The European Union Agency for Cybersecurity (‘ENISA’) has published two reports on the standards that will underpin the new Cybersecurity Certification Framework created by the Cybersecurity Act.
The Cybersecurity Act, Regulation (EU) 2019/881, entered into force on 27 June 2019 and empowers ENISA to support the establishment of a Cybersecurity Certification Framework that will introduce cybersecurity certification schemes applicable across the European Union (‘EU’). The framework is intended to remove barriers in the European Single Market and will include rules, technical requirements, procedures and standards for a common, EU-wide, risk-based approach to certification.
In this light, ENISA has published two reports on standardisation in support of the Cybersecurity Act and the Cybersecurity Certification Framework. The Report on Standardisation in Support of the Cybersecurity Certification sets out the role of Standardisation Developing Organisations (‘SDOs’), proposes a step-by-step methodology that could be used when drawing up new certification schemes, and highlights the importance of standardisation in creating such schemes. The report also defines Key Performance Indicators (‘KPIs’) to track this process both while a scheme is being created and once it is in operation.
The Report on Standards Supporting Certification analyses the existing standards in five areas that already have frameworks, schemes or standards in place which could be relevant to the proposed certification schemes, identifies any gaps, and suggests how those gaps could be closed. The five areas are the Internet of Things (IoT), cloud infrastructure and services, threat intelligence in the financial sector, electronic health records, and qualified trust service providers. The report then identifies potential products that could be certified under a future scheme; in the IoT area, for example, smart home devices are identified as candidates for certification.