Cybersecurity Certification Framework

The Goal of Cybersecurity Certification under the Cybersecurity Act

The goal of EU cybersecurity certification is to harmonise the recognition of the level of cybersecurity of ICT solutions across the Union, allowing vendors and service providers to reach more customers. Vendors, service providers and users alike need to be able to determine the level of security assurance of the products, services and processes they procure, make available or use.

Cybersecurity certification requires the formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria and standards, and the issuing of a certificate indicating conformance. As such, cybersecurity certification plays a key role in increasing trust and security in products, services and processes. Cybersecurity certification in the EU serves the purpose of providing information and assurance to users about the level of conformity against stated requirements. EU cybersecurity certification schemes serve as the vehicle to convey such requirements from the EU policy level to the level of industrial service provision and further to the users and conformity assessment bodies.

As set out in Regulation (EU) 2019/881, the EU cybersecurity certification framework lays down the procedure for the creation of EU cybersecurity certification schemes, covering ICT products, services and processes. Each scheme will specify one or more level(s) of assurance (basic, substantial or high), based on the level of risk associated with the envisioned use of the product, service or process.

One Framework, several schemes

The European Union aims to develop a framework of cybersecurity certification schemes demonstrating that certified ICT solutions have the right level of cybersecurity protection for the European Digital Market.

In fact, effective and efficient cybersecurity certification allows certificates to be composed using different cybersecurity certificates as building blocks to certify complete solutions and also (parts of) systems and specific technologies.

Currently, one cybersecurity certification scheme is published and 3 are under development.

'EUCC' covering ICT products such as hardware, software and components is published; it is based on an existing international scheme called 'Common Criteria'. Regarding the schemes under development, 'EUCS', covers cloud services,  'EU5G', addresses the 5G and EUDI Wallets targets EU Digital Identity Wallets .

An opportunity for the Ecosystem

The European Union is preparing cybersecurity certification schemes to harmonise both the security requirements for ICT solutions and the methodology for assessing them.

These schemes represent a business opportunity for Conformity Assessment Bodies (CABs) as they will be able to offer a range of different certifications in the cybersecurity domain.

In addition, CABs will be able to develop and offer new combined assessment tools and new professional services related to the new schemes.

As for manufacturers and service providers the effort to prove compliance in order to enter a specific market will be simplified as one certification will be recognised throughout the Union.

Take action!

It is important that all relevant stakeholders have an opportunity to provide their input and contribute to the development and implementation of EU cybersecurity certification schemes.

There are many opportunities to get involved early, in particular during the development of the schemes by applying to be part of Ad Hoc Working Groups or by providing feedback to the drafts candidate schemes or technical documents published by ENISA.

Contribution to standardisation efforts is also key. Access ENISA dedicated website to EU cyber certification to discover open opportunities.

• https://certification.enisa.europa.eu