Growing numbers of manufacturers and service providers of ICT products and services are becoming interested in EU cybersecurity certification under the Cybersecurity Act (CSA).
In some cases, certification may lead to a market advantage while in other cases certification provides an opportunity to demonstrate compliance with EU regulation.
Advantages of EU cybersecurity certification
EU cybersecurity certificates are recognised throughout the EU, which reduces overall certification costs. National-level cybersecurity certification schemes will be replaced by EU cybersecurity certification schemes provided they have a comparable scope.
EU cybersecurity certificates give businesses and individual consumers accurate information regarding the security assurance applicable to their certified ICT products and services. The availability of cyber-resilient products and services is becoming ever more important for business continuity, and upcoming EU regulation will further increase the demand for secure products and services.
Under forthcoming EU regulation, the use of EU cybersecurity certified products and services may become mandatory for some vital and important sectors such as energy, transport and telecommunication. In other cases, EU cybersecurity certification may become mandatory in order to enter EU markets. Staying up to date with new EU regulation regarding cybersecurity will be a clear advantage.
CSA assurance levels
In principle, EU cybersecurity certification is possible at three assurance levels: Basic, Substantial and High. However, each certification scheme defines which of these assurance levels are in its scope.
Certification at the assurance level Basic is conducted by a Conformity Assessment Body (CAB) or, where the scheme allows it, by means of a conformity self-assessment by the manufacturer or provider. Certification at the assurance level Substantial is conducted by a CAB. Certification at the assurance level High can be carried out either by CABs or by the National Cybersecurity Certification Authority (NCCA) itself, depending on the implementation method chosen by the EU member state.
Efficient, flexible, high-quality certification in the Netherlands
The National Cybersecurity Certification Authority (NCCA) of the Netherlands makes the certification process as flexible and efficient as possible while maintaining high standards of quality.
The Netherlands has chosen the Prior approval model for the implementation of the NCCA tasks. Under this model, the CABs conduct the evaluation and certification process for the assurance level High themselves, with the NCCA giving prior approval for each individual certificate before it is issued. As a result, the Netherlands is able to process these certification requests rapidly, flexibly and responsively. For the CSA assurance levels Basic and Substantial, the NCCA only monitors the certificates after issuance by means of random checks. Certified products and services must remain compliant for the whole validity period of the certificate, throughout the product or service life cycle.
How to certify an ICT product or service
The first step in certifying an ICT product or service under the CSA is to determine which certification scheme to use. For each scheme, a certification process will be developed in order to provide further guidance on how to get certified. The first certification schemes created under the Cybersecurity Act are the Common Criteria-based European Cybersecurity Certification Scheme (EUCC) and the European Cybersecurity Certification Scheme for Cloud Services (EUCS). Other schemes are expected in the coming years, such as schemes for 5G network components, the Internet of Things (IoT), artificial intelligence and Industrial Automation and Control Systems (IACS). The Union Rolling Work Programme of the European Commission sets the priorities for the development of these schemes.
Obligations under the CSA
Under the CSA, holders of EU cybersecurity certificates and conformity self-assessments have certain obligations and are subject to supervision by the NCCA. We are currently creating an overview of these obligations and will add this overview here as soon as it is ready.