The European Commission has recently adopted the European Cybersecurity Scheme on Common Criteria (EUCC), which is the first-ever European cybersecurity certification scheme [3]. This voluntary scheme [2] [3], developed by the European Union Agency for Cybersecurity (ENISA) [2] [3], aims to enhance the cybersecurity of IT products and services across member states [2].
Description
The EUCC replaces existing national certifications and establishes rules and procedures for certifying ICT products. It is intended to give assurance that certified products, covering both hardware and software, provide effective protection. By undergoing a standardized assessment process [2], ICT suppliers can demonstrate cybersecurity assurance for their digital products. This scheme complements the Cyber Resilience Act [3], which imposes binding cybersecurity requirements on all hardware and software products in the EU [3]. Furthermore, the Cybersecurity Act [1] [2], established in June 2021, provides a framework for cybersecurity certification for ICT products [1], processes [1] [2], and services [1] [2].
Certification is crucial for ensuring the quality and reliability of cybersecurity services that assist companies and organizations in preventing [1], detecting, responding to [1], or recovering from incidents [1]. In April 2023 [1], the European Commission proposed an amendment to include managed security services in the certification scheme [1]. This expansion would cover areas such as incident response [1], penetration testing [1], security audits [1], and consultancy [1]. Additionally, in October 2023 [1], the European Commission conducted a public consultation on a draft implementing regulation to establish the European Common Criteria-based cybersecurity certification scheme (EUCC) [1]. If implemented [1], the EUCC would replace all relevant national cybersecurity certification schemes in the EU [1].
The EUCC was developed in collaboration with industry experts and Member States, following technical and legal discussions and public consultation [3]. Its primary goal is to help European ICT providers compete in national, EU, and global markets [1] [2] [3] by encouraging them to improve their security measures [2]. Once published in the Official Journal of the EU [3], the scheme will come into effect 20 days after publication [3]. The European Commission will also publish the first Union Rolling Work Programme for European cybersecurity certification [3], outlining future schemes based on recent legislative and market developments [3].
Conclusion
The adoption of the EUCC has significant implications for the cybersecurity landscape in Europe. It provides a standardized and authoritative framework for certifying ICT products and services, ensuring their cybersecurity capabilities. By replacing national certifications [2], the EUCC [1] [2] [3] promotes consistency and harmonization across member states. This scheme also encourages ICT providers to enhance their security measures, enabling them to compete effectively in national, EU, and global markets [2]. The inclusion of managed security services in the certification scheme further strengthens its scope and relevance. Overall, the EUCC represents a crucial step towards improving cybersecurity in Europe and safeguarding digital products and services.
References
[1] https://privacy108.com.au/insights/cybersecurity-regulations-in-europe/
[2] https://www.infosecurity-magazine.com/news/eu-cybersecurity-certification/
[3] https://digital-strategy.ec.europa.eu/en/news/first-eu-wide-cybersecurity-certification-scheme-make-european-digital-space-safer