3 minute read 19 Jun 2023

Common certification – the heart of the EU cybersecurity ecosystem?

By EY Poland

Multidisciplinary professional services organization - Assurance, Consulting, Tax, Strategy & Transactions

Contributors
Kamil Pszczółkowski ,  
Dominika Kwiatkowska

Certification is essential to enhance the trust and security of key digital goods and services. Currently, certification schemes for ICT services and products exist within the EU, but without a coherent EU-wide framework, the risk of fragmentation and growing barriers between Member States will continue to increase. Therefore, it is necessary to create a harmonised approach in this area. European certification is supposed to confirm that ICT products and services certified under such a scheme comply with all required specifications. How winding will the path to a uniform certification across the Union be, and will it ultimately be possible at all?

Requirement to use certified ICT products, services and processes

The NIS2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022) states at the beginning that “For the purpose of demonstrating compliance with cybersecurity risk-management measures and in the absence of appropriate European cybersecurity certification schemes adopted in accordance with Regulation (EU) 2019/881 of the European Parliament and of the Council (Regulation (EU) 2019/881 of 17 April 2019 on ENISA and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013) (Cybersecurity Act), Member States should, in consultation with the Cooperation Group and the European Cybersecurity Certification Group, promote the use of relevant European and international standards by essential and important entities or may require entities to use certified ICT products, ICT services and ICT processes.” Further, it also specifies that the European Commission will indicate which categories of essential and important entities may be required to use certain certified ICT products, services and processes or to obtain certification based on the European cybersecurity certification system. The NIS2 Directive provides that EU Member States may require entities covered by the NIS2 Directive to be certified under the Cybersecurity Act.

The Cybersecurity Act for the first time introduces EU-wide rules for the certification of cybersecurity products, processes and services. The document was published on 7 June 2019 but had already been presented in September 2017 as part of the so-called cybersecurity package. It is the second legal act in the area of cybersecurity at the level of the entire EU, after the NIS Directive (Directive (EU) 2016/1148 of 6 July 2016). The Cybersecurity Act consists of two parts. The first creates a new permanent mandate for ENISA, whose role has been significantly strengthened. By building the technical foundation for certification schemes, ENISA will play a key role in their development and in maintaining the European cybersecurity certification framework. It will also inform the public about certification programmes and granted certificates through a dedicated website. The second part relates to the European cybersecurity certification framework for ICT products and services. This is crucial, as it changes the currently existing SOG-IS model.

EU certification scheme for cybersecurity

One of ENISA's objectives is to create an EU certification scheme for the cybersecurity of cloud services. The aim of this scheme is to further improve the conditions of the EU's internal market for cloud services by strengthening and streamlining cybersecurity guarantees for such services. It is a comprehensive set of rules, standards and procedures agreed at European level to assess the cybersecurity properties of a specific product, service or process. This scheme is part of the European Cybersecurity Certification Framework (along with general ICT and 5G security standards).

It needs to be underlined that while cybersecurity certification schemes are prepared at the EU level, the certification process itself is carried out in the individual Member States. Therefore, it is necessary to establish the relevant national authorities responsible for certification, accreditation and conformity assessment for this purpose.

The European Union has also defined its position in an innovative and, in its implications, very far-reaching provision of the Cyber Resilience Act (Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020, COM(2022) 454 final) (CRA), a new regulation that is still at the proposal stage. Article 18, par. 3 CRA states that “products with digital elements and processes put in place by the manufacturer for which an EU statement of conformity or certificate has been issued under a European cybersecurity certification scheme adopted as per Regulation (EU) 2019/881 and specified as per paragraph 4, shall be presumed to be in conformity with the essential requirements set out in Annex I in so far as the EU statement of conformity or cybersecurity certificate, or parts thereof, cover those requirements.”

Both the NIS2 Directive and several other regulations (for instance the CRA or, in general, the actions taken by ENISA) indicate certification as one of the most important elements of cybersecurity. Companies covered by the NIS2 Directive should pay particular attention to the development of certification schemes and start preparations as soon as the appropriate procedure is available. In particular, the creation of an appropriate certification system may prove to be one of the ways to reduce the costs that individual entities incur in implementing the new requirements. In addition, a single and consistent certification within the entire EU will remove the need to apply for a certificate in each country where a company plans to offer its products or services. Developing a certification system at the European level will address the current flawed approach, which does not guarantee the security of a given ICT product or service but only confirms that the certification process itself was followed.


Summary

The EU certification scheme is likely to raise the regulatory bar for telecommunications products and services, which may restrict new entities from entering and competing in the market for a certain period. It will require extensive legislation, technical specifications, standards and procedures across the EU. In addition, apart from the need to adapt to the new requirements of the NIS2 Directive, which will be a challenge in itself, especially for companies that have not been subject to the provisions of the NIS Directive, additional effort will be required to engage extra resources in building comprehensive and consistent certification schemes.
