The purpose of the EU cybersecurity certification framework under the Cybersecurity Act is to establish and maintain trust and security in cybersecurity products, services and processes.
Cybersecurity Certification Framework
The Goal of Cybersecurity Certification under the Cybersecurity Act
Drawing up cybersecurity certification schemes at the EU level aims to provide criteria for conformity assessments that establish the degree to which products, services and processes adhere to specific requirements. Users and service providers alike need to be able to determine the level of security assurance of the products, services and processes they procure, make available or use.
Cybersecurity certification requires the formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria and standards, and the issuing of a certificate indicating conformance. As such, cybersecurity certification plays a key role in increasing trust and security in products, services and processes. Cybersecurity certification in the EU serves the purpose of providing notice and assurance to users about the level of conformity against stated requirements. EU cybersecurity certification schemes serve as the vehicle to convey such requirements from the EU policy level to the level of industrial service provision and further to the users and conformity assessment bodies.
As set out in Regulation (EU) 2019/881, the EU cybersecurity certification framework lays down the procedure for the creation of EU cybersecurity certification schemes, covering ICT products, services and processes. Each scheme will specify one or more level(s) of assurance (basic, substantial or high), based on the level of risk associated with the envisioned use of the product, service or process.
One Framework, several schemes
The European Union aims to develop a framework of cybersecurity certification schemes demonstrating that certified ICT solutions have the right level of cybersecurity protection for the European Digital Market.
Effective and efficient cybersecurity certification also allows certificates to be composed: different cybersecurity certificates serve as building blocks to certify complete solutions, as well as (parts of) systems and specific technologies.
Currently, three cybersecurity certification schemes are under development.
One scheme, covering ICT products and called 'EUCC', is almost ready. It is based on an existing international scheme called 'Common Criteria'. The second scheme being developed, 'EUCS', covers cloud services, and a third one, called 'EU5G', covers 5G networks.
An opportunity for the Ecosystem
The European Union is preparing cybersecurity certification schemes to harmonise both the security requirements for ICT solutions and the methodology for assessing them.
These schemes represent a business opportunity for Conformity Assessment Bodies (CABs) as they will be able to offer a range of different certifications in the cybersecurity domain.
In addition, CABs will be able to develop and offer new combined assessment tools and new professional services related to the new schemes.
For manufacturers and service providers, the effort of proving compliance in order to enter a specific market will be simplified, as one certification will be recognised throughout the Union.