The EUCS (European Cybersecurity Certification Scheme for Cloud Services) is a certification scheme created under the Cybersecurity Act (CSA). The aim of the CSA is to improve cybersecurity across a wide range of digital products, services and processes. It also establishes a unified approach to cybersecurity certification in the European internal market.
Reasons for certification
Certificates give businesses and individual consumers accurate information regarding the security assurance of their certified ICT-products, services and processes. Although certification does not mean that a product is cyber-secure (and this is stated explicitly in the CSA), a certificate does demonstrate compliance with the criteria of the cybersecurity scheme.
European cybersecurity certification is voluntary, but can be made mandatory by other EU law, or in member state law adopted in accordance with EU law. This could be the case for general cybersecurity requirements in specific EU and/or member state law which are presumed to be met if a valid certificate can be provided.
The scheme’s certificates are applicable across the EU and valid in all member states.
The EUCS scheme
The EUCS scheme is one of the first certification schemes to be developed under the CSA. The scheme:
- Enhances trust in cloud services by defining a reference set of security requirements;
- Proposes a new assessment approach, inspired by existing national schemes and international standards;
- Grants a three-year certification that can be renewed;
- Includes transparency requirements such as the location of data processing and storage.
In addition to the EUCS scheme, ‘extension profiles’ can be developed that address specific needs or implementations. Extension profiles are expected for specific sectors and/or specific subjects. An extension profile only covers security objectives and requirements and should not interfere with the core security requirements of the scheme.
Cloud service providers (CSPs) can obtain an EUCS certificate to demonstrate their conformity with the applicable security requirements for the desired assurance level defined in the EUCS scheme.
The EUCS scheme covers the cybersecurity certification of cloud services. Cloud services are defined as capabilities offered via cloud computing invoked using a defined interface [ISO17788]. It applies to all kinds of cloud service: IaaS, PaaS, SaaS, and other cloud services and subservices.
The scheme originates from many different sources. The first was the report of the CSP-CERT Working Group, which was delivered in 2019 and provided the basic framework on which the candidate scheme has been developed. During subsequent development, an important source of cybersecurity requirements was C5:2020 (“Cloud Computing Compliance Criteria Catalogue” from BSI) and, more specifically, criteria from the SecNumCloud framework of ANSSI. Requirements from ISO 27001:2017 and the best practices of ISO 27002:2017 have also been taken into account.