
EU Cybersecurity Certification Framework

As our lives are dominated by digital products and online connectivity, cybersecurity is a critical concern for regulators, consumers and businesses across the European Union (EU).

The introduction of the EU Cybersecurity Certification Framework is a pivotal development in the efforts to improve the digital economy’s resilience against cyber threats.

This initiative is instrumental in enhancing the security of information and communication technology (ICT) products, services, and processes, while also aiming to harmonize cybersecurity standards across member states.

The EU Cybersecurity Certification Framework is designed to cover a broad spectrum of ICT products, services, and processes. Its scope is wide-ranging, aimed at ensuring a high level of cybersecurity across various digital domains.

The certification categorizes products and services into different levels based on the risk associated with their use. These levels—basic, substantial, and high—correlate with the severity and probability of risks that entities might face, requiring different degrees of security measures.

Products such as cloud services, IoT devices, and software, along with processes and services that manage or process data, fall under the purview of this certification.

For businesses, understanding the certification’s scope is crucial. It identifies which products or services need certification and clarifies the requirements for compliance.

This clarity helps businesses align their cybersecurity practices with EU standards, allowing them to participate in the European market.

Technologies and Devices Impacted:

Below is a non-exhaustive list of technologies that will be impacted by this regulation:

  1. Cloud Computing Services: Public, private, and hybrid cloud services.
  2. Internet of Things (IoT) Devices: Smart home devices, wearables, industrial IoT systems.
  3. Network Infrastructure: Routers, switches, and firewalls.
  4. Operating Systems: Both for personal computers and mobile devices.
  5. Encryption Software: Tools for data protection and privacy.
  6. Data Processing Solutions: Big data analytics platforms and services.
  7. Mobile Applications: Apps with access to sensitive user data.
  8. Enterprise Resource Planning (ERP) Systems: Software that manages business processes.
  9. Supply Chain Management Software: Systems for tracking and managing supply chains.
  10. Telecommunications Equipment: Devices and infrastructure for communication services.
  11. Digital Payment Systems: Online payment platforms and mobile payment services.
  12. Identity Verification Services: Biometric systems and digital ID verification solutions.
  13. Healthcare Devices: Medical devices connected to networks, eHealth services.
  14. Automotive Systems: Connected vehicles, including software for autonomous driving.
  15. Aerospace Technologies: Aircraft and satellite communication systems.
  16. Energy Systems: Smart grid technologies and renewable energy management systems.
  17. Financial Technologies (FinTech): Blockchain, cryptocurrencies, and banking software.
  18. Educational Technologies (EdTech): Online learning platforms and educational software.
  19. Gaming and Entertainment: Online gaming platforms and streaming services.
  20. Cybersecurity Products: Antivirus software, intrusion detection systems.

Businesses and Sectors Impacted:

Again, below is a non-exhaustive list of sectors impacted by this new legislation:

  • IT and Telecom Companies: Providers of internet, telecommunication services, and network infrastructure.
  • Financial Services: Banks, insurance companies, and fintech startups.
  • Healthcare Sector: Hospitals, clinics, and companies manufacturing or providing digital health solutions.
  • Manufacturing Industry: Businesses involved in the production of goods, especially those utilizing IoT for industrial automation.
  • Retail and E-commerce: Online retailers and physical stores with digital payment systems.
  • Energy Sector: Companies in the production, distribution, and management of energy, particularly those involved in smart grid technologies.
  • Transport and Logistics: Airlines, automotive manufacturers, and companies providing logistics services through digital platforms.
  • Government and Public Services: Government agencies and public sector entities that manage or store sensitive data.
  • Education Sector: Institutions and companies offering digital learning materials and platforms.
  • Entertainment and Media: Online media, gaming companies, and digital content providers.

Certification Process:

Certification under the EU Cybersecurity Certification Framework is obtained through a multi-step process of evaluation and certification by authorized bodies, leading to the issuance of an EU Cybersecurity Certification (EUCC) certificate. Here’s an overview of how certification is obtained:

  1. Application for Certification: Applicants must provide all necessary, complete, and correct information to the certification body and the Information Technology Security Evaluation Facilities (ITSEF).
  2. Conditions for Issuance of an EUCC Certificate: Certification bodies will issue an EUCC certificate if several conditions are met, including:
    • The ICT product category falls within the scope of the accreditation of the certification body and ITSEF involved.
    • The applicant has signed a statement undertaking all listed commitments.
    • The ITSEF concludes the evaluation without objection.
    • The certification body verifies that the evaluation technical reports are consistent with the evidence provided and that the standards, criteria, and methods have been correctly applied.
  3. Content and Format of an EUCC Certificate: An EUCC certificate will include information such as:
    • A unique identifier established by the issuing certification body.
    • Details about the certified ICT product or protection profile and the holder of the certificate, including the name, type, version, and contact information.
    • Information related to the evaluation and certification of the ICT product or protection profile, including the names and contact information of the certification body and ITSEF, the responsible national cybersecurity certification authority, the applicable assurance level, and the standards used for evaluation.
    • The mark and label associated with the certificate.

This structured process ensures that the EUCC certificate serves as a tangible proof of compliance with the EU Cybersecurity Certification Framework, instilling trust among consumers and businesses regarding the security of certified ICT products and services.

Marking and Labeling

The holder of a certificate may affix a mark and label to a certified ICT product, demonstrating that it has been certified according to the regulation. The mark and label must be affixed visibly, legibly, and indelibly to the certified product, its packaging, or accompanying documents. In the case of software, the mark and label should appear in the accompanying documentation or be made easily accessible to users via a website.

Below is a mockup of the label.
