Monday, June 27, 2022

Cybersecurity Certification Schemes in Europe (Part 1)

by Rasma Araby

atsec has recently participated in two conferences that focused on cybersecurity certification: the 2022 International Conference on the EU Cybersecurity Act in Brussels, Belgium, and ENISA Cybersecurity Certification Conference 2022 in Athens, Greece.

atsec contributed with two presentations at the EU Cybersecurity Conference “Successful cPP Certification under the CSA,” presented by Rasma Araby, and “A Scheme of Scheme – Challenges and opportunities for CSA schemes” presented by Staffan Persson. Also, Rasma Araby participated in the panel discussion regarding “Market Incentives for Certification” at the ENISA Cybersecurity Certification Conference.

Both conferences focused on the upcoming certification schemes being developed in Europe. Upon request of the European Commission (Article 48 (2) of the Cybersecurity Act (CSA)), ENISA is working on three cybersecurity certification schemes:

  •  EUCC - the candidate EUCC scheme is a scheme for ICT products based on the Common Criteria (ISO/IEC 15408 and 18045). The EUCC candidate cybersecurity certification scheme aims to serve as a successor to the SOG-IS Mutual Recognition Agreement.
  • EUCS - the candidate European Union Cybersecurity Certification Scheme on Cloud Services (EUCS). The scheme aims to further improve the Union’s internal market conditions for cloud services by enhancing and streamlining the services’ cybersecurity guarantees. The draft EUCS candidate scheme intends to harmonize the security of cloud services with EU regulations, international standards, industry best practices, as well as with existing certifications in EU Member States.
  • EU5G – the candidate European Union Cybersecurity Certification Scheme on 5G cybersecurity. The scheme aims to develop a candidate European cybersecurity certification scheme for 5G networks to address the following use cases: the supply and deployment of 5G network equipment, management of subscriber identities, remote SIM provisioning, 5G authentication, and subscriber connectivity services.

Both conferences discussed the need for standardization and certification and also focused on stakeholder requirements, applicable national and international legislations, as well as the threat landscape. The need for harmonized requirements and schemes was heavily underlined by the attending product vendors.

All three certification schemes are under development right now. It is expected the EUCC scheme will be completed and adopted first. For the legal implementation of the candidate EUCC scheme prepared by ENISA, the European Commission will adopt an implementing act, presumably at the end of 2022.

In the second part of this blog, we will continue reporting on the cybersecurity certification schemes in Europe and will solely focus on the EUCC scheme. Stay tuned!

No comments:

Post a Comment

Comments are moderated with the goal of reducing spam. This means that there may be a delay before your comment shows up.