ENISA launches a public consultation on a new draft candidate cybersecurity certification scheme in a move to enhance trust in cloud services across Europe.
Today, the European Union Agency for Cybersecurity (ENISA) launched a public consultation, which runs until 7 February 2021, on its draft of the candidate European Union Cybersecurity Certification Scheme on Cloud Services (EUCS). The scheme aims to further improve the Union’s internal market conditions for cloud services by enhancing and streamlining the services’ cybersecurity guarantees. The draft EUCS candidate scheme intends to harmonise the security of cloud services with EU regulations, international standards, industry best practices, as well as with existing certifications in EU Member States.
EU Agency for Cybersecurity Executive Director Juhan Lepassaar said: “Cloud services play an increasing role in the life of European citizens and businesses under lockdown; and their security is essential to the functioning of the Digital Single Market. A single European cloud certification is critical for enabling the free flow of data across Europe, and is an important factor in fostering innovation and competitiveness in Europe.”
Speaking at the ENISA Cybersecurity Certification Conference on 18 December 2020, Director of Digital Society, Trust and Cybersecurity at the European Commission Directorate-General for Communications Networks, Content and Technology (DG CONNECT) Lorena Boix Alonso said: “We must ensure that cybersecurity certification strikes the right balance, following a sensible risk-based approach, with flexible solutions and certification schemes designed to avoid being outdated quickly. And we need a clear roadmap to allow industry, national authorities and standardisation bodies to prepare in advance.”
There are challenges to the certification of cloud services, such as a diverse set of market players, complex systems and a constantly evolving landscape of cloud services, as well as the existence of different schemes in Member States. The draft EUCS candidate scheme tackles these challenges by calling for cybersecurity best practices across three levels of assurance and by allowing for a transition from current national schemes in the EU. The draft EUCS candidate scheme is a horizontal and technological scheme that intends to provide cybersecurity assurance throughout the cloud supply chain, and form a sound basis for sectoral schemes.
More specifically, the draft EUCS candidate scheme:
- Is a voluntary scheme;
- Provides certificates that will be applicable across the EU Member States;
- Is applicable to all kinds of cloud services – from infrastructure to applications;
- Boosts trust in cloud services by defining a reference set of security requirements;
- Covers three assurance levels: ‘Basic’, ‘Substantial’ and ‘High’;
- Proposes a new approach inspired by existing national schemes and international standards;
- Defines a transition path from national schemes in the EU;
- Grants a three-year certification that can be renewed;
- Includes transparency requirements such as the location of data processing and storage.
Public Consultation
The public consultation allows interested parties to provide feedback on the draft EUCS candidate scheme. The outcome of this consultation will be processed and shared with the public. The consultation will remain open until 7 February 2021, 12:00 CET.
To review the draft scheme, visit: Draft EUCS Candidate Scheme.
The consultation is closed. For more information, please consult the following: EUCS – Cloud Services Scheme.
During the period of the public consultation, a review by the European Cybersecurity Certification Group (ECCG) and the Stakeholder Cybersecurity Certification Group (SCCG) will also be undertaken. Following the consultation, the EUCS candidate scheme will be updated and submitted to the ECCG for its opinion.
WEBINAR: ENISA Cybersecurity Certification of Cloud Services
On 11 January 2021, the EU Agency for Cybersecurity will hold a webinar presentation of the draft EUCS candidate scheme. ENISA Lead Certification Expert Eric Vétillard will present the current draft and will lead a Q&A session with participants. The webinar is open to the public.
To register for the 11 January 2021 event, visit: WEBINAR: ENISA Cybersecurity Certification of Cloud Services.
Background on ENISA Cybersecurity Certification
Under the EU Cybersecurity Act (CSA) of 2019, the EU Agency for Cybersecurity assists in the preparation of candidate cybersecurity certification schemes. The EUCS consultation is established in accordance with Article 49(3) of the CSA.
The current draft of the EUCS candidate scheme is based on expert input from the Cloud Service Provider Certification (CSPCERT) Working Group and the EUCS ad-hoc working group, which includes members from industry, and participants from Member States and European Institutions. The draft also takes into consideration international standards and national certification schemes across the Union.
The draft EUCS candidate scheme is the second candidate cybersecurity certification scheme introduced by the EU Agency for Cybersecurity this year. In July 2020, the Common Criteria Based European Cybersecurity Certification Scheme (EUCC), which aims to replace the existing schemes operating under the SOG-IS MRA for ICT products, opened for a month-long public consultation.
The ENISA Cybersecurity Certification Conference
On 18 December 2020, the EU Agency for Cybersecurity held the first online ENISA Cybersecurity Certification Conference to provide updates on cybersecurity and certification work by the European Commission, the Presidency of the Council of the European Union and the Agency. The conference also covered the latest and upcoming developments on certification schemes, including the draft EUCC and EUCS candidate schemes, and topics such as international standards for IoT. The one-day event was highly attended, with more than 1,500 registrations.
Contacts
For questions related to the press and interviews, please contact press (at) enisa.europa.eu