Certification is a tool that allows product vendors and service providers to demonstrate, and to advertise, the cybersecurity properties of their solutions, as evaluated against a published set of requirements at a defined assurance level. By developing cybersecurity certification at EU level, the EU seeks to harmonise the assessment of the cybersecurity of ICT solutions across the Union, and in doing so to allow vendors and service providers to reach more customers with a single certificate rather than one evaluation per Member State. The schemes are voluntary in nature and aim to strengthen the EU Digital Single Market; in future they may also be promoted as a means of demonstrating compliance with the requirements of other legislation.
ENISA develops candidate cybersecurity certification schemes upon request of the European Commission or the Member States. The Agency's work for this purpose is supported by groups of experts (Ad-Hoc Working Groups). ENISA also collaborates closely with the Commission, the Member State authorities and the relevant stakeholders as defined in the Cybersecurity Act. An EU-wide certification scheme then establishes the technical requirements, the standards and the evaluation procedures that apply to a given category of products, services or processes.
Industry expertise, together with the constructive comments and consultative views provided by the certification ecosystem, is taken into account at every step of the development of a scheme. The Union Rolling Work Programme (URWP), a strategic document provided for by the Cybersecurity Act, sets out the priorities for future European cybersecurity certification schemes, so that manufacturers, national authorities and standardisation bodies are informed about upcoming schemes and regulatory priorities and can prepare for them in good time.
Cybersecurity certification schemes such as the EUCC, the EU scheme based on the Common Criteria, build upon respected international standards rather than starting from scratch. Common Criteria-based certification has been used to issue certificates in Europe for almost 30 years, and the EUCC capitalises on the high reputation that European vendors and certifiers have earned worldwide under it.
Once approved, a draft scheme becomes EU legislation through an Implementing Act adopted by the European Commission with the involvement of the Member States. The Act then provides a transition period in which the operation of the scheme is set up (for example the accreditation of conformity assessment bodies) before the first certificates are issued. Cooperation with the European standardisation organisations (CEN, CENELEC and ETSI), as well as with ISO, ensures that consistency with existing standards, and trust among manufacturers, developers and purchasers, are established before a scheme comes into effect.
To understand the level of uptake of cybersecurity-related products, services and processes in the relevant markets, ENISA continues to examine market trends affecting both the supply and the demand side, proactively assessing their implications for European stakeholders. Together with standardisation organisations in Europe and internationally, the Agency assesses the European market landscape from the ICT security perspective and promotes cohesive cybersecurity standards.
By introducing market analysis to the field of cybersecurity harmonisation, the Agency seeks to innovate in market-driven decision-making for the conception, launch and maintenance of cybersecurity products, services and processes within the EU. The wide range of ENISA initiatives, from the annual cybersecurity market analyses and the organisation of relevant events to the creation and maintenance of a dedicated Ad-Hoc Working Group, shows how committed ENISA is to building market analysis expertise and to measuring the results achieved.