ENISA has published specifications for the evaluation and certification of embedded Universal Integrated Circuit Cards (eUICCs) under the European Common Criteria-based cybersecurity certification scheme (EUCC).
The Goal of Cybersecurity Certification under the Cybersecurity Act
The goal of EU cybersecurity certification is to harmonise the recognition of the level of cybersecurity of ICT solutions across the Union, allowing vendors and service providers to reach more customers. Vendors, service providers and users alike need to be able to determine the level of security assurance of the products, services and processes they procure, make available or use.
Cybersecurity certification requires the formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria and standards, and the issuing of a certificate indicating conformance. As such, cybersecurity certification plays a key role in increasing trust and security in products, services and processes. Cybersecurity certification in the EU serves the purpose of providing information and assurance to users about the level of conformity against stated requirements. EU cybersecurity certification schemes serve as the vehicle to convey such requirements from the EU policy level to the level of industrial service provision and further to the users and conformity assessment bodies.
As set out in Regulation (EU) 2019/881, the EU cybersecurity certification framework lays down the procedure for the creation of EU cybersecurity certification schemes, covering ICT products, services and processes. Each scheme will specify one or more level(s) of assurance (basic, substantial or high), based on the level of risk associated with the envisioned use of the product, service or process.
One framework, several schemes
The European Union aims to develop a framework of cybersecurity certification schemes. This framework is intended to demonstrate that certified ICT solutions have the right level of cybersecurity protection for the European Digital Market.
In fact, effective and efficient cybersecurity certification allows certificates to aggregate a number of different cybersecurity certificates as building blocks. This is how the certification of complete solutions and also (parts of) systems and specific technologies will be made possible.
Currently, one cybersecurity certification scheme is published and 3 are under development.
The 'EUCC' scheme is published. It covers ICT products such as hardware, software and components. This scheme is based on an existing international scheme called 'Common Criteria'. Schemes under development include the 'EUCS', covering cloud services, the 'EU5G', addressing 5G, and the 'EUDI Wallets', targeting EU Digital Identity Wallets.
An opportunity for the Ecosystem
The European Union is preparing cybersecurity certification schemes to harmonise both the security requirements for ICT solutions and the methodology for assessing them.
These schemes represent a business opportunity for Conformity Assessment Bodies (CABs) as they will be able to offer a range of different certifications in the cybersecurity domain.
In addition, CABs will be able to develop and offer new combined assessment tools and new professional services related to the new schemes.
As for manufacturers and service providers, proving compliance for access to a specific market will be simplified as one certification will be recognised throughout the Union.
Take action!
ENISA wishes to give all relevant stakeholders the opportunity to provide their input and thus contribute to the development and implementation of EU cybersecurity certification schemes.
There are many opportunities to get involved early, in particular during the development of the schemes, by applying to be part of Ad Hoc Working Groups or by providing feedback on the draft candidate schemes or technical documents published by ENISA.
Contribution to standardisation efforts is also welcome. Visit ENISA's dedicated website on EU cyber certification to discover current opportunities.