Eurosmart IoT Certification Scheme

Eurosmart IoT Certification Scheme

Thanks to the dynamism of its members, Eurosmart has been launching its first pilot projects on the Eurosmart IoT device certification scheme at the level “substantial” (eIoT SCS) which has been built up to be fully compliant with the European Cybersecurity Certification Framework.

This framework as defined by the European Cybersecurity Act, enables their users to ascertain the level of security assurance (basic, substantial and high), and ensures that these security features are independently verified.

Eurosmart has been developing its own certification scheme for IoT devices with a focus on the Substantial security assurance level, based on this regulation. (view the documents)

The beta release of this scheme is open to public consultation until the end of 2019, you will find on this page the documents, a form and a table of comments. (view the comment section)

Eurosmart is also looking for CAB reviewer, CAB evaluators and pilots to test the certification scheme. (view the pilot Section)

Public Consultation Beta release – IoT Security Certification Scheme (e-IoT-SCS)

Eurosmart has been developing its own certification scheme for IoT devices with a focus on the Substantial security assurance level, based on this regulation. The beta release of this scheme is open to comments until the 8th of September 2019  you will find on this page the documents, a Formular and a table of comments.

Executive summary

The European Cybersecurity Certification Framework helps in creating a single cybersecurity market for the EU. A harmonized approach at EU level defines mechanisms that establish EU-wide cybersecurity certification schemes which assess the ICT (Internet and Communications Technology) products, ICT services and ICT processes and make sure they comply with specified security requirements.

The scope of the Eurosmart IoT Security Certification Scheme (e-IoT-SCS) is the Internet of Things (IoT) Device with a focus on the Substantial security assurance level as defined by the Cybersecurity Act. At this level of assurance, the certification is intended to minimize the risks of successful attacks commonly taking advantage of poor design in IoT devices bringing severe consequences to consumers and vendors, due to non-presence or ineffective security controls. It is indeed vital that IoT devices have security designed-in and verified-in from the outset.

Since these IoT Devices at the low end of the range may have security features constrained by cost, available processing power and performance, size, type of power source, this Certification Scheme considers the trade-off between such constraints, the risks and the cost of certification.

This Certification Scheme introduces 3 new important properties:

1. Security Profile (the “What”)

A Security Profile (SP) defines the security functional requirements and security assurance activities specific security problem definition of a type of an IoT Product/Solution (thermostat, smart cam, etc.) while considering the sensitivity of assets, the context of the operational environment and the risk factor. Its definition is a step towards an economic way of dealing with security risk analysis and security targets. It helps to scale security controls and security-related process activities in accordance to the identified risks, i.e. to spend most effort where the highest risks are. This Certification Scheme defines a methodology allowing a harmonized and quick creation of Security Profile covering the full attack surface threat model from Chip to Cloud including the Applications (Business and Mobile), Gateways, the Connectivity and the Cloud.

2. Risk-Based Evaluation (the “How”)

The evaluation activities to be undertaken within this Certification Scheme are based on a risk[1] approach and includes a review to demonstrate the absence of publicly known vulnerabilities and testing to demonstrate that IoT Devices implements the necessary security functionalities. Risk-based security evaluation is useful when an ICT product is intended to work in a complex system such as the IoT which requires numerous evaluation activities for adequate coverage in limited time.

[1] Risk itself is considered a metric that indicates the combination of the consequences of an unwanted incident with respect to an asset and the associated likelihood or estimated frequency of occurrence

3. Certification Validity (the “What if”)

Millions of IoT devices are expected to be granted certifications. These certifications must be maintained in a proper and cost-efficient way to guarantee the level of assurance and the certificate in the operational phase. This Certification Scheme defines efficient policies, processes and tools allowing IoT Service Providers, Business Lines, Risk-Owners a Decision Makers to increase their trust in certified IoT Devices.

For a higher level of assurance (level “High” as per the Cybersecurity Act), Eurosmart recommends relying on other relevant Certification Schemes addressing state of the art of attacks.

Finally, within this Certification Scheme, the Cybersecurity Act definitions supersedes over any other definition.


Eurosmart IoTsCs - Pilot release

Download the full set of documents


E-IoT-SCS Certification Scheme Process & Policy - This document defines the policies and processes that govern the IoT device certification scheme.


E-IoT-SCS Generic Protection Profile - This document is a generic representation of common security requirements on IoT devices. It is based on a security risk analysis approach of an IoT Device operating in a typical infrastructure without considering a specific type of data or a context for risk calculation. The main output of this document is a list of security goals and requirements qualifying the need to counter security threats identified on a typical IoT device


E-IoT-SCS Evaluation Methodology - Document defining the evaluation activities to be performed by an evaluator and links between them in order to conduct properly an evaluation. It lists evaluation evidences required to perform actions as defined in the security assurance requirements. It defines way to report evaluation results in Evaluation technical report and observation report. It also provides rules to define verdict and criteria of failure.


CABs Agreement - Guidelines listing the rules for setting up agreement between CABs and Certification Scheme stakeholders (e.g. other CABs – CAB reviewer, CAB evaluator, NABs, etc.)


CABs Accreditation Policy - Guidelines describing policy for CABs accreditation


Vulnerability Management, Maintenance & Continuous Assurance Policy: Document describing vulnerability management procedures and the life-cycle management of the Certificate after issuance


Mark & Certificate Usage Policy for e-IoT Certification Scheme: Document describing the procedure and conditions which govern the use of the e-IoT SUBSTANTIAL mark and certificate by IoT device vendors, CABs and end-users


The Metadata Certification Policy for e-IoT Certification Scheme: Document describing the Metadata Certification Concept and Requirements guaranteeing the relevancy and Authenticity of the Certificates.


Templates (Vendor Questionnaire, Impact Analysis Report, Security Profile, Evaluation Report, Mapping Table Concept)

Informative Annexes

A set of informative annexes complementing the e-IoT Security Certification Scheme deliverables such as the “e-IoT-SCS Candidate Certification Scheme Pre-Study – v1.0 RELEASE”, or “Risk Assessment Methodologies”.

Send you feedback

You can either provide your feedback by downloading the commenting template or by filling-in the following form (2 comments max.)

Your comment 1

your comment 2

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

with the support of

Join the Pilot
  • Interested CABs evaluator / reviewers in the pilot phase can join the pilot project by contacting Eurosmart,
  • CAB evaluator and CAB reviewer can propose products from their ecosystems ;
  • Relationship between CABs evaluator, CABs reviewers and vendors will be carried out under business confidentiality requirements. With respect to the antitrust rules, non-disclosure agreements (NDAs) should be signed amongst the partners ;
  • Eurosmart provides a certificate template to the CABs reviewer who act as if they were performing their conformity assessment activities under ISO 17065 and 17025. Therefore, private CABs will issue the certificate for the pilot phase.
  • Security profile shall be defined by the vendors/CABs though to a questionnaire.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.