Mandatory cybersecurity certification requirements coming of age in the EU

webinar

Author(s)/Presenter(s):

Miguel Banon

Library Content Type

Presentation

Abstract

EU legislative initiatives have in the past led the global market on market-relevant aspects of privacy and data protection. Recent and upcoming initiatives are now shaping the EU market on cybersecurity requirements for products, services and processes, where compliance is to be demonstrated by certification based on standards.

On one side, the Cybersecurity Act (2019) set the framework for defining EU-wide certification schemes, and three such schemes are currently being developed by ENISA, the EU Agency for Cybersecurity: EUCC (for ICT products), EU5G (for 5G products) and EUCS (for cloud services). On the other side, the NIS2 proposal sets the hook for national strategies that are to secure critical infrastructures to define requirements for the supply chain, and to use such schemes to demonstrate compliance. Other initiatives, like the recently announced EU Cyber Resilience Act, will bring a similar approach to the full EU market, not just the critical infrastructures. Industry-driven standardization initiatives have proven very successful in the past at providing such legislative initiatives with a solid body of work to reference. For the EUCC, for example, the payment sector and the digital identities sector were able to develop a comprehensive set of industry-agreed technical standards that are the basis of the high assurance certification in the EUCC. For the mobile communication sector, GSMA and 3GPP developed the NESAS certification scheme, which is currently under analysis for consideration as a building block of the EU5G.

This presentation provides an overview of cybersecurity certification, analyses these scenarios in more detail, and concludes with a call to keyboards for SNIA to pioneer and lead the development of certifiable cybersecurity technical standards to shape the secure storage market.