The EU has adopted its first cybersecurity certification system as part of efforts to strengthen the cybersecurity of IT products and services in member states.
The European Common Criteria-based cybersecurity certification scheme (EUCC) was developed by the European Union Agency for Cybersecurity (ENISA) in coordination with Member States.
The voluntary scheme, which is part of the EU cybersecurity certification framework, will replace the current national cybersecurity certifications after a transition period.
The EUCC will allow ICT suppliers to undergo a commonly understood assessment process within the EU to demonstrate cybersecurity assurance for digital products such as technology components, hardware and software.
Union-wide standards are designed to help European ICT providers compete in national, European and global markets, by providing incentives for them to improve their security.
How will the new European cybersecurity certification system work?
The EUCC offers two levels of assurance based on the level of risk associated with the intended use of the product, service or process. This level of risk is calculated from the probability and impact of an incident.
Its requirements are based on the SOG-IS Common Criteria evaluation framework already used in 17 EU Member States.
Suppliers will be able to convert their existing SOG-IS certificates to EUCC certificates after evaluating their solutions against the added or updated requirements specified in the EUCC.
ENISA will publish certificates issued under the EUCC.
Juhan Lepassaar, Executive Director of ENISA, said: “The adoption of the first cybersecurity certification scheme marks an important step towards a trusted European Digital Single Market and is a piece of the puzzle of the EU cybersecurity certification framework currently under development.”
ENISA added that it is currently working on two other cybersecurity certification schemes: one for cloud services and one for 5G security.
The Agency also undertook a feasibility study on EU cybersecurity certification requirements for AI.
Increased cybersecurity regulations and standards
Demonstrating security capabilities through certification has become vital for businesses amid increasing compliance requirements and growing stakeholder awareness of cybersecurity and privacy issues.
The EU announcement follows a series of cybersecurity legislative activities by the supranational body. In December 2023, it reached an agreement on the Cyber Resilience Act (CRA), which aims to introduce security requirements for manufacturers of connected devices within the Union.
In January 2023, the EU updated its Network and Information Security Directive (NIS2), imposing common cybersecurity standards on organizations in critical sectors. The deadline for Member States to transpose its provisions into national law is October 17, 2024.
Additionally, last year the ISO/IEC 27001 standard was updated to reflect new business practices and increased dependence on cloud services.