EC Cybersecurity Certification Scheme

Updated on: Feb 13, 2024

Latest Event


  • Feb. 9, 2024 Union Rolling Work Program
  • On Feb. 9, 2024, EU CNCL issued a cover note attaching an EC staff working document (SWD) on the Union Rolling Work Program for European cybersecurity certification.
  • Delivers on the requirement of CSA Article 47(1) that "the Commission shall publish a Union rolling work program for European cybersecurity certification (the Union rolling work program)", which shall identify strategic priorities for future European cybersecurity certification schemes (section 2 of the SWD).
  • In addition, CSA Article 47(2) requires that "the Union rolling work program shall in particular include a list of ICT products, ICT services and ICT processes or categories thereof that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme" (section 3 of the SWD).
  • More generally, Title III of the CSA lays down the European framework for the establishment of voluntary European cybersecurity certification schemes.
  • These schemes aim to ensure an adequate level of cybersecurity for ICT products, services and processes in the European Union, and to reduce fragmentation of the internal market.
  • In Sep. 2024, EC issued consultation on list of cybersecurity documents, see #226948.

On Jan. 31, 2024, EC adopted rules on cybersecurity certification scheme.

  • EC adopted Implementing Regulation C(2024)560 on the application of CSA Reg 2019/881 as regards the EUCC.
  • Follows EU ENISA Mar. 2023 launched cybersecurity certification mini-site, #166781.
  • Follows EP and EU CNCL Jun. 2019 issued CSA Reg 2019/881 of Apr. 17, see #44208.
  • Overview
  • Reg specifies the roles, rules, obligations and structure of the European Common Criteria-based cybersecurity certification scheme (EUCC), in line with CSA Reg 2019/881.
  • EUCC builds on the Mutual Recognition Agreement (MRA) of Information Technology Security Certificates of the Senior Officials Group Information Systems Security (SOG-IS), which uses the Common Criteria, including the group's procedures and documents.
  • The scheme should be based on established international standards.
  • Common Criteria is the international standard for IT security evaluation, published as ISO/IEC 15408 (Information security, cybersecurity and privacy protection: Evaluation criteria for IT security).
  • Certification relies on third-party evaluation; Common Criteria defines seven Evaluation Assurance Levels (EAL1 to EAL7), and the EUCC maps evaluations onto the CSA assurance levels "substantial" and "high" according to the vulnerability assessment (AVA_VAN) level reached.
  • Common Criteria is accompanied by the Common Evaluation Methodology, published as ISO/IEC 18045 (Information security, cybersecurity and privacy protection: Evaluation criteria for IT security, Methodology for IT security evaluation).
  • Specifications and documents applying the provisions of this regulation may refer to a publicly available standard that mirrors the standard used for certification under the reg, such as the Common Criteria for Information Technology Security Evaluation and the Common Methodology for Information Technology Security Evaluation.
  • Under Common Criteria, certification is carried out against a security target, which defines the ICT product's security problem and the security objectives addressing that problem.
  • The security problem describes the intended use of the ICT product and the risks associated with that use; a selected set of security requirements responds to both the security problem and the security objectives of the ICT product. Further explanation is given in the preamble.
  • Other Aspects
  • States that ENISA should publish a list of certified protection profiles on its cybersecurity certification website and indicate their status, in accordance with Reg 2019/881.
  • Also sets out conditions for mutual recognition agreements with third countries.
  • Such agreements may be bilateral or multilateral and should replace similar arrangements currently in place.
  • To facilitate a smooth transition to such mutual recognition agreements, Member States may continue existing cooperation arrangements with third countries for a limited period.
  • Effectiveness
  • Regulation enters into force on the 20th day after publication in the EU Official Journal.
  • It applies 12 months after entry into force; the requirements of Chapter IV and Annex V need no transition period and so apply from entry into force.
  • Measures provided for in the regulation are consistent with the opinion of the European Cybersecurity Certification Committee established by Article 66 of the CSA Reg.
  • Feb. 7, 2024 Official Journal
  • On Feb. 7, 2024, EU CMSN published final Implementing Reg 2024/482 of Jan. 31 in the Official Journal.
  • Regulation entered into force on the 20th day following publication in the OJ, i.e. Feb. 27, 2024.
  • It applies from Feb. 27, 2025; Chapter IV and Annex V apply from Feb. 27, 2024.
Regulators
EU CMSN
Entity Types
Corp
Reference
PR, 2/9/2024; PR, 6382/24, SWD(2024) 38 final, 2/7/2024; OJ L, 2/7/2024; PR, Reg 2024/482, C(2024)560, 1/31/2024; CSA Reg 2019/881; Citation: CSA Reg 2019/881; C(2024)560; Reg 2024/482;
Functions
Compliance; Cyber; Legal; Product Design; Risk; Technology; Treasury
Countries
European Union
Category
State
N/A
Products
Corporate
Rule Type
Final
Regions
EMEA
Rule Date
Jan 31, 2024
Effective Date
Feb 27, 2025
Rule ID
199792
Linked to
Reg. Last Update
Feb 9, 2024
Report Section
EU