ENISA Launches Public Consultation for First Candidate Cybersecurity Certification Scheme

Today, the European Union Agency for Cybersecurity, ENISA, is launching a month-long public consultation for the first candidate cybersecurity certification scheme, the Common Criteria based European cybersecurity certification scheme (EUCC). The scheme aims to replace the existing schemes operating under the SOG-IS MRA for ICT products, to add new elements and to extend the scope to cover all EU Member States.

The public consultation allows interested parties to provide feedback on the draft of the EUCC candidate scheme and the outcome will be processed and shared. The consultation will remain open for contributions until July 31st, 12:00 CET. (Closed Call)

 To participate in the Public Consultation, please go to:  EUCC Consultation Survey

Over the past two decades, the Common Criteria have proven efficient for the certification of chips and smartcards across Europe, and have enhanced the level of security of electronic signature devices, for means of identification such as passports, banking cards and tachographs for lorries. More recently, the criteria have been used intensively to certify the cybersecurity of ICT software products.

This new candidate scheme aims to further improve the Union’s internal market conditions for ICT products, and positively affects the ICT services and ICT processes relying on such products.

About the EUCC candidate scheme:

• Built on the current SOG-IS MRA and Common Criteria with rules included for transition;
• Applicable to ICT products;
• Covers assurance levels ‘Substantial’ and ‘High’;
• Certificate validity for five years, can be renewed;
• Allows for composite certification;
• Recognition in all EU Member States;
• Voluntary scheme;
• Harmonised conditions for vulnerability handling and disclosure;
•  Clearly defined rules on monitoring and handling non-compliance and non-conformity;
• Introduces a new patch management mechanism to support vulnerability handling;
• Use of a framework-based label and a QR code to ensure easy access to accurate certification information.

The EU Cybersecurity Act of 2019 (CSA) lays down an EU cybersecurity certification framework for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as of avoiding fragmentation of the internal market. ENISA’s task under the CSA is to prepare and develop candidate cybersecurity certification schemes with the involvement and support of stakeholders and a working group.

The first ad hoc working group for this scheme, the EUCC AHWG, was set up late last year by ENISA, and is chaired by the Agency. The group is composed of 20 appointed members representing industry (developers, evaluators), and 12 participants from Member States and accreditation bodies. The EUCC AHWG has been working in close collaboration with the Commission and with the European Cybersecurity Certification Group (ECCG).

The EUCC is the first candidate scheme in the framework. A second candidate scheme is currently in preparation and relates to the certification of cloud services.