The EUCS scheme is a certification scheme created under the Cybersecurity Act (CSA). The aim of the CSA is to improve cybersecurity across a wide range of digital products, services and processes. It also establishes a unified approach to cybersecurity certification in the European internal market.
Reasons for certification
Certificates give businesses and individual consumers accurate information regarding the security assurance of their certified ICT-products, services and processes. Although certification does not mean that a product is cyber-secure (and this is stated explicitly in the CSA), a certificate does demonstrate compliance with the criteria of the cybersecurity scheme.
European cybersecurity certification is voluntary, but can be made mandatory by other EU law, or in member state law adopted in accordance with EU law. This could be the case for general cybersecurity requirements in specific EU and/or member state law which are presumed to be met if a valid certificate can be provided.
The scheme’s certificates are applicable across the EU and valid in all member states.
The EUCS scheme
EUCS (European Union Cybersecurity Certification Scheme on Cloud Services) is one of the first schemes to be developed under the CSA. The scheme:
- Enhances trust in cloud services by defining a reference set of security requirements;
- Proposes a new assessment approach, inspired by existing national schemes and international standards;
- Grants a three-year certification that can be renewed;
- Includes transparency requirements such as the location of data processing and storage.
In addition to the EUCS scheme, ‘extension profiles’ can be developed that address specific needs or implementations. Extension profiles are expected for specific sectors and/or specific subjects. An extension profile only covers security objectives and requirements and should not interfere with the core security requirements of the scheme.
Cloud service providers (CSPs) can obtain an EUCS certificate to demonstrate their conformity with the applicable security requirements for the desired assurance level defined in the EUCS scheme.
Scope
The EUCS scheme covers the cybersecurity certification of cloud services. Cloud services are defined as capabilities offered via cloud computing invoked using a defined interface [ISO17788]. It applies to all kinds of cloud services: IaaS, PaaS, SaaS, and other cloud services and subservices.
The scheme originates from many different sources. The first was the report of the CSP-CERT Working Group, delivered in 2019, which provided the basic framework on which the candidate scheme has been developed. During subsequent development, an important source of cybersecurity requirements was C5:2020 (“Cloud Computing Compliance Criteria Catalogue” from BSI) and, more specifically, criteria from the SecNumCloud framework of ANSSI. Requirements from ISO 27001:2017 and the best practices of ISO 27002:2017 have also been taken into account.
Certificates issued
Currently, the EUCS scheme is awaiting final adoption. This means that no certificates are currently being issued in the Netherlands under the EUCS. Once certificates are issued, a complete overview of all certificates will be published on this website.
Certification at which level?
The EUCS scheme covers a wide range of security requirements by offering all three security assurance levels defined in the CSA: ‘basic’, ‘substantial’ and ‘high’. With each assurance level, the security requirements for cloud services and the assessment methodology increase in several dimensions: scope, rigour and depth.
The assurance level of Basic
This level is “intended to minimise the known basic risks of incidents and cyberattacks”.
The evaluation for the assurance level of Basic consists solely of inspection activities. These activities are based on a check of the completeness and coherence of the documentation provided on processes and designs, and are intended to verify whether the technical and organisational measures have been fulfilled. The requirements for the Basic level include fully automated testing for basic known vulnerabilities and automated compliance checks by the cloud service provider.
The assurance level of Substantial
This level is “intended to minimise the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources”.
The evaluation scope for the assurance level of Substantial is defined by the description of the cloud service and by the security objectives and requirements that apply to the assurance level of Substantial. The defined meta-approach describes an assessment that should cover operating effectiveness during a defined period.
The assurance level of High
This level is “intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources”.
The evaluation scope for the assurance level of High is determined by the description of the cloud service and by the security objectives and requirements that apply to the assurance level of High. The defined meta-approach describes an assessment that should cover operating effectiveness during a defined period. Additionally, at the level of High, the conformity assessment should include a separate penetration test.
How to apply for certification?
Generally, the first step is to contact an authorised Conformity Assessment Body (CAB). The list of CABs for the EUCS scheme is published here and updated regularly.
Once evaluation and certification contracts are in place with the CAB, the CAB will handle the certification process, regardless of the chosen CSA assurance level.
At the assurance level of High, the National Cybersecurity Certification Authority of the Netherlands monitors the evaluation and certification steps and needs to authorize the CAB to issue the certificate.