A cybersecurity certification recognized at an EU-wide level will ensure that the Union is aligned in recognizing the importance of cybersecurity standards, which will empower not only consumers but also vendors and service providers. Each Member State will have a designated National Cybersecurity Certification Authority (NCCA) to supervise, certify, and monitor whether cybersecurity certification complies with requirements at both the national and the EU level.
Certification of ICT solutions is voluntary unless specified by EU regulations. However, choosing to apply for certification comes with benefits. Through EU cybersecurity certification, vendors and service providers can demonstrate cybersecurity compliance and advertise the cybersecurity of their solutions while building trust across the ICT ecosystem and the market, which will attract more opportunities, help them reach more consumers, and boost innovation.
The European Union Agency for Cybersecurity (ENISA) has a mission to “proactively contribute to the emerging EU framework for the ICT certification of products and services and to carry out the drawing up of candidate certification schemes in line with the Cybersecurity Act, and additional services and tasks”.
ENISA will play a pivotal role in the EU cybersecurity certification framework as the agency responsible for drawing up cybersecurity certification schemes for products, services, and processes. The agency will engage with public services, industry, and standardization organizations to develop a comprehensive set of standards, procedures, rules, and technical requirements and will have the support of an Ad-Hoc Working Group and Member States.
The certification schemes that ENISA is developing will take into account existing schemes and standards, including the Directive on measures for a High Common Level of Cybersecurity across the Union (NIS2), which focuses on critical infrastructure. Several schemes are under development, each at a different stage. Schemes in development are also encouraged to demonstrate compliance with proposed legislation, including the eIDAS Regulation, the Cyber Resilience Act (CRA), and the Artificial Intelligence Act.
One of the schemes in development is the European Cybersecurity Certification Scheme on Common Criteria, which will target ICT products, including some types of IoT hardware and software products and components. Other schemes in development are the European Certification Scheme for Cloud Services (EUCS) and the European Cybersecurity Certification Scheme (EU5G). ICT products, processes, and services will be assessed and will only be granted EU cybersecurity certificates if they demonstrate that they are resistant to certain levels of attacks, have defined remediation processes, and comply with the specified cybersecurity requirements. Different assurance levels can be assigned, depending on the cybersecurity risk associated with the intended use of the specific IoT solution. The certification assurance levels are ‘basic’, ‘substantial’, and ‘high’.
Certification will be performed by a Conformity Assessment Body (CAB), which will have the authority to audit, test, and certify. The NCCAs will supervise and monitor the certificates issued by the CABs in the Member States. ENISA will have a dedicated website where all certificates will be published.
How does the A4CEF Project help with understanding and implementing EU cybersecurity certifications?
The A4CEF project built capabilities, contributing to the European Cybersecurity Certification Framework (ECCF) and the EU Cloud Services (EUCS) scheme in particular.
This project has been designed to directly meet the objectives of the CEF-TC-2020-2 call for proposals, under Objective 4 – “Support to cooperation and capacity building for cybersecurity certification in line with the Cybersecurity Act”. The following objectives have been identified and will be addressed:
- to leverage and extend the results being produced by the existing B4C Project (Action CEF 2019-EU-IA-0109);
- to build up the internal capabilities of the National Standards Authority of Ireland (NSAI), which is already an established CAB and is one of the candidates being considered for designation as NCCA in Ireland;
- to enhance the internal capabilities of all the consortium partners, through newly developed training material on cloud computing certification and through practical application of the certification processes previously defined and developed at NSAI, by conducting related cloud computing pilot certifications;
- to exchange best practices and relevant information related to conformity assessment activities across borders (including the entire ‘value chain’ of the European Cybersecurity Certification Framework), through structured bi-directional exchange between Cyprus and Ireland;
- to build a comprehensive reference model that directly supports the full range of cybersecurity certification activities from A to Z, covering all stakeholders, interactions, and flows as defined in the European Cybersecurity Certification Framework;
- to effectively disseminate the results of the proposed Action to a large number of stakeholders in the countries involved and across Europe, through structured dissemination and communication activities in relevant working groups and other European fora.
If you want to know more about the A4CEF project and its activities, please visit this website: https://www.a4cef.eu