European Cybersecurity Act: What certification process?

In 2017, the European Commission published a series of initiatives to strengthen the EU's resilience, deterrence and defense against cyberattacks. These measures include the proposal for a Regulation on ENISA and on the cybersecurity certification of information and communication technologies (the European Cybersecurity Act). This regulation gives ENISA a permanent mandate and strengthens its expertise in prevention, consultancy and cooperation. The European Cybersecurity Act also includes a second component aimed at creating a European cybersecurity certification framework, in which ENISA plays a key role. Article [01] described the changes that the Cybersecurity Act will bring to organizations and institutions. To go further, it is important to understand the implications of the certification process, the actors involved, and the definition of the different levels of assurance.

In summary, the Cybersecurity Act includes the following points:

  • ENISA is in charge of developing European cybersecurity certification plans, based on a proposal from the Commission;
  • Three levels of assurance with different requirements are defined: basic, substantial, high;
  • The basic level of assurance can be achieved via a self-assessment of compliance;
  • The national certification control authorities have a triple role:
    • Accreditation of compliance assessment organizations;
    • Verification of the compliance of certificates or declaration of compliance issued with the requirements of the plan and the regulation;
    • Delivery of certificates for the high level of assurance, and in some cases even lower levels;
  • Certification is voluntary, but the Commission will establish, by 2023 at the latest, a list of products, services and processes covered by an existing certification plan that should be made subject to a mandatory plan.

The guiding ideas behind this Regulation are to define a multi-level certification system adapted to the needs of the market while preserving what existing certification schemes have already achieved. National certification control authorities continue to play an essential role because they hold the expertise in cybersecurity certification.

Title III of the Cybersecurity Act is dedicated to the definition of a European cybersecurity certification framework. Its objective is to improve the functioning of the internal market by raising the level of cybersecurity within the EU and by providing a harmonized approach to certification plans. It defines a mechanism for establishing European certification plans and for attesting that ICT products, services and processes certified in accordance with these plans meet specified security requirements. The Cybersecurity Act details the security objectives of European cybersecurity certification plans. The harmonization of certifications at the European level was a major point of this initiative: the Commission recognized its importance and agreed to a harmonized approach to certification across the different national supervisory authorities. A system of peer review between European national certification authorities has therefore been introduced, covering in particular the procedures for issuing cybersecurity certificates.

A certification plan may specify a basic, substantial or high level of assurance. The level of assurance is proportional to the level of risk, in terms of probability and impact of an incident. This level also depends on the intended use. Each level of assurance has specific security requirements, including the security functions and the level of effort required for the assessment.

The basic, substantial and high levels of assurance meet the following criteria respectively:

  • Basic: at least one review of the technical documentation;
  • Substantial: checking that known vulnerabilities are not applicable and verifying that the security functions are correctly implemented by the products, services or processes;
  • High: the same verifications as for the substantial level, plus an evaluation of resistance to experienced attackers by means of penetration testing.

For the basic level and for low-risk products and services, the evaluation can consist of a self-assessment of compliance.

For the high level of assurance, the certificate can only be issued by a national certification control authority (or a duly delegated organization).

The Regulation explicitly states that certification is voluntary unless European or national legislation provides otherwise. By 31 December 2023 at the latest, the Commission will have to decide whether a specific plan should become mandatory in order to ensure an adequate level of cybersecurity, and for which types of products and services.

References

[01] Cybersecurity Act: What’s going to change?