Adopted on April 17th, 2019, the EU Cybersecurity Act came into force on June 27th, 2019. The Act aims to give the EU Agency for Network and Information Security (ENISA) a permanent mandate that implements an established cybersecurity certification framework. By adopting cybersecurity certification schemes, the goal is to make it easier for ICT manufacturers and developers to serve the European market and do business across borders. Through cybersecurity certificates and statements of conformity recognized and used throughout all Member States, organizations achieve compliance easier through a harmonized approach, particularly for those operating across different markets.

The Act also requires the Member States to designate a cybersecurity authority to ensure conformity with the Act. To establish trust, the certification framework consists of certification schemes.

The EU cybersecurity certification scheme is a “set of rules, technical requirements, standards, and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services, or ICT processes.”

When an ICT product, service, or process is certified under a cybersecurity certification scheme, it declares that it complies with the Act’s specified requirements, and an accredited Conformity Assessment Body (CAB) issues the certificate to the ICT product, service, or process that complies with the scheme. Because the certification is recognized in all Member States of the EU, it becomes easier for the business to trade across different markets.

The certificate also helps purchasers understand the security features of the ICT product, service, and process. The framework enables tailored EU certification schemes that are categorized by assurance level. The ICT product, service, or process may be classified as basic, substantial, or high to express the cybersecurity risk and assurance level. An ICT product certified with a high assurance level means it passed the highest security assessment.

A report by the European Union Agency for Cybersecurity (ENISA) has explored five distinct areas that can be developed to EU candidate cybersecurity certification schemes. They are:

1. Internet of Things (IoT)
2. Cloud infrastructure and services
3. Threat intelligence in the financial sector
4. Electronic health records in healthcare
5. Qualified trust services

A cybersecurity certification scheme is composed typically of three core elements, which are defined by standardization bodies when applicable:

• Technical Specification of Security Requirements – a document that contains the targeted ICT product, service, or process’s security functional requirements and describes the expected cybersecurity behavior.

• Set of Validation Procedures – a document that validates that the targeted ICT product meets the required security assurance level. The set of validation procedures define the activities of evaluation, the concept of composition methodology, and expected evaluation reports.

• Certification Scheme Policies and Procedures – a document defining the policies and processes governing the certification scheme, which may include planning and preparation, application and evaluation procedures, certificate issuance, and certificate maintenance. Disclosure of vulnerabilities and maintenance of assurance levels may also be included, as well as management, roles, and responsibilities of the program.

The following platform (https://www.cyberactcertification.eu/) will guide you through your ICT product, processes and services security certification under the EU Cybersecurity Act. It will provide you with the latest updates on the potential candidate schemes covering SOGIS CC, CLOUD, 5G, IoT, HEALTHCARE and AUTOMOTIVE domains. Stay tuned...

If you want to learn more about EU Cybersecurity Act Certification Schemes, you can read the following article;