EUCC receives first EU cybersecurity certification scheme

In July 2019, the EUCC was the first candidate cybersecurity certification scheme request received by the EU Agency for Cybersecurity (ENISA) under the Cybersecurity Act.

This scheme aims to serve as a successor to the currently existing schemes operating under the SOGIS MRA (Senior Officials Group Information Systems Security Mutual Recognition Agreement).

It covers the certification of ICT products, using the Common Criteria ISO/IEC 15408 and is the foundation of a European Cybersecurity certification framework.

The latter will consist of several schemes that it is expected to gradually increase trust in ICT products, services and processes certified under these schemes and reduce the costs within the Digital Single Market.

This scheme was originally published on 1 July 2020 and it was put for consultation which allowed certification actors and interested parties to provide their feedback through a dedicated survey.

Key points of the public consultation outcome

• Confirms the intent of certification stakeholders to use the scheme in the internal market, when it is made available
• stakeholders encourage ENISA to further develop guidance to support the implementation and execution of the scheme
• stakeholders indicated some elements of the scheme that needed to be adjusted or fixed, such as conditions or timelines for the maintenance of certificates, the monitoring and handling of non-compliances or vulnerabilities.

Key recommendations

Further to the candidate scheme ENISA has supported the EU cybersecurity certification framework to:

• Develop a communications plan targeting consumers to support the implementation of the EUCC scheme and ensure they are well informed in what cybersecurity certification of ICT products entails
• Ease the participation of interested EU Member States newcomers to cybersecurity certification to participate to the EUCC scheme by providing a dedicated training programme
• Establish a transition project in order to provide and ensure the best conditions for a smooth transfer from the current national SOG-IS activities to the current EUCC.

The Agency has currently transmitted the candidate EUCC scheme v.1.1.1 to the Commission in line with the provisions of Article 49 (6, 7) of Regulation (EU) 2019/881 (Cybersecurity Act). The Commission will initiate a Commission Implementing Regulation that may be adopted.