ENISA report on standardisation in support of the cybersecurity certification

This report has been drafted by Sławomir Górniak (ENISA), Roland Atoui, Jesus Fernandez, Jean-Pierre Quemard and Martin Schaffer.

Executive summary

The EU Cybersecurity Act (CSA) has dramatically changed the domain of cybersecurity evaluation by creating a single framework that federates different evaluation schemes, harmonising cybersecurity evaluation across the EU and therefore creating a single European cybersecurity market.

The EU Cybersecurity Certification Framework makes it easier for ICT manufacturers and developers to serve the EU market. A unified certification framework across all of the EU reduces the effects that a fragmented market has on the economy. Standardisation bodies play a very important role in supporting the creation of certification schemes under this framework.

The SDOs (Standardisation Developing Organisations) will provide the standards needed to support the framework, which is to be defined by ENISA at the request of the European Commission. There is a significant risk of creating inconsistent standards focused on vertical domains, despite the fact that cybersecurity is highly transversal. There is a strong need to create horizontal standards with potential international coverage. The role of ENISA and its involvement in standardisation tasks is essential, as it creates a harmonised framework within which such standards can be developed.

Europe aims to lead the cybersecurity certification and standardisation area for ICT products, processes and services. The EU Cybersecurity Act is an opportunity to create a harmonised market for cybersecurity. It opens up a whole field of work, putting consumers and citizens at the centre of businesses' considerations, and aims to improve EU cyber resilience and response by building upon the existing instruments that SDOs provide for keeping networks and information systems secure.

In this document, we present how valuable the cybersecurity standardisation efforts could be for certification, what the roles and responsibilities of SDOs are in this context, and how standardisation can efficiently support the creation of certification schemes by following a step-by-step methodology.