The promulgation on 27 June 2019 of the European Cybersecurity Act effectively reinforces the mandate of ENISA, enabling the agency to take on increased responsibilities and resources, and offer better support to Member States as regards tackling cybersecurity threats and attacks. The Act also establishes an EU framework for cybersecurity certification across the full gamut of ICT products, processes and services throughout the EU, and also for skills training for cybersecurity professionals.
In a statement released on 26 June, ENISA Executive Director Udo Helmbrecht welcomed the 'reinforced role' of ENISA in the European cybersecurity ecosystem and said the organisation would be preparing 'European cybersecurity certification schemes' that will serve as the basis for certification of ICT products, processes and services. The candidate schemes, prepared by ENISA with the cooperation of national certification authorities and industry experts, will be submitted to the European Commission for adoption.
Since the establishment of the Public-Private Partnership on cybersecurity in 2016, the European Cybersecurity Organisation (ECSO) has been working on increasing the understanding of needs, requirements and challenges in terms of standardisation and certification. ECSO members include large companies, SMEs, research centres and universities, end-users, operators, clusters and associations as well as local, regional and national administrations of European Member States. ECSO's recently published State-of-the-Art (SOTA) Syllabus of certification schemes and standards contains a full analysis of existing cybersecurity standards and schemes for security professionals.
Upcoming publications from ECSO include guidelines and best practices for evaluating items to be certified and criteria to be considered in establishing a harmonised definition of cybersecurity certification schemes.