On 2nd–3rd June, ENISA held the 2022 edition of its Cybersecurity Certification Conference.
The conference focused on the future of certification and how certification schemes will be developed and implemented as part of the EU’s certification approach.
The ENISA Cybersecurity Certification Conference provided insightful presentations and panel discussions from cybersecurity experts, service providers, Conformity Assessment Bodies (CABs), supervisory bodies and national authorities. The core of the conference focussed on the implementation of national strategies across the EU, providing updates on the ongoing development of the certification scheme.
This article considers the positive impact that the EU cybersecurity certification framework could have for organisations adopting ICT products and services once it is implemented. Specifically, it outlines how certifications could streamline the assessment of products and services across the European digital marketplace by providing common assurance standards for procurement functions.
The EU cybersecurity certification framework aims to establish and maintain trust and security for ICT products, services and processes by enabling a certification recognised across the EU. Once in effect, the cybersecurity certification schemes will provide a framework that can be used to assess ICT products, cloud services and mobile networks. Where a product or service meets the requirements of the respective scheme, a certification will be awarded that demonstrates the organisation’s commitment to ensuring the security of its market offering. Certifications therefore bestow a level of assurance that certain defined security standards have been achieved, thereby enabling consumer confidence.
Certification schemes will provide three assurance levels: basic, substantial and high. The assurance level sought should be commensurate with the level of risk associated with the intended use of the product or service. A high assurance level would indicate that the certified product or service has met the most rigorous security standards set for consumer offerings.
Certification will be voluntary, and Conformity Assessment Bodies (CABs) will be tasked with performing the conformity assessments that lead to certification. Certifications, when awarded, will be recognised uniformly across the EU. CABs will also offer related assessment tools and services.
There are currently three different certification schemes under development:
- EU Common Criteria Scheme (EUCC), covering ICT products;
- EU Cloud Services (EUCS), covering cloud services; and
- EU5G, addressing security of the 5G ecosystem.
The EUCC certification scheme covering ICT products, which is based on the existing international “Common Criteria” scheme, is nearing completion and is expected to be operational this year. Certification schemes will be aligned where possible with existing certification schemes and standards such as ISO/IEC 27001, BSI C5 (Germany), SecNumCloud (France), the CSA Cloud Controls Matrix, NIST SP 800-53, the SOC 2 Trust Services Criteria and PCI DSS.
Although the certification will be voluntary, the EU Cybersecurity Agency is required to evaluate by 2023 whether specific schemes should be mandatory for certain high-risk ICT products, services, or processes.
The availability of certifications will have significance for the wider EU cybersecurity agenda. It is important to consider how they may aid the objectives of the Network and Information Systems Directive (NISD). The NISD aims to boost the overall level of cybersecurity in the EU, particularly for Critical National Infrastructure and Operators of Essential Services. Additionally, the efforts of national competent authorities demonstrate a joined-up approach. For instance, the Irish National Cyber Security Centre’s (NCSC) publication of cyber security baseline standards for Public Service Bodies (PSBs) demonstrates a comparable practice: the adoption of standardised methodologies to achieve accepted levels of assurance.
Once in place, the EU cybersecurity certification framework will provide a common reference scheme for procurement teams assessing the potential risk of ICT products and services. When the certification schemes have been rolled out and are beginning to be widely used, we would recommend that companies take stock of their current processes and consider whether they can implement strategies to take full advantage of certification. This could include:
- Assessing the time and expense taken up by their current cybersecurity due diligence during procurement, gauging what could be leveraged from the certifications and calculating the potential savings.
- Evaluating the benefits of exclusively using certified products and services, and publicising this policy.
- Leveraging a baseline level of assurance for third-party products and services within the supply chain.
We will keep you updated on the roll-out of the certification framework through subsequent newsletter articles as it progresses.
Because certificates will be recognised in all EU Member States, it is expected that the framework will also make cross-border trade easier for organisations. For more information, ENISA has published a helpful video giving an overview of how the cybersecurity certification framework will function. Trilateral’s Data Protection and Cyber Risk Team includes data protection, information and cyber security specialists with extensive expertise in delivering solutions-oriented data protection and cyber risk services. We can assist with your journey towards cyber security certification and the adoption of baseline security standards. Contact our advisors today for a consultation.