European cybersecurity labels are coming. Who's signed up?

Scheme will pave the way for upcoming certification schemes: EUCS on cloud services and EU5G on 5G security

The European Union has launched a cybersecurity labelling scheme for hardware, software and other IT services – with the EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, describing it this week as “a milestone towards a trusted EU digital single market.”

The certification scheme grew out of the 2019 Cybersecurity Act. It is entirely voluntary and does not yet have any early adopters, but follows a scheme that has seen over 1,300 products and services approved.

The cybersecurity certification scheme on Common Criteria (EUCC) is expected to pave the way for two more upcoming certification schemes: EUCS on cloud services and EU5G on 5G security. (Ed: Because where Europe lags on innovation, it loves to lead on acronyms and new rules.)

The voluntary EUCC scheme allows ICT suppliers who wish to showcase proof of assurance to go through a commonly understood EU assessment process to certify ICT products such as technological components (chips, smartcards), hardware and software.

The scheme is based on the existing SOG-IS Common Criteria evaluation framework already used across 17 EU Member States. It proposes two levels of assurance based on the level of risk associated with the intended use of the product or service, in terms of the probability and impact of an incident.

The framework lists security functional requirements and security assurance requirements for the products in question. Under the scheme, products can be evaluated by independent, licensed laboratories, with the expectation that the existing signatories to the similarly voluntary Common Criteria technical agreement will recognise the certification.

Despite this being a voluntary certification process, the European Union Agency for Cybersecurity (ENISA) has noted an increase in the number of certified ICT products in the five years up to 2022. An ENISA spokesperson told The Stack that as the new EU-wide certification scheme was in its first transitional year, no recent adoption statistics were available.

"The scheme will be voluntary, but certificates will ease access to procurement for public administration use and offer a great business opportunity for other vendors to access awarding authorities," they said.

"More effective recognition in global markets provides more opportunities to European vendors. For consumers, the cybersecurity criteria assessed through certification will become more transparent through marks and labels," the spokesperson added. 

ENISA said that “Vendors will be able to convert their existing SOG-IS certificates into EUCC ones after assessing their solutions against added or updated requirements as specified in the EUCC” – the European Commission meanwhile has also proposed an amendment to the Cybersecurity Act that foresees a scheme for MSSPs.
