Background

Two years ago, the Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification – called Cybersecurity Act – was published.

One key element of this regulation is the establishment of the European cybersecurity certification framework. It lays down the main horizontal requirements for European cybersecurity certification schemes to be developed and allows European cybersecurity certificates and EU statements of conformity for ICT products, ICT services or ICT processes to be recognised and used in all Member States.

The purpose of European cybersecurity certification schemes is to ensure that ICT products, ICT services and ICT processes certified under such schemes comply with specified requirements that aim to protect the availability, authenticity, integrity and confidentiality of stored, transmitted or processed data or of the related functions of or services offered by, or accessible via those products, services and processes throughout their life cycle.

The Cybersecurity certification is voluntary. But ICT products, ICT services and ICT processes that have been certified under a European cybersecurity certification scheme – prepared by ENISA and adopted by the European Commission – shall be presumed to comply with the requirements of such scheme.

The certification and evaluation shall be performed by a conformity assessment body, which is accredited by its National Accreditation Body according to Regulation (EC) No 765/2008.

 

Cybersecurity Certification: Candidate EU CC Scheme

Following the request from the European Commission, ENISA prepared the first candidate EU cybersecurity certification scheme – called EUCC scheme (Common Criteria based European candidate cybersecurity certification scheme).
This scheme shall be considered as a successor to the existing schemes operating under the SOG-IS MRA, the Senior Officials Group Information Systems Security Mutual Recognition Agreement.

The draft EUCC scheme (version 1.1.1) has been published by ENISA in May 2021. It includes inter alia the following topics:
■         Purpose of the scheme
■         Evaluation standards
■         Assurance levels
■         Specific requirements for Conformity Assessment Bodies (CABs)
■         Notification and authorisation of CABs, functioning of CABs and subcontractors
■         Specific evaluation criteria and methods
■         Necessary information for certification
■         Marks and labels

According to the EUCC scheme, the Certification Bodies shall be accredited according to ISO/IEC 17065 and the testing laboratories (ITSEF: IT Security evaluation facility) according to ISO/IEC 17025.

It is expected that additional requirements for the accreditation of Certification Bodies and ITSEFs will be set out by ENISA in specific guidelines.

For the legal implementation of the candidate EUCC scheme prepared by ENISA, the European Commission will adopt an implementing act presumably end of 2021/beginning of 2022.

 

EA/ENISA Webinar on the EU Cybersecurity Act: EUCC scheme and guidelines for accreditation

On 24 September 2021, EA will organise a webinar with support of ENISA. This webinar will focus on the EUCC scheme and the guidelines for accreditation. It is meant to support the EA National Accreditation Bodies in the implementation of the EUCC scheme and to start with the accreditation of Certification Bodies and ITSEFs as soon as the scheme will have been published in the Official Journal of the EU in 2022.
Apart from the EA National Accreditation Bodies, representatives from EA recognised stakeholders and National Cybersecurity Certification Authorities (NCCA) can register for this webinar.

 

You find more detailed information on the Cybersecurity Act and the EUCC scheme on ENISA’s website https://www.enisa.europa.eu/topics/standards/certification.