All studies recently published agree. Industrial Automation and Control Systems (IACS) increasingly constitutes a target for cyber-attacks aiming at disturbing Member States’ economies, at disabling our critical infrastructures or at taking advantage from our people. Such hostile acts take place in a context of geostrategic tensions, for the satisfaction of organised crime’s purposes, or else in support of possible activist causes. In this context, the ERNCIP Thematic Group (TG) “Case studies for the cybersecurity of Industrial Automation & Control Systems” was started in January 2014 to answer the question: “Do European critical infrastructure operators need to get IACS’ components or subsystems tested and “certified” (T&C) with regards to their cybersecurity?” And should the answer have been yes, it had to answer a corollary question: “What are (roughly) the conditions of feasibility for implementing successfully a European IACS components cybersecurity Compliance & Certification Scheme?” This TG’s undertaking was a research project, not a task force seeking to deliver an immediately applicable standard. It mobilised representatives of IACS vendors, industrial operators, European Institutions and national cybersecurity authorities.