The EU has adopted its first Cybersecurity Certification scheme as part of efforts to boost cybersecurity of IT products and services across member states.
The European Cybersecurity Scheme on Common Criteria (EUCC) was drafted by the European Union Agency for Cybersecurity (ENISA) in coordination with member states.
The voluntary scheme, which falls under the EU cybersecurity certification framework, will replace current national cybersecurity certifications following a transition period.
The EUCC will allow ICT suppliers to go through a commonly understood, EU-wide assessment process to demonstrate cybersecurity assurance for digital products such as technological components, hardware and software.
The Union-wide standards are designed to help European ICT providers compete in national, EU and global markets, incentivizing suppliers to improve their security.
How Will the New EU Cybersecurity Certification Scheme Work?
The EUCC proposes two levels of assurance based on the level of risk associated with the intended use of the product, service or process. This risk level is assessed in terms of the probability and impact of an incident.
Its requirements are based on the SOG-IS Common Criteria evaluation framework already used across 17 EU Member States.
Vendors will be able to convert their existing SOG-IS certificates into EUCC certificates after assessing their solutions against the added or updated requirements specified in the EUCC.
ENISA will publish certificates issued under EUCC.
Juhan Lepassaar, Executive Director at ENISA, commented: “The adoption of the first cybersecurity certification scheme marks a milestone towards a trusted EU digital single market and it is a piece of the puzzle of the EU cybersecurity certification framework that is currently in the making.”
ENISA added that it is currently working on two other cybersecurity certification schemes – for cloud services and 5G security.
The Agency has also undertaken a feasibility study on EU cybersecurity certification requirements on AI.
Increasing Cybersecurity Regulations and Standards
Demonstrating security competence through certifications has become vital for businesses amid rising compliance requirements and increasing stakeholder awareness of cyber and privacy issues.
The announcement from the EU follows a raft of legislative activity in cybersecurity from the supranational body. In December 2023, it reached agreement on the Cyber Resilience Act (CRA), which aims to introduce security requirements for connected device manufacturers within the Union.
In January 2023, the EU updated its Network and Information Security Directive (NIS2), imposing common cybersecurity standards on organizations in critical industries. The deadline for member states to transpose its provisions into national law is October 17, 2024.
In addition, last year, the ISO/IEC 27001 certification was updated to reflect new business practices and increased dependencies on cloud services.