The EU Cybersecurity Act (EU) 2019/881 (CSA) refers to the Regulation on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification.

The development and take-up of EU-wide cybersecurity certification schemes are specified in the EU Cybersecurity Act, which entered into force in 2019. The purpose of these certification schemes and of the cybersecurity certificates granted under them is to

  • harmonise the security requirements of ICT products, services and processes between different Member States
  • improve the security of products, services and processes and increase consumers’ trust in certified products
  • reduce situations in which a company must obtain several overlapping or conflicting national certificates, which also cause additional costs.

The Cybersecurity Act defines the duties and authorities of the NCCA (National Cybersecurity Certification Authority). In Finland, the party responsible for these activities is the Finnish Transport and Communications Agency Traficom, as provided for in section 304 of the Act on Electronic Communications Services (917/2014).

Certificate assurance levels: basic, substantial, high

The CSA defines three assurance levels for cybersecurity certificates. The assurance level describes the level of risk associated with the intended use of the object of certification and the depth at which the object of certification has been evaluated.

Basic: the object has been evaluated at a level intended to minimise the known basic risks of cybersecurity incidents and cyberattacks. At the basic level, the evaluation shall include at least a review of the technical documentation of the object.

Substantial: the object has been evaluated at a level intended to minimise the known cybersecurity risks, including the risk of incidents and cyberattacks carried out by actors with limited skills and resources. For a certificate at assurance level ‘substantial’, the evaluation activities shall include at least proof of the absence of publicly known vulnerabilities and testing to demonstrate that the product, service or process correctly implements the necessary security functionalities.

High: the object has been evaluated at a level intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources. At assurance level ‘high’, the minimum evaluation requirements shall include, in addition to the above, an assessment of the resistance of the product, service or process to skilled attackers, using penetration testing.

More detailed requirements for certificates at the different assurance levels are specified in the applicable certification scheme.

Mandatoriness of certification

Obtaining a cybersecurity certificate is voluntary, unless national or EU legislation has made it mandatory, for example for certain products, services or processes.

Even though obtaining a certificate is not mandatory, it is a good way to show that the security requirements have been taken into account and implemented correctly. 

Tip:

Even if you do not intend to obtain a cybersecurity certificate, learning about the security requirements of certification schemes is a good way to assess the cybersecurity maturity of your own product, service or process compared to the requirements of the certificate!

European cybersecurity certification schemes

The certification scheme describes the requirements that the different parties must meet for certification and provides more details on how compliance with the requirements is monitored.
You can find more information on the cybersecurity certification schemes that are in force, as well as those in preparation, on the Cybersecurity certification schemes page.
