Key elements of the new EU cybersecurity certification framework

• Importantly, the framework creates a mechanism to establish European cybersecurity certification schemes based on existing European or international standards.  The regulation recognizes that the certification schemes “should be non-discriminatory and based on European or international standards.”
• The schemes will be implemented and supervised by national cybersecurity certification authorities.  Certification schemes operated by industry or other private organizations fall outside of the scope of the regulation, but may be proposed and approved as formal European cybersecurity certification schemes.
• New schemes will replace existing national certification schemes – with the exception of schemes for national security purposes – and certificates should be recognized throughout the Union.  This is in order to avoid companies, for example, having to certify to multiple national schemes in order to participate in national procurement procedures.  (The regulation recognizes that existing mutual recognition of certificates within the Union have only been partly successful.)  Once a certification scheme is adopted, manufacturers of relevant products, services and processes should be able to submit an application for certification to a conformity assessment body of their choice anywhere in the Union.  Certificates issued under schemes also should be valid and recognized throughout the Union.
• The schemes and certificates issued under the schemes may specify different assurance levels: ‘basic’, ‘substantial’ or ‘high.’  Assurance levels are intended to be commensurate with the level of risk associated with the intended use of the ICT product, service or process “in terms of the probability and impact of an incident.” Security requirements corresponding to each assurance level are intended to reflect the “rigour and depth of the evaluation” of the ICT product, service or process.
• In addition to more formal certification, certification schemes may provide for “conformity self-assessment.”  However, conformity self-assessment is only for low complexity ICT products, services or processes that present a low risk to the public and correspond to assurance level ‘basic.’
• The new certification schemes initially will be voluntary.  That said, the Commission is required to evaluate by 2023 whether specific schemes should become mandatory for certain ICT products, services or processes.
• EU Member States will establish penalties for infringing European cybersecurity certification schemes.  Penalties must be “effective, proportionate and dissuasive.”

> leroux (Community Champion) posted a new topic in Industry News on 03-16-2019

> On March 12,The EU Parliament  passed into law its new Information and
> Communication Technology cybersecurity certification, also known as the
> Cybersecurity Act, which will enable EU nations to monitor the cyber resilience
> of Network and information systems and telecommunications networks and services
> sold and operated within their juridictions

Some years back, a group attempted to assess the resilience of networks and
utilities in the US. Apparently, the US has laws which prevent the utilities from
cooperating with such an assessment ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
That ball of shiny blue/Houses everybody anybody ever knew
- `ISS (Is Somebody Singing)' http://is.gd/3cO943
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB