The Cybersecurity Act (EU 881/2019) is a European regulation that introduces a harmonised European system for the cybersecurity certification of ICT products, services and processes.
The main objective of the Cybersecurity Act (CSA) is to improve protection against threats to cybersecurity within the EU. The CSA also enables manufacturers and service providers to use one mutually recognised certificate throughout the EU.
Over the years, many European member states have adopted national cybersecurity certification regulations. Divergence between standards in different member states and the lack of mutual recognition risked disrupting the free flow of ICT products and services within the EU. The CSA certification schemes replace the current national-level certification schemes, provided these are similar enough in scope.
The CSA requires every EU member state to identify at least one National Cybersecurity Certification Authority (NCCA). In the Netherlands, the role of NCCA is fulfilled by the Dutch Authority for Digital Infrastructure, which is part of the Ministry of Economic Affairs and Climate Policy.
Mandatory vs voluntary certification
CSA certification is voluntary unless otherwise specified in other EU law or national law. Several current EU regulatory proposals, such as the NIS II directive, the Artificial Intelligence Act and the Cyber Resilience Act, mandate the European Commission to define the obligations for CSA certification under these regulations.
Mandatory certification will come in different forms. Certification may become mandatory for EU market entry for certain products and services or for specific sectors. In other cases, certification may be used as a ‘presumption of compliance’ with the cybersecurity requirements of a specific regulation.
The CSA states that the European Commission must evaluate the need for compulsory certification by no later than 31 December 2023.
CSA security levels Basic, Substantial and High
The CSA defines three distinct levels of security, known as assurance levels, on the basis of which products, services and processes can be certified: Basic, Substantial and High.
In essence, each CSA assurance level defines how resilient a specific product, service or process has to be against a cyberattack with a certain level of skill and resources. For example, High level certification means protection against advanced attacks from attackers with significant skills and resources.
The details of the CSA assurance levels will be worked out separately in every CSA certification scheme due to the need for a tailor-made security approach to products, services and processes.
Development of an EU certification scheme
The EU Agency for Cybersecurity (ENISA) develops and maintains the CSA certification schemes. The member states are also closely involved in this process and are represented in the European Cybersecurity Certification Group (ECCG). Formally, the ECCG’s role is to advise the European Commission in the field of cybersecurity and certification, but a certification scheme will never be formalised without broad support.
The Stakeholder Cybersecurity Certification Group (SCCG) is a second advisory group of the European Commission. This group consists of stakeholders from market-oriented organisations and European institutions.
ENISA hands over each developed certification scheme to the European Commission, which turns it into a European scheme. Once a certification scheme has been published, the relevant requirements for products and services are the same throughout the EU. The schemes are then managed by ENISA in cooperation with the member states, which come together in the ECCG. ENISA will be in charge of public communication regarding the certification schemes and the certificates issued by means of a dedicated website.
CSA Union Rolling Work Programme
Member states and other stakeholders are consulted by the European Commission in order to define the priorities for the development of the certification schemes. The priorities are stated in the Union Rolling Work Programme (URWP) on certification. The URWP includes scheme plans for Common Criteria, Cloud Services, Internet of Things products, Industrial Automated Control Systems, 5G, Artificial Intelligence and Secure Development of products and software.