Certification

EU cybersecurity certification framework

Securing network and information systems in the European Union has been deemed as a key objective in an effort to keep the EU online economy functional and secure; it is evident that failure to do so could have far reaching consequences for European citizens and threatens to impact the trust of citizens, the industry and public administration alike. As the role of ENISA has been further bolstered by means of Regulation (EU) 2019/881 (Cybersecurity Act), the important task of cybersecurity certification calls for appropriate stakeholders’ involvement and support.
The purpose of the EU cybersecurity certification framework under the Regulation (EU) 2019/881 is to establish and maintain the trust and security on cybersecurity products, services and processes. Drawing up cybersecurity certification schemes at EU level aims at providing criteria to carry out conformity assessments to establish the degree of adhrence of products, services and processes against specific requirements. Users and service providers alike, need to be able to determine the level of security assurance of the products, services and processes they procure, make available or use.

Cybersecurity certification requires the formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria, standards, and the issuing of a certificate indicating conformance; as such cybersecurity certification plays a key role role in increasing trust and security in products, services and processes. Cybersecurity certification in the EU serves the purpose of providing notice and assurance to users about the level of conformity against stated requirements. EU cybersecurity certification schemes serve as the vehicle to convey such requirements from the EU policy level to the industry service provision level and further to the users and conformity assessemnt bodies.

As set out in Regulation (EU) 2019/881, the EU cybersecurity certification framework lays down the procedure for the creation of EU cybersecurity certification schemes, covering ICT products, services and processes. Each scheme will specify one or more level(s) of assurance (basic, substantial or high), on the basis of the level of risk associated with the envisioned use of the product, service or process.

Mission of ENISA

The mission of ENISA in the area of the EU cybersecurity certification framework is outlined as follows: “To pro-actively contribute to the emerging EU framework for the ICT certification of products and services and carry out the drawing up of candidate certification schemes in line with the Cybersecurity Act, and additional services and tasks”.

Throughout its lifespan ENISA has received due recognition for its outputs. In a shift towards a role that adds more value to the EU policy on network and information security, ENISA has been singled out as the appropriate organisation to deliver on the promise of drawing up candidate certification schemes in an EU cybersecurity certification framework. ENISA, with its pivotal role as an agency that engages with public services as well as with industry and standardisation organisations, provides a sound reference point to draw up candidate cybersecurity certification schemes. The expected output of ENISA includes draft and finalised candidate schemes for the certification of ICT products and services, within the meaning of the Cybersecurity Act.