eu cybersecurity certification scheme

How Will the EU’s First Cybersecurity Certification Scheme Impact Your Business?

In the digital world, trust is hard won and easily lost. Part of the reason for this is the lack of a universally understood and credible security kitemark scheme. Enter the EU’s cybersecurity certification framework: a years-long initiative designed to harmonise trust in IT products, services and processes within the bloc and beyond.

EU security agency ENISA has just announced the first such scheme: The European Cybersecurity Scheme on Common Criteria (EUCC). According to experts, it will complement proposed EU cybersecurity rules and could help UK businesses both market their own products and improve baseline security in their organisation.

Why do we need the EUCC?

Deficiencies in IT products are a key cause of cyber risk. They may be riddled with software vulnerabilities, or feature insecure hardware components, communications protocols and out-of-the-box configurations which are hard to fix. Some manufacturers may not even have a dedicated vulnerability management programme.

Yet up until now, it’s been challenging for IT buyers to discern the secure products on the market from the also-rans, and the downright insecure kit. Any certification schemes in operation were run on a national basis, which is no good in an increasingly global and interconnected world.

What is the EUCC?

This is where the EUCC comes in. Provided for by the EU’s 2019 Cybersecurity Act (CSA), it’s designed to introduce a “comprehensive set of rules, of technical standards requirements, standards and procedures to be applied across the union,” according to ENISA.

It continues:

“Voluntary-based, the new EUCC scheme allows ICT suppliers who wish to showcase proof of assurance to go through an EU commonly understood assessment process to certify ICT products such as technological components (chips, smartcards), hardware and software. The scheme is based on the time-proven SOG-IS Common Criteria evaluation framework already used across 17 EU member states. It proposes two levels of assurance based on the level of risk associated with the intended use of the product, service or process, in terms of probability and impact of an accident.”

According to CyberSmart cybersecurity consultant, Adam Pilton, there are two security assurance levels: “Substantial” and “High”.

“The substantial level ensures that the ICT products, services and processes meet the stipulated functionalities and are at a level intended to minimise known cybersecurity risks carried out by actors with limited skills and resources,” he tells ISMS.online.

“The high assurance ensures ICT products, services and processes meet the stipulated functionalities and are at a level intended to minimise state-of-the-art cyber-attacks carried out by actors with significant skills and resources.”

Certification can last for up to five years or more in some cases. But if during the lifetime of a certification any element of the asset in question changes, action would be required to update assurance levels. If not completed satisfactorily, it could lead to suspension or withdrawal of the certification, Pilton explains.

How the EUCC Could Benefit UK Firms

There are two main benefits to the EUCC. It will hopefully:

Incentivise ICT suppliers/manufacturers to enhance the security of their products, services and processes, by encouraging them to adhere to the EUCC requirements
Provide a useful way for organisations buying IT products and services to ensure their purchases are aligned with their risk appetite

A certification scheme is essential “to develop, launch and effectively manage secure devices and services”, according to Gil Bernabeu, CTO of technical standards organisation, GlobalPlatform.

“SOG-IS has enabled this in Europe for the past decade. And EUCC builds on that approach, extending the reach and recognition across the 27 member states to enable vendors to certify and sell products across Europe under the EU CSA,” he tells ISMS.online.

“The key to its success will be ensuring that security levels are consistent across all regions and markets in a way that is transparent, aligned with industry, and accessible to the end user. Saving time, money and effort while improving cybersecurity in Europe can only be a good thing.”

Although the scheme is EU-based, any business can obtain certification. That means UK IT suppliers could use certification to enhance the marketability of their solutions among an EU customer base. It will also benefit IT buyers in the UK as they try to differentiate between suppliers within the bloc.

The scheme’s influence could stretch even further afield in time, according to Pilton.

“Countries around the world were involved in the consultation of this scheme, including the UK, US, Australia and China. And 82% of the participants involved in the consultation indicated their intention to use the EUCC scheme,” he says.

“Having an EU-wide certification will create a more trusted and secure Europe. And with other countries indicating their intent to adopt this scheme, this will undoubtedly have a global impact in ensuring that we have access to trustworthy products, processes and services.”

Just the Start

Although voluntary, the scheme could have a significant impact, just like the UK’s Cyber Essentials, says Pilton.

“The EUCC is a scheme that can unite a continent, a globally influential continent too. It will of course directly improve the cybersecurity of those participating but will also increase awareness, promoting cyber-hygiene and best practices to all businesses,” he claims.

“Over time this will build trust, encouraging responsible development and deployment of secure products. Twenty-five percent of those who attended the EUCC consultation stated that they intended to have their products certified against it.”

The EUCC will also complement other legislation and directives in development at an EU level, for example helping NIS2 compliance for organisations needing to evidence that entities in their supply chains meet prescribed standards, Pilton says.

That’s also the opinion of Jesus Fernandez, who was a member of the ENISA working group on EUCC.

“The voluntary scheme will complement the Cyber Resilience Act that introduces binding cybersecurity requirements for all hardware and software products in the EU. The EUCC scheme will also boost the implementation of the NIS2 Directive,” he argues.

“So, at this point, it is prudent to expect future vertical/sectoral regulations that could impose mandatory EUCC certifications specific to particular types of IT products when used in specific sectors.”

It’s also worth remembering that the EUCC is the first of three cybersecurity certification schemes, with two others covering cloud services and 5G networks still being finalised. Together, they could do much to improve baseline security across the region and beyond.

Explore ISMS.online's platform with a self-guided tour - Start Now