Certification: the crucial connection between NIS2 and the Cybersecurity ACT

In today's interconnected world, where digital goods and services play an integral role in our lives and business, the need for robust cybersecurity measures has never been more evident. In this blog I will address a practical perspective on the topic of cybersecurity certification and related developments to consider moving forward.

Boosting the overall level of cybersecurity with the new NIS2 directive – as EU-wide legislation – is the talk of the town in the cybersecurity world. A lot of blogs and papers have been written about this topic, but rarely I get an answer on the “What do I have the do?”-question.  In this blog I will address a more practical perspective on the topic of certification and relevant developments to consider moving forward

As individuals, businesses, and governments continue to rely on technology for communication, commerce, and critical operations, the assurance of safety and reliability is paramount. This is where certification steps in as a powerful tool for enhancing trust and security in the Digital realm.

Understanding Certification in Cybersecurity

Certification in the context of cybersecurity refers to the process of subjecting digital products, systems, or services to a rigorous evaluation by independent third-party organizations. The goal is to determine whether these entities meet predefined security standards and requirements. This evaluation often involves comprehensive testing, assessment, and audits to ensure that vulnerabilities are identified and addressed.

Certification serves as a beacon of trust for users, signaling that the certified digital entity has undergone meticulous scrutiny and has met or exceeds industry-recognized security benchmarks.

Here are some key aspects highlighting the symbiotic relationship between certification and cybersecurity:

What is the NIS2 directive saying about certified ICT products, services and processes?

The NIS2 Directive (article 21) states that “For the purpose of demonstrating compliance with cybersecurity risk-management measures and in the absence of appropriate European cybersecurity certification schemes adopted in accordance with Regulation (EU) 2019/881 …, Member States should, in consultation with the Cooperation Group and the European Cybersecurity Certification Group, promote the use of relevant European and international standards by essential and important entities or may require entities to use certified ICT products, ICT services and ICT processes.”

Furthermore it states that “Member States “may require” essential and important entities to certify certain ICT products using a European certification scheme”

The Center of Cybersecurity Belgium has published a CyberFundamentals framework  with specific audit objectives. This tool can help and advice companies to raise awareness about their resilience level right away.

The CyberFundamentals Framework is a set of concrete measures to protect data, significantly reduce the risk of the most common cyber-attacks and increase an organization’s cyber resilience.

The framework is based on and linked with NIST CSF, ISO 27001 / ISO 27002, CIS Controls and IEC 62443four as the most commonly used cybersecurity frameworks.

The EU Cybersecurity Act

This act introduces an EU-wide cybersecurity certification framework for ICT products, services and processes. Companies doing business in / with the EU will benefit from having to certify their ICT products, processes and services only once and see their certificates recognized across the European Union.

For this purpose ENISA (European Union For Cybersecurity) has been appointed, by the EU cybersecurity ACT, to develop Cybersecurity certification schemes.

A EU cybersecurity certification scheme is a comprehensive set of rules, technical cybersecurity requirements, standards and evaluation procedures, defined at the EU level and applying to the certification of specific ICT products, services or processes. The certificate attests that an ICT product, process or service has been certified in accordance with such a scheme and that it complies with the specified cybersecurity requirements and rules. Certification is performed by a Conformity Assessment Body (CAB), which can audit and/or test and/or certify. All certificates will be published by ENISA on a dedicated website.

Depending on the potential cybersecurity risks associated with the intended use of the ICT solution to be certified, a different cybersecurity level can be chosen. Each EU scheme indicates if the certification is possible for an assurance level ‘basic’, ‘substantial’ or ‘high’

Currently, there are three EU Cybersecurity certification schemes under development:

• One scheme, covering ICT products  and called “EUCC”, is almost ready. It is based on an existing international scheme called “Common Criteria”.
• There is a second scheme covering cloud services (this is the “EUCS” scheme) and a third one on 5G networks (“EU5G”).

National cybersecurity certification authority

For those in need to attain a European cybersecurity certificate, individuals or entities must adhere to the stipulated criteria of the cybersecurity frameworks. The process involves either drafting a declaration of conformity or seeking certification from a conformity assessment body (CAB) or the designated national cybersecurity certification authority (NCCA). In Belgium the Center of Cybersecurity Belgium (CCB) has been appointed as the Authority for Certification of Cybersecurity (NCCA), therefor the CBB is expanded with a Certification team (CCB-Certification) that will provide guidance and support to Belgian companies in the EU cybersecurity certification process.

Conclusion

Companies which are in scope of the NIS2 Directive should pay a particular attention to the development of certification schemes and start preparations as soon as the appropriate procedure is available.

I can imagine that after reading all this complex and perhaps boring information, you must be a bit lost. Don’t worry as CGI can help you find your way (faster). Our accredited international cybersecurity labs have a proven track record in preparing lots of systems and software for certification, so just reach out to us.

Working for a long time now in this domain with both government and industry bodies we’ve come to understand the use and challenges of these frameworks also utilising a wider variety of tooling and checklists in the field, working with relevant technology partners to support our clients in both (asset) discovery and identification of vulnerabilities and advise in appropriate mitigation efforts. This is where the rubber meets to road so to say as we build experience in various industry domains transforming operations to become more resilient.