Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label EUCC. Show all posts

EU Takes a Leap Forward with Cybersecurity Certification Scheme

EUCC

What is the EU cybersecurity certification scheme?

The EUCC, or EU cybersecurity certification scheme, has an implementing rule that was adopted by the European Commission. The result is consistent with the cybersecurity certification methodology under consideration on EUCC, which was created by ENISA in response to a request from the European Commission.

An ad hoc working group (AHWG) made up of subject matter experts from various industrial sectors and National Cybersecurity Certification Authorities (NCCAs) of EU member states provided support to ENISA in the design of the candidate scheme.

ENISA is appreciative of the efforts made by the Stakeholder Cybersecurity Certification Group (SCCG) as well as the advice and assistance provided by Member States through the European Cybersecurity Certification Group (ECCG).

It is anticipated that the EUCC sets the path for the upcoming schemes that are presently being developed, as it is the first cybersecurity certification system accepted by the EU. While the cybersecurity certification framework is optional, an implementing act is a component of the EU Law, or "acquis communautaire." National certification programs that were previously part of the SOG-IS agreement will eventually be replaced by EUCC.

"The adoption of the first cybersecurity certification scheme marks a milestone towards a trusted EU digital single market, and it is a piece of the puzzle of the EU cybersecurity certification framework that is currently in the making," stated Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity.

About EUCC

The new program is compliant with the EU cybersecurity certification system, as stipulated by the 2019 Cybersecurity Act. Raising the degree of cybersecurity for ICT goods, services, and procedures on the EU market was the aim of this framework. It accomplishes this by establishing a thorough set of guidelines, technical standards, specifications, norms, and protocols that must be followed throughout the Union.

The new voluntary EUCC program enables ICT vendors to demonstrate proof of assurance by putting them through a commonly recognized EU assessment procedure. This approach certifies ICT goods, including hardware, software, and technological components like chips and smartcards.

The program is built around the tried-and-true SOG-IS Common Criteria assessment framework, which is currently in use in 17 EU Member States. Based on the degree of risk connected to the intended use of the good, service, or process in terms of the likelihood and consequence of an accident, it suggests two levels of assurance.

The complete plan has been customized to meet the requirements of the EU Member States through thorough research and consultation. Hence, European enterprises can compete on a national, Union, and international scale thanks to the certification processes implemented throughout the Union.

What next?

In collaboration with the Ad-hoc working group, ENISA developed the candidate scheme, defining and agreeing upon the security requirements as well as generally recognized assessment techniques.

Following ECCG's opinion, ENISA forwarded the draft scheme to the European Commission. As a result, the European Commission issued an implementing act, which was later approved through the pertinent comitology procedure.

The enacted legislation anticipates a transitional period wherein firms will reap the advantages of current certifications obtained under national systems in a subset of Member States. Accreditation and notice are available to Conformity Assessment Bodies (CABs) who are interested in evaluating against the EUCC. After evaluating their solutions against any updated or new standards outlined in the EUCC, vendors will be able to convert their current SOG-IS certificates into EUCC ones.

Other certificates

Two further cybersecurity certification programs, EUCS for cloud services and EU5G for 5G security are presently being developed by ENISA. Additionally, the Agency is assisting the European Commission and Member States in developing a certification plan for the eIDAS/wallet and has conducted a feasibility assessment on EU cybersecurity certification standards for AI. A managed security services (MSSP) program is envisioned in a recent modification to the Cybersecurity Act proposed by the European Commission.