Cloud Services (EUCS)

The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is a certification scheme created under the Cybersecurity Act (CSA).

The aim of the CSA is to improve cybersecurity across a wide range of ICT products and services. It also establishes a unified approach to cybersecurity certification in the European internal market.

Reasons for certification

EU cybersecurity certificates give businesses and individual consumers accurate information regarding the security assurance of their certified ICT products and services. Although certification does not mean that a product or service is cyber-secure (and this is stated explicitly), a certificate does demonstrate compliance with the criteria of the cybersecurity scheme.

European cybersecurity certification is voluntary, in principle, but can be made mandatory by other EU law, or in member state law adopted in accordance with EU law. This could be the case for general cybersecurity requirements in specific EU and/or member state law which are presumed to be met if a valid certificate can be provided.

The scheme’s certificates are applicable across the EU and valid in all member states.

The EUCS scheme

The EUCS scheme is one of the first certification schemes to be developed under the CSA. The scheme:

  • Enhances trust in cloud services by defining a reference set of security requirements;
  • Proposes a new assessment approach, inspired by existing national schemes and international standards;
  • Grants a three-year certification that can be renewed;
  • Includes transparency requirements such as the location of data processing and storage.

In addition to the EUCS scheme, ‘extension profiles’ can be developed that address specific needs or implementation. Extension profiles are expected for specific sectors and/or specific subjects. An extension profile only covers security objectives and requirements and should not interfere with the core security requirements of the scheme.

Cloud service providers (CSPs) can obtain an EUCS certificate to demonstrate their conformity with the applicable security requirements for the desired assurance level defined in the EUCS scheme.

Scope

The EUCS scheme covers the EU cybersecurity certification of cloud services. Cloud services are defined as capabilities offered via cloud computing invoked using a defined interface [ISO17788]. It applies to all kinds of cloud service: IaaS, PaaS, SaaS, and other cloud services and subservices.

The scheme originates from many different sources. The first one being the report of the CSP-CERT Working Group, which was delivered in 2019 and provided a basic framework on which the candidate scheme has been developed. During subsequent development, an important source of cybersecurity requirements was C5:2020 (“Cloud Computing Compliance Criteria Catalogue” from BSI) and, more specifically, criteria from the SecNumCloud framework of ANSSI. Requirements from ISO 27001:2017 and the best practices of ISO 27002:2017 have also been taken into account.

FAQ

EUCS events

CSA-stakeholdermeeting

Please be invited on 27 June 2024, from 3:00 pm to 4.30 pm (CET) to the next online stakeholdermeeting on CSA EU certification.

Activities data

  • Date
  • Time -
  • Location Online

EUCS in depth stakeholdermeeting

Please be invited on 25 June 2024, from 2:00 pm to 3.30 pm (CET) to the first EUCS in depth online stakeholdermeeting, organised specifically for Conformity Assessment Bodies interested in entering this EU Cybersecurity Certification market.

Activities data

  • Date
  • Time -
  • Location Online

CSA-stakeholdermeeting

Please be invited on 13 December 2023, from 3:00 pm to 4.30 pm (CET) to the next online stakeholdermeeting on CSA EU certification.

Activities data

  • Date
  • Time -
  • Location Online

I want to...