EU Cybersecurity Certification Framework and the Philosopher's Stone
Roland Atoui
The EU’s new Cybersecurity Act aims to improve European cyber resilience and response by building upon existing instruments that keep networks and information systems secure. Under the Commission’s proposal, the current system may be reformed to remove constraints on the European Union Agency for Network and Information Security (ENISA). Instead, ENISA might become the center of the operation of setting up an EU certification framework.
But why is the European Cybersecurity Certification Framework so important, and what’s new when it comes to implementation?
One way in which the cybersecurity market is held back across the EU is undoubtedly a lack of a recognized cybersecurity certification scheme. What we have instead are national certifications that all work in different countries. Unfortunately, most of them aren’t mutually recognized outside of their home base market.
The European Cybersecurity Certification Framework could, therefore, eliminate problems and help create a single cybersecurity market for the EU. A harmonized approach at the EU level defines mechanisms that establish EU-wide cybersecurity certification schemes that assess the ICT (Internet and Communications Technology) processes, products, and services and make sure they comply with specified security requirements.
The European cybersecurity certification scheme looks to accomplish specific security objectives. These objectives include:
Each certification scheme should include items such as its subject matter and scope, and the type or categories of ICT processes, products, and services that it covers. It should also detail how the certification scheme in question suits the needs of the target groups. Where applicable, plans should also include assurance levels and any specific or additional requirements that would guarantee that the conformity assessment bodies evaluating the cybersecurity requirements are technically competent to do so.
Member States can propose the preparation of a candidate European cybersecurity certification scheme and may request ENISA to prepare it. ENISA then makes sure that those schemes are going to be consistent with the overall harmonized standard of candidate scheme preparation.
ENISA is also responsible for maintaining a website dedicated to providing information about European cybersecurity certification schemes. The agency will also review adopted schemes at least every five years to ensure that feedback from interested parties has been taken into account.
The EU Cybersecurity Certification Framework will make it easier for IoT manufacturers and developers to serve the European market. A unified certification framework across all of the EU will reduce the effects a fragmented market has on the online economy.