The EU Agency for cybersecurity (ENISA) develops draft certification schemes, upon request of the European Commission or the EU Member States. To do so, the Agency is supported by a group of experts ('Ad-Hoc Working Group') and collaborates closely with the European Commission, EU countries, and relevant stakeholders.
Involving the ecosystem
In order to build Cybersecurity Certification Schemes, ENISA relies on the ecosystem, in particular the Ad Hoc Working Groups (AHWGs), as well as on the expertise, comments and consultative views that the wider ecosystem provides. The Cybersecurity Act defines the main entities that support ENISA in this task.
To be effective, a draft scheme has to become a piece of EU legislation called an 'Implementing Act'.
This Act has to be endorsed by all Member States. Once it is adopted, Member States have time to prepare the operation of the scheme before issuing certificates.
What's Happening
The European Cybersecurity Certification Scheme on Common Criteria, the first scheme, targets ICT products such as hardware and software products and components. On January 31st, 2024, the European Commission published the Implementing Act that brought the certification scheme into operation. ENISA is publishing the state-of-the-art documents supporting the scheme, as listed in Annex 1 of the Act.
The European Certification Scheme for Cloud Services was drafted with the support of an Ad-Hoc Working Group and Member States. The text is now due to enter the opinion process of the European Cybersecurity Certification Group (ECCG).
The European Cybersecurity Certification Scheme for 5G is being developed in two phases. During the first phase, which ended in Autumn 2022, ENISA, together with the experts of an Ad-Hoc Working Group, the European Commission and Member States, analysed the existing industrial evaluation and certification schemes and the updates they need in order to comply with the Cybersecurity Act. A first draft scheme will be made available for public consultation; the date is under discussion within the AHWG.
In view of the adoption of the draft EU Regulation on Artificial Intelligence, ENISA is assessing whether and how AI could be the object of cybersecurity certification, as well as how schemes currently under development could be re-used. This work is preparatory, as ENISA has not received a request from the European Commission to develop a certification scheme.
Mentioned in the NIS2 Directive as a critical sector and also hinted at in the future Cyber Solidarity Act, Managed Security Services are at the heart of the prevention of and response to cybersecurity threats and incidents. They are already included in the Union Rolling Work Programme for Certification, and the future amendment of the Cybersecurity Act is expected to give ENISA the possibility to certify such services. The European Agency for Cybersecurity has launched preparatory work on the topic.
There are many opportunities to get involved early, in particular during the development of the schemes, by applying to be part of an Ad Hoc Working Group or by reading and reacting to the drafts published by ENISA. Contributing to standardisation efforts is also key. Take part in the discussion and exchange with the community at the next Cybersecurity Certification Conference!
#EUCyberCertification
When schemes are enacted, further opportunities will emerge, and it will be the right time for conformity assessment bodies (CABs) to prepare for accreditation and for everyone to prepare for certification!
Follow ENISA news and events to stay updated.