The European Commission has adopted the implementing regulation establishing the EU cybersecurity certification scheme based on Common Criteria (EUCC). The regulation follows the candidate EUCC scheme that ENISA, the European Union Agency for Cybersecurity, drafted at the Commission's request.
The candidate scheme was developed with the support of an ad-hoc working group (AHWG) of experts from industry and from the National Cybersecurity Certification Authorities (NCCAs) of the EU Member States. ENISA also received guidance from the Member States through the European Cybersecurity Certification Group (ECCG) and contributions from the Stakeholder Cybersecurity Certification Group (SCCG).
The adoption of the first EU cybersecurity certification scheme is a milestone towards establishing trust in the EU digital single market, and the EUCC is a central component of the wider EU cybersecurity certification framework still being built out. Certification under the framework is voluntary. The EUCC is nevertheless expected to pave the way for the further schemes now in preparation, and it will ultimately replace the national certification schemes that operated under the SOG-IS Mutual Recognition Agreement.
According to Juhan Lepassaar, the Executive Director of the EU Agency for Cybersecurity, “The adoption of the first cybersecurity certification scheme marks a milestone towards a trusted EU digital single market, and it is a piece of the puzzle of the EU cybersecurity certification framework that is currently in the making.”
The EUCC falls under the EU cybersecurity certification framework established by the 2019 Cybersecurity Act, whose goal is to raise the level of cybersecurity of ICT products, services and processes on the EU market. The framework does this by setting a common body of rules, technical requirements, standards and procedures to be applied across the Union. Under the EUCC, ICT suppliers can have their products, including technological components, hardware and software, assessed and certified through a single, commonly understood evaluation process.
This voluntary scheme is rooted in the long-established SOG-IS Common Criteria evaluation framework and offers two assurance levels, 'substantial' and 'high', selected according to the risk associated with the intended use of the product, service or process. The scheme has been tailored to the needs of the EU Member States and aims to let European businesses compete at national, Union and global level.
ENISA has also been working on two further cybersecurity certification schemes: EUCS for cloud services and EU5G for 5G security. The agency has in addition carried out a feasibility study on EU cybersecurity certification requirements for AI and is supporting the development of a certification strategy for the European Digital Identity (eIDAS) wallet. Separately, the European Commission has proposed an amendment to the Cybersecurity Act that would add a scheme for managed security service providers (MSSPs). Together, these efforts reflect a commitment to strengthening cybersecurity across a range of sectors.
The implementing act adopted by the European Commission provides for a transition period during which organisations can continue to rely on existing certifications issued under national schemes. Conformity Assessment Bodies (CABs) wishing to evaluate against the EUCC can be accredited and notified during this period, and vendors will be able to convert existing SOG-IS certificates into EUCC certificates once their products have been assessed against the added or updated requirements.
Going forward, certificates issued under the EUCC will be published by ENISA, which will also provide material to support implementation of the scheme. This includes publishing the Implementing Act and its supporting documents on the dedicated certification website, along with further support material such as a video on the latest developments of the scheme.
Overall, the adoption of the EUCC is a significant step towards stronger cybersecurity within the EU and a trusted digital single market. With further certification schemes in the pipeline, the EU is laying the groundwork for a more secure and more competitive digital landscape.