, PCI DSS, ISO/IEC 27001 (A.12/A.13) |
| (f) Effectiveness Assessment | SOC 2 Type II (effectiveness over time), CSA STAR Level 3 |
| (g) Cyber Hygiene & Training | ISO/IEC 27001 (A.7), Cyber Essentials Plus |
| (h) Cryptography | FIPS 140-2/140-3, Common Criteria, ISO/IEC 27001 (A.10) |
| (i) HR Security & Access Control | ISO/IEC 27001 (A.7/A.9), SOC 2 |
| (j) MFA & Secure Communications | Cyber Essentials Plus, FIPS 140-2/140-3 |
Certifications as Audit Evidence
During a supervisory audit, your certifications register is a key evidence source. Best practices:
- Always enter the certificate number for traceability.
- Keep the scope aligned with the actual certificate — auditors check for mismatches.
- Use notes to record surveillance audit dates and corrective actions.
- Add new records for renewals rather than editing old ones to preserve history.
- Review the register quarterly to catch soon-to-expire certificates early.