The European Union has made strides to enhance cybersecurity across its member states with the adoption of the first Cybersecurity Certification scheme. This voluntary scheme, known as the European Cybersecurity Scheme on Common Criteria (EUCC), was developed by the European Union Agency for Cybersecurity (ENISA) in collaboration with member states.
The EUCC is designed to replace current national cybersecurity certifications and will provide a commonly understood assessment process for ICT suppliers to demonstrate cybersecurity assurance for digital products such as technological components, hardware, and software. The goal is to establish Union-wide standards that will help European ICT providers compete in national, EU, and global markets, while also incentivizing suppliers to improve their security measures.
The EUCC proposes two levels of assurance based on the level of risk associated with the intended use of the product, service, or process. These requirements are based on the SOG-IS Common Criteria evaluation framework already used across 17 EU Member States. Vendors will have the opportunity to convert their existing SOG-IS certifications into EUCC certificates after assessing their solutions against added or updated requirements specified in the EUCC.
The certificates issued under EUCC will be published by ENISA. Juhan Lepassaar, Executive Director at ENISA, emphasized the significance of this milestone in the development of the EU digital single market, calling it a piece of the puzzle in the construction of the EU cybersecurity certification framework. ENISA is also working on the development of cybersecurity certification schemes for cloud services and 5G security, as well as conducting a feasibility study on EU cybersecurity certification requirements for AI.
The move to establish the EU Cybersecurity Certification scheme is part of a broader trend of increasing cybersecurity regulations and standards within the EU. The Cyber Resilience Act (CRA) was adopted in December 2023 to introduce security requirements for manufacturers of connected devices within the Union. Additionally, the EU updated its Network and Information Security Directive (NIS2) in January 2023, imposing common cybersecurity standards on organizations in critical sectors, with a deadline for national transposition of the provisions set for October 17, 2024. Furthermore, the ISO/IEC 27001 standard was updated last year to reflect new business practices and increased dependencies on cloud services.
The significance of these developments reflects the growing need for businesses to demonstrate their security competence through certifications, especially in light of rising compliance requirements and increased stakeholder awareness of cyber and privacy issues. By establishing EU-wide cybersecurity certification standards, the EU aims to strengthen the cybersecurity posture of its member states and promote the competitiveness of European ICT providers in the global market.