
TITLE III – Cybersecurity certification network (Art. 46-65)

Art. 54 CSA - Elements of European cybersecurity certification schemes

  1. A European cybersecurity certification scheme shall include at least the following elements:
    1. the subject matter and scope of the certification scheme, including the type or categories of ICT products, ICT services and ICT processes covered;
    2. a clear description of the purpose of the scheme and of how the selected standards, evaluation methods and assurance levels correspond to the needs of the intended users of the scheme;
    3. references to the international, European or national standards applied in the evaluation or, where such standards are not available or appropriate, to technical specifications that meet the requirements set out in Annex II to Regulation (EU) No 1025/2012 or, if such specifications are not available, to technical specifications or other cybersecurity requirements defined in the European cybersecurity certification scheme;
    4. where applicable, one or more assurance levels;
    5. an indication of whether conformity self-assessment is permitted under the scheme;
    6. where applicable, specific or additional requirements to which conformity assessment bodies are subject in order to guarantee their technical competence to evaluate the cybersecurity requirements;
    7. the specific evaluation criteria and methods to be used, including types of evaluation, in order to demonstrate that the security objectives referred to in Article 51 are achieved;
    8. where applicable, the information which is necessary for certification and which is to be supplied or otherwise be made available to the conformity assessment bodies by an applicant;
    9. where the scheme provides for marks or labels, the conditions under which such marks or labels may be used;
    10. rules for monitoring compliance of ICT products, ICT services and ICT processes with the requirements of the European cybersecurity certificates or the EU statements of conformity, including mechanisms to demonstrate continued compliance with the specified cybersecurity requirements;
    11. where applicable, the conditions for issuing, maintaining, continuing and renewing the European cybersecurity certificates, as well as the conditions for extending or reducing the scope of certification;
    12. rules concerning the consequences for ICT products, ICT services and ICT processes that have been certified or for which an EU statement of conformity has been issued, but which do not comply with the requirements of the scheme;
    13. rules concerning how previously undetected cybersecurity vulnerabilities in ICT products, ICT services and ICT processes are to be reported and dealt with;
    14. where applicable, rules concerning the retention of records by conformity assessment bodies;
    15. the identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products, ICT services and ICT processes, security requirements, evaluation criteria and methods, and assurance levels;
    16. the content and the format of the European cybersecurity certificates and the EU statements of conformity to be issued;
    17. the period of the availability of the EU statement of conformity, technical documentation, and all other relevant information to be made available by the manufacturer or provider of ICT products, ICT services or ICT processes;
    18. maximum period of validity of European cybersecurity certificates issued under the scheme;
    19. disclosure policy for European cybersecurity certificates issued, amended or withdrawn under the scheme;
    20. conditions for the mutual recognition of certification schemes with third countries;
    21. where applicable, rules concerning any peer assessment mechanism established by the scheme for the authorities or bodies issuing European cybersecurity certificates for assurance level ‘high’ pursuant to Article 56(6). Such mechanism shall be without prejudice to the peer review provided for in Article 59;
    22. format and procedures to be followed by manufacturers or providers of ICT products, ICT services or ICT processes in supplying and updating the supplementary cybersecurity information in accordance with Article 55.
  2. The specified requirements of the European cybersecurity certification scheme shall be consistent with any applicable legal requirements, in particular requirements emanating from harmonised Union law.
  3. Where a specific Union legal act so provides, a certificate or an EU statement of conformity issued under a European cybersecurity certification scheme may be used to demonstrate the presumption of conformity with requirements of that legal act.
  4. In the absence of harmonised Union law, Member State law may also provide that a European cybersecurity certification scheme may be used for establishing the presumption of conformity with legal requirements.
Related

Recital 74

The provisions of this Regulation should be without prejudice to Union law providing specific rules on the certification of ICT products, ICT services and ICT processes. In particular, Regulation (EU) 2016/679 lays down provisions for the establishment of certification mechanisms and of data protection seals and marks, for the purpose of demonstrating the compliance of processing operations by controllers and processors with that Regulation. Such certification mechanisms and data protection seals and marks should allow data subjects to quickly assess the level of data protection of the relevant ICT products, ICT services and ICT processes. This Regulation is without prejudice to the certification of data processing operations under Regulation (EU) 2016/679, including when such operations are embedded in ICT products, ICT services and ICT processes.

Recital 76

The technical specifications to be used in European cybersecurity certification schemes should respect the requirements set out in Annex II to Regulation (EU) No 1025/2012 of the European Parliament and of the Council (19). Some deviations from those requirements could, however, be considered to be necessary in duly justified cases where those technical specifications are to be used in a European cybersecurity certification scheme referring to assurance level ‘high’. The reasons for such deviations should be made publicly available.

Recital 84

The Commission should prepare, with the support of the European Cybersecurity Certification Group (the ‘ECCG’) and the Stakeholder Cybersecurity Certification Group and after an open and wide consultation, a Union rolling work programme for European cybersecurity certification schemes and should publish it in the form of a non-binding instrument. The Union rolling work programme should be a strategic document that allows industry, national authorities and standardisation bodies, in particular, to prepare in advance for future European cybersecurity certification schemes. The Union rolling work programme should include a multiannual overview of the requests for candidate schemes which the Commission intends to submit to ENISA for preparation on the basis of specific grounds. The Commission should take into account the Union rolling work programme while preparing its Rolling Plan for ICT Standardisation and standardisation requests to European standardisation organisations. In light of the rapid introduction and uptake of new technologies, the emergence of previously unknown cybersecurity risks, and legislative and market developments, the Commission or the ECCG should be entitled to request ENISA to prepare candidate schemes which have not been included in the Union rolling work programme. In such cases, the Commission and the ECCG should also assess the necessity of such a request, taking into account the overall aims and objectives of this Regulation and the need to ensure continuity as regards ENISA’s planning and use of resources.

Following such a request, ENISA should prepare the candidate schemes for specific ICT products, ICT services and ICT processes without undue delay. The Commission should evaluate the positive and negative impact of its request on the specific market in question, especially its impact on SMEs, on innovation, on barriers to entry to that market and on costs to end users. The Commission, on the basis of the candidate scheme prepared by ENISA, should be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives laid down in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject matter, scope and functioning of the individual scheme. Those elements should include, among other things, the scope and object of the cybersecurity certification, including the categories of ICT products, ICT services and ICT processes covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended assurance level (‘basic’, ‘substantial’ or ‘high’) and the evaluation levels where applicable. ENISA should be able to refuse a request by the ECCG. Such decisions should be taken by the Management Board and should be duly reasoned.

Recital 96

European cybersecurity certification schemes should take into account current software and hardware development methods and, in particular, the impact of frequent software or firmware updates on individual European cybersecurity certificates. European cybersecurity certification schemes should specify the conditions under which an update may require that an ICT product, ICT service or ICT process be recertified or that the scope of a specific European cybersecurity certificate be reduced, taking into account any possible adverse effects of the update on compliance with the security requirements of that certificate.

Recital 105

In order to further facilitate trade, and recognising that ICT supply chains are global, mutual recognition agreements concerning European cybersecurity certificates may be concluded by the Union in accordance with Article 218 of the Treaty on the Functioning of the European Union (TFEU). The Commission, taking into account the advice from ENISA and the European Cybersecurity Certification Group, may recommend the opening of relevant negotiations. Each European cybersecurity certification scheme should provide specific conditions for such mutual recognition agreements with third countries.
