The Cybersecurity Act (EU 881/2019) is a European regulation that introduces a harmonised European framework for the EU cybersecurity certification of ICT products, services and processes.
The main objective of the Cybersecurity Act (CSA) is to improve protection against threats to cybersecurity within the EU. The CSA also enables manufacturers and service providers to use one mutually recognised certificate throughout the EU.
Over the years, many European member states have adopted national cybersecurity certification regulations. Divergence between standards in different member states and the lack of mutual recognition risked disruption to the free flow of ICT products and services within the EU. The CSA certification schemes replace the current national-level certification schemes, provided these are similar enough in scope.
The development plans for certification schemes are laid out in the Union Rolling Work Programme (URWP). While the CSA framework allows for the EU cybersecurity certification of ICT products, services and processes, there are currently no planned certification schemes for the certification of processes.
The CSA requires every EU member state to identify at least one National Cybersecurity Certification Authority (NCCA). In the Netherlands, the role of NCCA is fulfilled by the Dutch Authority for Digital Infrastructure, which is part of the Ministry of Economic Affairs.
You might have already heard about EU cybersecurity certification. Let's now see the key actors and their roles.

First, the European Union Agency for Cybersecurity. ENISA develops certification schemes together with stakeholders, based on a risk management approach. Each scheme can propose up to three levels of assurance. Then the European Commission transforms the draft schemes into legal documents called implementing acts, which are supported by guidance documents.

National Cybersecurity Certification Authorities are designated in each member state and have the responsibility to supervise the implementation of the schemes and to notify and authorise Conformity Assessment Bodies where applicable. National Cybersecurity Certification Authorities deliver certificates, but they are not the only ones participating in the certification process. Private Conformity Assessment Bodies, accredited by National Accreditation Bodies, certify for the basic and substantial assurance levels. National Cybersecurity Certification Authorities as well as National Accreditation Bodies are subject to peer evaluations, which allow for better harmonisation of EU schemes.

With all these actors in place, the certificates can be delivered to providers of compliant ICT solutions. As certified solutions might reveal vulnerabilities during their life cycle, ENISA is working hard on defining suitable conditions to ensure trust throughout the certificate lifetime. ENISA also makes sure that certification plays a significant role in future cybersecurity regulations. To stay updated or find more information about European cybersecurity certification, follow the European Union Agency for Cybersecurity online.
© ENISA - Creative Commons 4.0
Mandatory vs voluntary certification
EU cybersecurity certification is voluntary unless otherwise specified in other EU law or national law. Several current EU regulatory proposals, such as the NIS II Directive, the Artificial Intelligence Act and the Cyber Resilience Act, mandate the European Commission to define the obligations for EU cybersecurity certification under these regulations.
Mandatory certification will come in different forms. EU cybersecurity certification may become mandatory for EU market entry for certain products and services, or for specific sectors. In other cases, certification may be used as a ‘presumption of compliance’ with the cybersecurity requirements of a specific regulation.
CSA assurance levels
The CSA defines three distinct levels, known as assurance levels, on the basis of which products and services can be certified: basic, substantial and high.
In essence, each CSA assurance level defines how resilient a specific product or service has to be against a cyberattack carried out with a certain level of skill and resources. For example, certification at the ‘high’ assurance level means protection against advanced attacks from attackers with significant skills and resources.
The details of the CSA assurance levels will be worked out separately for every CSA certification scheme due to the need for a tailor-made security approach to products and services.