Common Criteria and the EU Cybersecurity Act
The European Union (EU) is stepping up its efforts to keep its citizens safe
21 June 2022
The Cybersecurity Act, REGULATION (EU) 2019/881 of 17 April 2019, is operational. The Act mandates the European Union Agency for Cybersecurity (ENISA) to be the focal point for many aspects of cybersecurity. Amongst many tasks, ENISA is the reference point for advice and expertise on preventing and mitigating cyber threats and should, amongst other things, support the development and enhancement of national and Union computer security incident response teams ('CSIRTs').
While ENISA has been around since 2004, things are evolving, and the Cybersecurity Act (CSA) has significantly increased both its mandate and its scope. The CSA introduces several EU-wide cybersecurity certification frameworks for ICT products, services, and processes. ENISA is responsible for putting this into action, and the first one out is the Common Criteria-based European cybersecurity certification scheme (EUCC). In the EU we believe in standardisation and in reusing existing standards if they are any good. The common understanding is that Common Criteria (CC) has proven particularly efficient over the last two decades in Europe for the certification of chips and smartcards, e.g., making passports more trustworthy. In recent years, CC has also been frequently used for the evaluation and certification of the cybersecurity of ICT software products.
Why establish the new EUCC when there are already existing CC schemes in several of the EU member states cooperating under the SOG-IS MRA? And, furthermore, there is the Common Criteria Recognition Arrangement (CCRA).
The answer is: because of shortcomings in acceptance and licence recognition between the different countries, and, for the EU specifically, because only a few of the member states are part of any CC arrangement. With the new EUCC, the ambition is to contribute significantly to strengthening the cybersecurity posture and, at the same time, to make EUCC certificates valid and available throughout the member states. The ambition is, of course, also to cooperate effectively internationally.
Will the CSA and CC be a success? We don't know yet. It will be routinely evaluated and assessed, as will ENISA. In its favour, there are a few significant developments going on that push the work forward.
On December 16, 2020, the European Commission announced the new EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient. This new strategy is a key component of Shaping Europe's digital future, the Recovery plan for Europe, and the European Security Union. The same year, the EU provided an unprecedented response to the coronavirus crisis that hit Europe and the world. On top of the EU's 2021-2027 long-term budget, an extra EUR 806.9 billion (EUR 750 billion in 2018 prices) was put through NextGenerationEU, a temporary instrument to power the recovery, e.g., the Recovery plan for Europe.
These initiatives bring extra focus to building a strong and resilient base for modern technology, not only within the EU but also for the entire world, which will benefit from and make use of the CSA as well as CC.
Bring it on!
Common Criteria Lab Manager
Joakim Mark has been in the IT industry since the early 1990s, working in and with both the private and public sectors in various roles covering IT and information security, IT architecture, service delivery, IT operations and more. Joakim currently manages the Intertek Common Criteria lab in Kista, Sweden.