ENISA work in the area of certification
A number of European legislative initiatives related to information technology have been launched in recent years. The most relevant of these initiatives are the NIS Directive, the EU Data Protection Rules Reform (GDPR), the eIDAS Regulation and the Revised Directive on Payment Services (PSD2). These rules rely on the availability of trustworthy information technology products that support the deployment of robust information systems in Europe.
Trustworthiness and security of information technology products can be achieved by putting in place a certification framework. In Europe, a common ICT product security certification scheme would support the recognition of the trustworthiness of products across Member States, and such recognition is an essential pillar towards achieving the trust and security required to promote a Digital Single Market. Currently, there is no framework for the certification of ICT security products at the European level, although the already existing SOG-IS mechanism includes 9 Member States and Norway.
ENISA is working with representatives from Member States' public and private sectors on moving forward towards a common European ICT product security certification framework. Many important aspects of a potential certification scheme need to be covered and agreed, namely: accreditation bodies and criteria, conformity assessment bodies' requirements, certification criteria, certified products listing, surveillance, etc.
ENISA uses the following as its main references for building a common European ICT product security certification framework:
- The RAMS Regulation, Regulation No 765/2008 of 9 July 2008, setting out the requirements for accreditation and market surveillance relating to the marketing of products.
- The SOGIS agreement, an agreement on common information technology security evaluation criteria, signed by ten EFTA members.
- The CE marking, a marking by which the manufacturer indicates that the product is in conformity with the applicable requirements set out in Community harmonisation legislation providing for its affixing.
- The minutes of the 2014 SOGIS workshop and the 2016 ICT product security certification workshop, both conducted by ENISA, especially their main conclusions and the points raised during the discussions.