- Anežka Karpjáková
One way for a company to strengthen its security and ensure compliance with legal and regulatory requirements is through certification. A significant milestone in the certification process was the adoption of the Regulation on the European Union Agency for Cybersecurity and on Cybersecurity Certification of Information and Communication Technologies (the "EU Cybersecurity Act"), which is the focus of this article.
What is certification?
Cybersecurity certification is a process that verifies whether specific products, services, or processes meet minimum security standards for a given category. The goal is to build trust in these products and services by ensuring their availability, confidentiality, and integrity.
To obtain a certificate, a company must first ensure that its products, services, or processes meet all requirements defined in the certification scheme. This involves implementing the necessary security measures and preparing the supporting documentation. The company then applies for certification with an accredited certification body, which evaluates compliance with the criteria. This evaluation may include audits, testing, or other verification methods to assess conformity with the established standard.
Obtaining the certificate is not the end of the process, as companies must continuously monitor and maintain security measures to ensure ongoing compliance with certification requirements.
What was before the EU Cybersecurity Act?
Before the EU Cybersecurity Act, some EU Member States already operated their own certification schemes. However, cybersecurity certification was limited to specific industries, and some states lacked certification authorities altogether because of the high cost of building testing laboratories.
The absence of a unified regulatory framework providing consistent rules and security levels across the EU was particularly challenging for businesses offering products or services in several Member States. They often had to undergo certification separately in each state, because a certificate issued in one country was not automatically recognized in the others. This led to significant financial and administrative burdens. There was an international mutual recognition agreement, the SOG-IS MRA (Senior Officials Group Information Systems Security Mutual Recognition Agreement), but it covered only some EU Member States and only Common Criteria certifications.
Certification according to the EU Cybersecurity Act
This changed with the EU Cybersecurity Act (Regulation (EU) 2019/881), which entered into force in June 2019; the provisions on national certification authorities and conformity assessment bodies apply from 28 June 2021. The regulation establishes a European framework for the cybersecurity certification of ICT products, services, and processes and sets out the rules and principles for developing certification schemes. Under this framework, schemes adopted by the European Commission (on the basis of candidate schemes prepared by ENISA) ensure that certificates recognized across the EU are issued according to approved processes.
Each certification scheme specifies the technical and organizational measures needed to achieve certification in a specific cybersecurity area, and the assurance level(s) it offers. The Act defines three assurance levels: "basic", "substantial", and "high". At the "basic" level a scheme may allow the manufacturer or provider to issue an EU statement of conformity based on self-assessment instead of a third-party certificate.
Certificates are issued by conformity assessment bodies accredited in each Member State; certificates at assurance level "high" are issued by the national cybersecurity certification authority, or by a conformity assessment body under its prior approval or general delegation.
The certificate is valid across all EU Member States, so a company needs to obtain certification for a product or service in only one country. Certification is voluntary unless Union or national law makes it mandatory, but it is an effective way to demonstrate a defined level of ICT product and process security and to support regulatory compliance.
Timeline of the EU Cybersecurity Act adoption
Current certification schemes
EUCC (European Common Criteria-based Certification Scheme)
Based on the international Common Criteria standard (ISO/IEC 15408) and its evaluation methodology (ISO/IEC 18045), this scheme certifies ICT products at the assurance levels "substantial" and "high". It was adopted by the Commission in January 2024 (Implementing Regulation (EU) 2024/482) and is so far the only scheme adopted under the Act. Certificates are valid for up to five years and can be renewed.
EUCS (European Cybersecurity Certification Scheme for Cloud Services)
A candidate scheme prepared by ENISA for certifying cloud services of various types; it has not yet been adopted by the Commission.
EU5G
A candidate scheme, also still in preparation, intended to cover security requirements for 5G network infrastructure and services.
Certification for managed security services
The Act originally covered only ICT products, services, and processes; an amendment extends it to managed security services, so that services such as incident response, penetration testing, security audits, and consulting can be certified under a future scheme.
In the coming years, additional certification schemes are expected to be adopted, each recognized across all EU Member States. Apart from the schemes under the EU Cybersecurity Act, companies can also obtain other globally recognized certifications, such as ISO/IEC 27001 (information security management systems), the broader ISO 9001 (quality management systems), or Common Criteria certification issued outside the EUCC framework.