News article, 6 February 2020, European Union Agency for Cybersecurity

Standardisation and the EU Cybersecurity Act

The EU Agency for Cybersecurity publishes two studies related to the domain of standards supporting the Cybersecurity Act and the new Cybersecurity Certification Framework.

The EU Cybersecurity Certification Framework will make it easier for ICT manufacturers and developers to serve the EU market. A unified Cybersecurity Certification Framework across the EU will reduce the economic effects of a fragmented market. The role of standardisation bodies is key to supporting the creation of certification schemes under this framework.

EU Standardisation Conference

On the 3rd of February 2020, the Agency organised a conference ‘Cybersecurity Standardisation and the EU Cybersecurity Act - What's Up?’ together with the European Standards Developing Organisations – CEN-CENELEC and ETSI. The event attracted over 400 stakeholders from various sectors – policy makers, industry, research, standardisation organisations, certification organisations and those involved in the development of the ICT certification framework in Europe.

The conference discussed the challenges in the standardisation landscape for cybersecurity in light of the EU Cybersecurity Act (CSA). The main topics were:

  • The role of standardisation to support the certification framework
  • Achievements in cybersecurity standardisation and the rolling plan of standardisation bodies
  • First EU certification scheme – difficulties and success stories in relation to standards
  • Next prospective schemes – way ahead

The Executive Director of the EU Agency for Cybersecurity, Juhan Lepassaar, commented:

It is important that organisations involved in standardisation and certification align their activities. The EU cybersecurity certification framework must be supported by modern, high quality standards.

As a follow-up to this event, we publish today two studies related to the domain of standards supporting the Cybersecurity Act and the new certification framework.

Recommendations for European standardisation in relation to the Cybersecurity Act

The Report - Standardisation in support of the Cybersecurity Certification presents the value of cybersecurity standardisation efforts for certification and the roles and responsibilities of Standards Developing Organisations (SDOs) in this context, and discusses how standardisation can efficiently support the process of creating certification schemes by following a step-by-step methodology.

The methodology described in this study can be used as guidelines for new certification schemes or by standards authors. It helps in setting up KPIs that are useful for all stakeholders involved in the preparation or operational phase of a certification scheme. The proposed qualification system can also be used to define more precisely the requirements associated with the different assurance levels mentioned in Article 52 of the Cybersecurity Act.

With regard to standardisation activities, the study proposes a set of recommendations for the Standards Developing Organisations and the prospective authors of certification schemes.

Analysis of standards in areas relevant to the potential EU candidate cybersecurity certification schemes

The Report - Standards Supporting Certification explores five distinct areas in which frameworks, schemes or standards currently exist that could potentially be evolved into EU candidate cybersecurity certification schemes. These five areas are the Internet of Things (IoT), cloud infrastructure and services, threat intelligence in the financial sector, electronic health records in healthcare, and qualified trust services.

The study reflects on the standards currently available in these five areas of interest and identifies existing gaps. It further proposes recommendations on how these gaps can be addressed, especially by standardisation bodies, and how the available standards could potentially be adapted to form the basis of future candidate EU cybersecurity certification schemes.
