A new cybersecurity scheme for the certification of ICT products in Europe

EUCC covers the certification of ICT products based on the Common Criteria, and it is also the foundation of a new European cybersecurity certification framework. The latter will consist of several schemes expected to gradually increase trust in ICT products available on the EU markets. The creation of the EUCC is a significant milestone at the European level.


What is EUCC? 

Prepared by the European Union Agency for Cybersecurity (ENISA), EUCC is the first candidate scheme published under the Cybersecurity Act (CSA), which proposes the creation of a common European framework for the certification of "cyber secure" ICT products and services. EUCC is based on Common Criteria and aims to replace the current national certification schemes also based on Common Criteria. It will be a successor to the existing schemes operating under the SOG-IS MRA (Senior Officials Group Information Systems Security Mutual Recognition Agreement).

The scope of EUCC will be the security certification of ICT products that do not belong to any other scheme. Soon, ENISA is expected to publish specific schemes as well for certain technologies or markets, like IoT, cloud services, or mobile communications. 


Benefits of EUCC certification

This new certification framework is expected to gradually increase trust in ICT products and services available in the EU. The scheme can serve as the certification of many types of generic and industry-specific ICT products. As such, it is more of a horizontal scheme. Users of the scheme may establish Protection Profiles to express their security requirements. Similar cybersecurity schemes recognized by the European Commission provide an ecosystem in which IT security laboratories, private companies, and public administrations can operate when certifying their ICT products within Europe. Old certificates can be converted to the new scheme. The cybersecurity certification is voluntary.


Evaluation and certification

The evaluations and certifications will be performed by conformity assessment bodies accredited by their national accreditation body. The assessments will be conducted by accredited laboratories, so-called IT Security Evaluation Facilities (ITSEF), internal or external to the corresponding certification body. 

The scheme will cover the assessment of vulnerabilities in cryptographic implementations of ICT products. Evaluations will be based on the following standards:

  • Common Criteria (CC) for Information Technology Security Evaluation, under the applicable ISO/IEC 15408 version.
  • Common Methodology (CEM) for Information Technology Security Evaluation, under the applicable ISO/IEC 18045 version.

The evaluations also take into consideration the supporting elements established to allow the harmonized interpretation of these standards. 

Certificates will be issued by certification bodies that must be accredited. They might differ from the national cybersecurity certification authority in some countries. 


Assurance Levels

EUCC offers the two highest assurance levels defined in the CSA: "substantial" and "high". Level "basic" has been left out of the scope of EUCC, to be covered by other future certification schemes with fewer security requirements. 

Recommendations for vendors

Organizations interested in the EUCC certification should prepare for new obligations. They should:

  • Offer a security support period to their consumers.
  • Monitor and handle their product's compliance. The assessment lab can be subcontracted for compliance monitoring and the handling of compliance in certain cases.
  • Have an online repository of publicly disclosed vulnerabilities.
  • Implement a patch management methodology: this should allow developers to release security updates to their product and ensure that the vendor can provide patches in a consistent manner. Patch management will require an SLA between the assessment lab and the vendor to enable fast recertification of vulnerable products. In this way, vendors can always keep their products patched against potential new vulnerabilities, maintaining the certification status of their products.
  • Establish closer lab cooperation: the new scheme requires closer collaboration between the vendor and the assessment lab. After certification, there may be reassessments and audits of already certified products - the products will be subject to a maintenance process in response to changes that might affect their certification status. Maintenance activities will include revision and decision by the certification body and, if necessary, re-evaluation by the laboratory.


Transition Period

EUCC recommends a 2-year transition period between the date when EUCC becomes active and the date when the current schemes based on the SOG-IS agreement become inactive. There will be no parallel issuance of EUCC and SOG-IS MRA certificates. The transition period will allow: 

  • the termination of current certification projects under the existing schemes or their smooth conversion into EUCC projects;
  • the smooth transfer of certificates that require maintenance in the long term or reuse for composite evaluations and certifications under the EUCC scheme.

During this transition period, vendors should get familiar with and adapt to the new requirements imposed by EUCC. Laboratories and certification bodies should also use this transition period to adjust their operation to the new scheme. To minimize service interruptions, ENISA creates transition guides that allow laboratories and vendors to adapt to the new conditions.


Next steps

The European Commission will use the current 1.1.1 version of the candidate scheme to draft the Implementing Act, by which the scheme becomes part of the EU legislation. Nevertheless, the EUCC ecosystem is still in the initial phase; the underlying infrastructure has not been fully established. The regulator still needs to set up the certification bodies as well as the certified evaluation laboratories. So, you can expect a brief period of uncertainty. There will be a two-year transition period before the current national SOG-IS schemes stop working. This process will be complex and require new guidelines to facilitate the transition, but the progress is unstoppable. It will soon be a reality in Europe to which we must adapt as quickly as possible.