In the EU there is currently a multitude of cybersecurity certification initiatives. However, the EU wants to set up an EU-wide certification framework through the Cybersecurity Act. Currently, the central European IT security evaluation criteria are based on mutual recognition (SOG-IS), but only the following Member States are part of it: Austria, Croatia, Estonia, Finland, France, Germany, Italy, Netherlands, Luxembourg, Poland, Spain and Sweden in addition to the UK and Norway.
Some have developed national certification initiatives that aren’t mutually recognized. Let’s have a look at a few national certifications for ICT products:
Commercial Product Assurance (CPA)
CPA is a UK-based national scheme for commercial off-the-shelf products. It’s open to all vendors, suppliers, and developers of security products whose sales base is in the UK. Since it assures security products; they are assessed against SCs (Security Characteristics) for each product type. These include web application firewalls, encryption, and smart meters. SCs also have three mitigations or requirements that each product is expected to satisfy: development, verification, and deployment.
CPA assessment is valid for two years, but since there is no Mutual Recognition Agreement (MRA) for it, products tested in the UK won’t be accepted as certified in other markets. Outside of the UK, CPA isn’t widely recognized.
Baseline Security Product Assessment (BSPA)
The Dutch Baseline Security Product Assessment scheme started its pilot phase in 2015. The scheme assesses the suitability of IT security products for use in the “sensitive but unclassified” domain. It’s pretty expensive to attain, and the overall process takes up to 2 months. The average costs of certification under Baseline Security Product Assessment in the Netherlands are around 40 thousand euros.
Certification Sécuritaire de Premier Niveau (CSPN)
The National Cybersecurity Agency of France (Agence Nationale de la sécurité des systèmes d’information – ANSSI) established CSPN in 2008. It’s an IT Security Certification Scheme that offers a cheaper, faster alternative to Common Criteria (CC) and Federal Information Processing Standard (FIPS) approach. CSPN is a pretty lightweight certification process that lasts up to 8 weeks and costs between 25 thousand and 35 thousand euros.
All of the security criteria that a product needs to meet, as well as the methodology and process of certification, are based on the standard created by the ANSSI. It only applies in France, although similar models might soon be adopted across the European Union and even the U.S.
SOG-IS MRA
The SOG-IS agreement (Senior Officials Group — Information Systems Security) came as a response to the EU Council Decision of March 31st, 1992. The participants of the Agreement are government agencies and organizations from EU or EFTA (European Free Trade Association) countries.
SOG-IS MRA is the leading certification mechanism in Europe, but it only includes 12 Member States plus Norway. It also hasn’t developed many protection profiles — it covers mainly digital signatures, digital tachograph, and smart cards.
HOW TO MAKE THE BEST OUT IT ?
You’ll likely require some of these national security certifications if you wish to sell your product in the UK, the Netherlands or France. The process can be long, but in most cases not as long as it is for a CC certification which can take over a year in some cases. Regardless of what the device you sell is, you might have to comply with the local security standards. These standards vary even across the EU, which makes the implementation process costly and time-consuming. The best solution to that is simply to meet all national security requirements at the same time by implementing a smart security assurance framework.