EU Cybersecurity Certification
EU Cybersecurity Certification schemes are developed within the framework defined primarily in the Cybersecurity Act.
Nowadays voluntary, with the goal to empower the EU Digital Single Market, the future schemes are also encouraged through other regulations.
The continuously evolving context for, and of certifications will significantly impact various sectors of activity.
EU Cybersecurity Certifications will shake and shape the ICT ecosystem bringing a harmonized vision and understanding of cybersecurity assessment across Europe. The first concerned actors are:
EU cybersecurity certification will bring new EU wide market opportunities by simplifying efforts in demonstrating cybersecurity compliance. Certified solutions will be able to stand out on the market and the work done behind will support the development of internal expertise. For those already certified with existing schemes, ENISA and Member States will provide guidance to smoothen the transition process and compare requirements from existing schemes to the EU ones to facilitate transition.
As required by the Cybersecurity Act, each Member States have designated a NCCA that will be in charge of supervising, certifying and monitoring EU cybersecurity certification at national level and to exchange at EU level.
EU cybersecurity certification schemes are developed by ENISA with the support of experts from Member States and from the industry, including from the conformity assessment community.
These schemes are designed to meet the need of the Member States, the industry, and to match the requirements of European regulation, making them a valuable tool at the European level to promote the security of products and services. This new value represents a significant opportunity for the CABs who will be accredited to issue certificates or to perform evaluation activities (tests, audits) for these schemes.
EU Cybersecurity certificates are granted to Certified ICT products and services against EU Cybersecurity certification schemes. They demonstrate that the tested solutions are resistant to certain levels of attacks, set remediation processes while considering the latest state-of-the-art developments.
They are recognized across the Union and allow product vendors and service providers to showcase the compliance of their solution to a specific scheme, level of assurance, scope and potentially extension or security profiles.
Certificates are valid for a limited time that can be extended through a re-assessment of the solution.
EU Certification Framework
The EU certification framework foresees up to three level of assurance in schemes to tackle different levels of risk associated with the intended use of the ICT solution.
Evaluation to minimise the known basic risks of incidents and cyberattacks.
Evaluation to minimise the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources.
Evaluation to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources.
How to start with Certification Explanation
The first EU Cybersecurity certification scheme, EUCC is out. Published on February 27, 2023, it gives one year to the ecosystem to get ready. While National Cybersecurity Certification Authorities will use this time to develop their certification strategy, Conformity Assessment Bodies will start the authorization and when necessary, notification process. On their side manufacturers and developers can start planning resources and get familiar to the scheme in order to start the certification process.
ENISA will be providing support to the ecosystem to encourage the understanding and adoption of the EU Cybersecurity Certification Schemes by developing guidance documents and online content & material.