Certification is a tool that allows product vendors and service providers to demonstrate and advertise the cybersecurity of their solutions. By developing cybersecurity certification at EU level, the goal is to harmonise the recognition of the level of cybersecurity of ICT solutions across the Union, allowing vendors and service providers to reach more customers. Voluntary, and intended to empower the EU Digital Single Market, the future schemes may also be encouraged as a means of demonstrating compliance with the requirements of other legislation.
ENISA develops candidate cybersecurity certification schemes, upon request of the European Commission or the Member States. To do so, the Agency is supported by groups of experts (Ad-Hoc Working Groups) and collaborates closely with the Commission, Member State authorities, and relevant stakeholders as defined in the Cybersecurity Act. EU-wide certification schemes then form the baseline of technical requirements, standards and procedures for the given product or service.
Industry expertise, constructive comments and consultative views provided by the certification ecosystem are taken into account at every step of the scheme development process. The Union Rolling Work Programme (URWP), a strategic document under the Cybersecurity Act, allows manufacturers, national authorities and standardisation bodies to be well prepared and informed about upcoming European cybersecurity certification schemes and regulatory priorities.
Cybersecurity schemes, such as the EUCC, build upon respected international standards. Specifically, Common Criteria-based certification has been used to issue certificates in Europe for almost 30 years, with the corresponding scheme capitalising on the high reputation of European vendors and certifiers worldwide.
Once approved, a draft scheme becomes EU legislation through an 'Implementing Act', endorsed by all Member States. When adopted, the Act allows time to prepare the operation of the scheme before certificates are issued. Cooperation with the European standardisation organisations (CEN, CENELEC and ETSI), as well as ISO, ensures that consistency and trust among manufacturers, developers and purchasers are established before a scheme comes into effect.
To understand the level of uptake of cybersecurity-related products, services and processes in the relevant market, ENISA continues to examine market trends affecting both the supply and demand sides, proactively assessing the implications for European stakeholders. Together with standardisation organisations in Europe and internationally, the Agency assesses the European market landscape from the ICT security perspective and promotes cohesive cybersecurity standards.
By introducing market analysis to the field of cybersecurity harmonisation, the Agency seeks to innovate in the space of market-driven decision-making for the conception, launch and maintenance of cybersecurity products, services and processes within the EU. Numerous ENISA initiatives, from annual cybersecurity market analyses and the organisation of relevant events to the creation and maintenance of a dedicated Ad-Hoc Working Group, demonstrate ENISA's commitment to building market analysis expertise and to measuring the uptake of achieved results.