Cybersecurity certification

With the adoption of the Cybersecurity Act (CSA), a new system for cybersecurity certification is introduced within the EU. This system provides an EU-wide approach towards cybersecurity certification where issued certificates are applicable across the EU and valid in all member states.

CSA certificates give businesses and individual consumers accurate information regarding the security assurance of their certified ICT products, services and processes. Although certification does not guarantee that an ICT product or service is cyber-secure (as explicitly stated in the CSA), a certificate does demonstrate compliance with the criteria of a cybersecurity scheme. European CSA certification is in principle voluntary. However, it can and most likely will be used to demonstrate compliance with other EU laws or with member state laws adopted in accordance with EU laws.

On each CSA certificate you can find information about the validity of the certificate and the certification scheme under which it has been issued. No CSA certificates have been issued yet. Once the first certificate has been issued, a list of all certificates issued within the Netherlands under the Cybersecurity Act will be maintained here. The European cybersecurity agency ENISA will also maintain a certification website listing all issued certificates.

In the Netherlands, we have implemented the prior approval model, which enables all certification projects to conclude within a predictable timeframe and in a timely manner.

Have you heard about EU cybersecurity certification? If not, this is what you should know about it. In today's ICT market, how is it possible to compare the level of security of solutions? Some of these solutions call themselves cyber-secure and trustworthy, while others carry various labels. This leaves ICT consumers with complicated choices. Developers and service providers wishing to enter new markets might need to comply with numerous security requirements. This lack of harmonization results in high costs for enterprises. To address this challenge, the European Union is developing EU cybersecurity certification, which provides evidence of compliance with a given level of trust. ENISA, the European Union Agency for Cybersecurity, is developing certification schemes for ICT products, cloud services and 5G, and more are to come according to market needs. Once in force, each EU country will be able to perform and issue cybersecurity certification under the new framework. EU certificates will be recognized in a harmonized way across the Union. So what to expect? Developers and service providers will only need a single certification to address a market of 500 million EU citizens. Users will be able to easily benchmark ICT products and services based on their needs in terms of trust and security. ENISA is also working on guidance documents for developers, service providers, auditors, evaluators and national cyber authorities to help move EU certification forward. This ecosystem also tests the new certification framework to make sure that the proposed approach and measures are accurate. Follow ENISA on social media to find out more and join us at the ENISA cybersecurity certification conference.

© ENISA - Creative Commons 4.0

CSA certification schemes

In order to certify a wide range of products, services and processes in the field of cybersecurity, multiple certification schemes are being developed under the Cybersecurity Act. Each scheme has its own scope, its own specific application and its own set of certification requirements.

Below you will find a brief introduction to the schemes that are currently active or will come into effect in the near future. An overview of all certification scheme development plans and timelines is provided here.

Common Criteria certification

Based on Common Criteria, a specific certification scheme is being developed within Europe to enable Europe-wide certification on Common Criteria (EUCC). Common Criteria is a set of specifications and guidelines designed to evaluate and certify software, hardware and firmware in the area of cybersecurity.

Cloud certification

EUCS, short for ‘European Union Cybersecurity Certification Scheme on Cloud Services’, is one of the first schemes to be developed under the CSA. This scheme boosts trust in cloud services by defining a reference set of security requirements. It is applicable to all kinds of cloud services: IaaS, PaaS, SaaS and other cloud services, including subservices.