February 10, 2020

The two studies relate to the standards supporting the EU Cybersecurity Act and the new EU Cybersecurity Certification Framework.

ENISA says that the EU Cybersecurity Certification Framework will make it easier for ICT manufacturers and developers to serve the EU market. A unified Cybersecurity Certification Framework across the EU will reduce the effects that a fragmented market has on the economy. To support the creation of certification schemes under this framework the role of standardisation bodies is key.

On 3 February 2020, ENISA organised a conference “Cybersecurity Standardisation and the EU Cybersecurity Act – What’s Up?” together with the European Standards Developing Organisations, CEN-CENELEC and ETSI.

The conference discussed the challenges in the standardisation landscape for cyber security in light of the EU Cybersecurity Act. The main topics were:

• the role of standardisation to support the certification framework;
• achievements in cyber security standardisation and the rolling plan of standardisation bodies;
• the first EU certification scheme: difficulties and success stories in relation to standards; and
• prospective schemes: the way ahead.

As a follow up to the conference, ENISA has published two studies.

The study on “Standardisation in support of the Cybersecurity Certification” covers the value of standards for cyber security certification and the roles and responsibilities of Standards Developing Organisations (SDOs). It also discusses various ways as to how standardisation can support efficiently the process of creating certification schemes by following a step-by-step methodology, which can be used as a guideline for new certification schemes or standards creators.

As for standardisation, the study proposes a set of recommendations for SDOs and the prospective creators of certification schemes.

The second study, “Standards Supporting Certification” explores five distinct areas, in which frameworks, schemes or standards that currently exist could be adapted into EU candidate cybersecurity certification schemes. These five areas are: (i) the Internet of Things (IoT); (ii) cloud infrastructure and services; (iii) threat intelligence in the financial sector; (iv) electronic health records in healthcare; and (v) qualified trust services.

The study reflects on the standards currently available in these five areas and identifies existing gaps. It further proposes recommendations on how the gaps can be addressed, especially by standardisation bodies, and how the available standards could potentially be adapted to form the basis of future EU cybersecurity certification schemes. To access the studies, click here.