ENAC is in a position to accredit laboratories in accordance with the requirements of the new European cybersecurity scheme, EUCC

The European Common Criteria-based cybersecurity certification scheme (EUCC), developed by the European Union Agency for Cybersecurity (ENISA), has become the first cybersecurity certification scheme adopted in the EU within the framework of Regulation (EU) 2019/881, popularly known as the Cybersecurity Act.

The new scheme is part of the EU's cybersecurity certification framework, aiming to raise the level of ICT cybersecurity for their products, services, and processes in the EU market. Specifically, this scheme allows suppliers in the sector who wish to demonstrate their ICT products' security, such as the technological components (chips, smart cards), hardware and software, to undergo a common EU assessment process to certify these products.

The scheme is the result of intense work carried out within ENISA where ENAC has played a leading role as an EA representation member, in particular, in putting together the documents "Accreditation of ITSEFs for the EUCC Scheme" and "Accreditation of CBs for the EUCC Scheme”.

“Since 2020, we have been working on developing this certification scheme" explains Rosalina Porres, in charge of ENAC's accreditation schemes in cybersecurity field, who has participated in this work, "firstly, in proposing what the accreditation requirements should be for laboratories carrying out product assessments within the EUCC scheme and, currently, we are still working on the requirements that will apply for certifiers”.

In addition, a few months ago at the request of the National Cryptologic Center (Centro Criptológico Nacional, CCN), ENAC launched a pilot program that has made it possible to start the assessment processes prior to the scheme being published. For this pilot programme, ENAC has worked together with the CCN, analyzing the most important changes introduced by the scheme and has created tools to help auditors in these assessments. All this work means that once the scheme is approved there will already be different assessment processes in an advanced stage, which significantly shortens the time for granting the first accreditations and will also make it easier for Spanish industry to start the scheme's assessment processes as soon as possible.

As the first EU cybersecurity certification scheme to be adopted, the EUCC is expected to pave the way for upcoming schemes that are currently being prepared, such as the EU Certification scheme on Cloud Services (EUCS) and the EU 5G certification scheme.

For more information, please contact Rosalina Porres, Head of ICT section in ENAC's Laboratories and Product Certification department.