Understand the new European regulation on security certification
Our Product Security Evaluation Laboratory (accredited in both Common Criteria and LINCE methodologies) always tries to take care of the complexity of the certification processes, so that it becomes a much simpler task for our customers. With that approach, we will explain in this post what the European CyberSecurity Act (CSA) is and what implications it has on the Security Certification schemes.
Why is it necessary to certify product security?
It is a need to regulate, in a formal way, product evaulation processes, so that a product’s certification means something measurable and reproducible with respect to the security capabilities of the product holding the certificate. This regulation framework has been named certification scheme.
Previously to the CSA, the countries had (and still have so far) their own local certification schemes (in Spain the ENECSTI, driven by the CCN’s Certification Authority). Whithin this framework, the Laboratories conducted the product evaluations and the CCN’s Certification Authority was the only organization with attributions to issue a certificate. The need of recognizing the validity of a certificate accross countries was satisfied by the settlement of different agreements, SO-GIS and CCRA being the most relevant.
The CyberSecurity Act (CSA)
The CSA is a legal framework that regulates and unifies all security certification processes for all european countries.
Its main key points are:
- ENISA (European Agency for Cyber Security) has been appointed as the organization in charge of developing and deploying this regulation, as well as to write the security certification schemes accordingly to what is established in the CSA.
- Certification schemes: as it is not possible to globally (i.e: for all products and services) define the cybersecurity needs, requirements and objetives, specific schemes have to be defined for each group of products or processes that share the same peculiarities regarding security, always in compliance with the general framework defined in the CSA:
Up to now, the candidate schemes, ordered by deployment maturity, are:
- EUCC (Common Criteria based European cybersecurity certification scheme): it is the first defined scheme and it will be the successor of local Common Criteria schemes, operating under SO-GIS agreement. The definition of this scheme is the most mature, so it will be worth to dedicate a full post to this matter in our blog in the near future.
- Cloud Services: this scheme is still beeing defined as of the date of writing; it will regulate the certificaction of services provided in the cloud.
- Other schemes: other schemes are under construction, and they will be deployed in the short/middle term: ICSS, 5G, etc.
- New stakeholders: each scheme may determine that some certificates, depending on the assurance level, may be issued by private entities (typically evaluation facilities that have extended their accreditation accordingly). It is even possible that some schemes will allow auto-evaluation of security features, performed by the vendor itself.
It is expected that the first scheme to come into force will be EUCC, during the first half of 2021. Most probably, local schemes will mantain its presence during a co-existence period. The new role of current certification authorities is currently in the process of definition; presumably their responsibilities will evolve to the coordination, regulation and control of the organizations allowed to issue certifications as well as the certification of products with higher level of assurance.
Regarding vendors, the transition will be very smooth: it is foreseeable that certificates prior to CSA’s activation will retain its validity. Whether you need an immediate certification for your product or you are planning to certify it for the next year, Layakk is prepared to offer you Evaluation services and, depending on the assurance level, also Certification services. Our Laboratory services always comply with the principles of simplicity, high quality, honesty and best price.