What are the main key ideas?
Roles of the Cybersecurity Act
The European cybersecurity certification framework identifies several roles, defined as follows:
- National Cybersecurity Certification Authority (NCCA): each Member State designates one national authority to carry out the supervisory tasks of the Cybersecurity Act. Its mission is defined in Article 58.
- European Cybersecurity Certification Group (ECCG): this group represents all Member States. Its mission is defined in Article 62.
- Stakeholder Cybersecurity Certification Group (SCCG): this group represents the private sector, conformity assessment bodies, standardisation organisations, accreditation bodies, data protection authorities, universities and consumer associations. Its mission is defined in Article 22.
- Conformity Assessment Body (CAB): a body that performs conformity assessment services (including certification and evaluation). A Member State may have several CABs. CABs must be accredited in accordance with Regulation (EU) No 765/2008.
- National Accreditation Body (NAB): the single body per Member State in charge of accreditation; in France, COFRAC is the NAB.
Adoption of a European certification scheme
The regulation details a process to adopt the future European certification schemes.
Five main steps are necessary:
- The Union Rolling Work Programme (URWP): the Commission defines a schedule for the future schemes after consulting the ECCG and the SCCG.
- The request: the Commission (or, in justified cases, the ECCG) requests ENISA to prepare a candidate scheme on the basis of the URWP.
- The draft scheme: ENISA prepares a draft scheme by creating an ad hoc working group (bringing together experts and representatives of the ECCG).
- The technical review: once the draft is prepared, the ECCG gives an opinion on it.
- The validation: the scheme is delivered to the Commission to be adopted as an implementing act.
Assurance levels of a European scheme
Each scheme can define one or more assurance levels.
The certification process and its assessment methods vary with the assurance level.
By default, three assurance levels are defined in the regulation:
- Assurance level Basic:
  - This level is intended for assessing widely used components (for instance, Internet of Things devices);
  - By default, this level allows self-assessment (issuance of a statement of conformity) by the manufacturer or provider of ICT products, ICT services or ICT processes (but a scheme can require certification instead).
- Assurance level Substantial:
  - This level aims to minimise known cybersecurity risks, which can be of interest to insurers for their risk management.
  - This level relies on an assessment performed by a CAB, which issues the certificate.
- Assurance level High:
  - This level is intended for products, services or processes that must minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources.
  - This level adds to the Substantial level penetration testing performed by a third party.
  - The certificate is issued by an NCCA, which is responsible for the technical skills required for the penetration testing activity.