Cloud certification

Cloud certification

The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is a certification scheme created under the Cybersecurity Act (CSA).

The aim of the CSA is to improve cybersecurity across a wide range of digital products, services and processes. It also establishes a unified approach to cybersecurity certification in the European internal market.

Reasons for certification

Certificates give businesses and individual consumers accurate information regarding the security assurance of their certified ICT products, services and processes. Although certification does not mean that a product, service or process is cyber-secure (and this is stated explicitly), a certificate does demonstrate compliance with the criteria of the cybersecurity scheme.

European cybersecurity certification is voluntary, in principle, but can be made mandatory by other EU law, or in member state law adopted in accordance with EU law. This could be the case for general cybersecurity requirements in specific EU and/or member state law which are presumed to be met if a valid certificate can be provided.

The scheme’s certificates are applicable across the EU and valid in all member states.

The EUCS scheme

The EUCS scheme is one of the first certification schemes to be developed under the CSA. The scheme:

Enhances trust in cloud services by defining a reference set of security requirements;
Proposes a new assessment approach, inspired by existing national schemes and international standards;
Grants a three-year certification that can be renewed;
Includes transparency requirements such as the location of data processing and storage.

In addition to the EUCS scheme, ‘extension profiles’ can be developed that address specific needs or implementation. Extension profiles are expected for specific sectors and/or specific subjects. An extension profile only covers security objectives and requirements and should not interfere with the core security requirements of the scheme.

Cloud service providers (CSPs) can obtain an EUCS certificate to demonstrate their conformity with the applicable security requirements for the desired assurance level defined in the EUCS scheme.

Scope

The EUCS scheme covers the cybersecurity certification of cloud services. Cloud services are defined as capabilities offered via cloud computing invoked using a defined interface [ISO17788]. It applies to all kinds of cloud service: IaaS, PaaS, SaaS, and other cloud services and subservices.

The scheme originates from many different sources. The first one being the report of the CSP-CERT Working Group, which was delivered in 2019 and provided a basic framework on which the candidate scheme has been developed. During subsequent development, an important source of cybersecurity requirements was C5:2020 (“Cloud Computing Compliance Criteria Catalogue” from BSI) and, more specifically, criteria from the SecNumCloud framework of ANSSI. Requirements from ISO 27001:2017 and the best practices of ISO 27002:2017 have also been taken into account.

FAQ

The EUCS scheme covers a wide range of security requirements, by offering all three security assurance levels defined in the CSA: ‘basic’, ‘substantial’ and ‘high’. Per assurance level the security requirements on cloud services, and the assessment methodology, increase in several dimensions: scope, rigor and depth.

Assurance level basic

This level is intended to minimise the known basic risks of incidents and cyberattacks”.

The evaluation for the assurance level of Basic consists solely of inspection activities. These activities are based on a check on the completeness and coherence of the documentation provided on processes and designs. This is intended to check whether technical and organisational measures are fulfilled. The level of Basic requirements include fully automated testing of basic known vulnerabilities and automated compliance checks by the cloud service provider.

Assurance level substantial

This level is “intended to minimise the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources”.

The evaluation scope for the assurance level of Substantial is defined by the description of the cloud service and by the security objectives and requirements that apply for the assurance level Substantial. The meta-approach defined, describes an assessment that should cover operating effectiveness during a defined period.

Assurance level high

This level is “intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources”.

The evaluation scope for the assurance level of High is determined by the description of the cloud service and by the security objectives and requirements that apply to the assurance level of High. The meta-approach defined, describes an assessment that should cover operating effectiveness during a defined period. Additionally, at the level of High, conformity assessment should include a separate penetration test.

Generally the first step is to contact an licensed Conformity Assessment Body (CAB). The list of licensed CABs for the EUCS scheme is published here and updated regularly.

Once evaluation and certification contracts are in place with the CAB, the CAB will handle the certification process, regardless of the chosen CSA assurance level.

At the assurance level of High, the Dutch National Cybersecurity Certification Authority (NCCA) monitors the evaluation and certification steps using the prior approval model.