By Alina Clasen | Euractiv
31-01-2024

The European Commission adopted the European cybersecurity certification scheme on Wednesday (31 January), the EU’s first cyber scheme to certify ICT products, in line with the aims of the EU’s Cybersecurity Act.

The European Cybersecurity Certification Scheme on Common Criteria (EUCC) offers a set of rules to ensure trustworthiness in the life cycle of information and communications technology (ICT) products.

ICT products are goods through which information in digital form is electronically accessed, processed, stored, transferred, or obtained. They include wireless and smart devices but also technological components such as chips, smartcards, hardware and software.

Common criteria laboratories are ICT security certification laboratories that provide services to assess the security of ICT products based on an authorised and standardised methodology.

Half of all global common criteria laboratories are located in Europe, with more than 60% of the 350 common criteria certificates awarded each year issued in the EU, according to ENISA, the EU’s cybersecurity agency.

“The objective of this framework was to raise the level of cybersecurity of ICT products, services and processes in the EU Market,” a Commission spokesperson told Euractiv.

“It does so by setting a comprehensive set of rules, of technical requirements, standards, and procedures to be applied across the Union,” the spokesperson added.
The first phase of the EUCC implementation, lasting approximately one year, will focus on establishing public and private Conformity Assessment Bodies (CABs).

“Within the EU, the scheme gives the opportunity to all EU Member States to operate public and private CABs if they wish to do so,” Laura Heuvinck, ENISA’s spokesperson, told Euractiv.

“In a more global context, the adoption of the scheme opens up opportunities in public procurement across the Union as certification comes under the Treaty,” Heuvinck added.

The cyber agency is working on two other cybersecurity certification schemes for cloud services and 5G security. Feasibility for other projects addressing cybersecurity certification for AI and a certification strategy for eIDAS are being developed.

Managed security services

The scheme falls under the EU cybersecurity certification framework, as per the 2019 Cybersecurity Act.

In April last year, the Commission proposed a targeted amendment to the Cybersecurity Act “to allow for the possibility to expand the benefits of the European Cybersecurity Certification Framework to Managed Security Services,” the Commission’s spokesperson explained.

Services that perform or support customer cybersecurity risk management activities are also known as managed security services. For the EU, these services are becoming increasingly important for preventing and mitigating cybersecurity incidents.
Harmonising approach

The implementation of EUCC is based on the SOG-IS Common Criteria evaluation framework used in 17 EU states. It aims to harmonise national certification schemes under the SOG-IS agreement and replace the latter.

With the EUCC, the EU aims to introduce a speedier and more effective certification mechanism that allows businesses EU-wide to compete at national, EU and global levels.

The EUCC should not only harmonise national certification arrangements but also complement regulations such as the Cyber Resilience Act and the revamped Network and Information Security Directive (NIS2).

For organisations considered essential or important to the functioning of society, certification schemes such as EUCC might be made mandatory.

[Edited by Luca Bertuzzi/Nathalie Weatherald]