Welcome to part two of our series covering the planned amendments to the NIS2 Directive. In the first part, we provided an overview of the suggested changes to NIS2. Now, we will look at the cybersecurity certification that could make NIS2 compliance much easier for many companies.
Proposals on new cybersecurity certification schemes are set out in the revised EU Cybersecurity Act, which was proposed at the same time as the changes to NIS2. The EU Cybersecurity Act aims to increase and unify cybersecurity capabilities across the EU digital single market and sets out the mandate of the European Union Agency for Cybersecurity (ENISA).
The new cybersecurity certification is two-fold. Member states can oblige certain essential or important entities to obtain a certification. For other essential or important entities, obtaining a cybersecurity certification is voluntary. The idea for those entities is to reduce the cost of compliance with NIS2 and other EU laws that have security requirements, and to make it simpler to demonstrate compliance.
The certification will be offered to attest to the following:
- The ICT products, ICT services and ICT processes that have been evaluated comply with specified security requirements in relation to data or the functions or services offered by those products, services or processes.
- The managed security services that have been evaluated comply with specified security requirements in relation to data, and those services are provided by competent staff.
- The cyber posture of an entity that has been evaluated complies with specified cybersecurity requirements.
Cybersecurity certification is proposed to reflect varying levels of assurance: ‘basic’, ‘substantial’, or ‘high’. Companies will be able to obtain the certification for ‘basic’ conformity via self-assessment, whereas other types of certification will be issued by accredited conformity assessment bodies (these may include national cybersecurity certification authorities).
- ‘Basic’ means the security controls in place are at a level intended to minimise the known basic risks of incidents and cyberattacks. It is suitable for ICT products, ICT services, ICT processes, managed security services, or the cyber posture of entities that are of low complexity, that present a low risk and that have a simple design or simple production mechanisms.
- A ‘substantial’ level of assurance means security controls are at a level intended to minimise the known risk of incidents and cyberattacks, and the risk of cyberattacks by actors with limited skills and resources.
- A ‘high’ level of assurance means security controls are at a level intended to minimise the risk of incidents and state-of-the-art cyberattacks by actors with significant skills and resources.
- Users are encouraged to obtain the certification commensurate with the level of risk associated with the use of the services or products, or with the nature of the entity subject to certification.
Obtaining a cybersecurity certification would enable entities to provide evidence of their adherence to mandatory security measures, build trust with customers and elevate organisation-wide security standards. Essential entities with a cybersecurity certificate may be exempt from targeted security audits under NIS2.
Organisations with a cybersecurity certificate will issue an EU statement of conformity demonstrating compliance with the requirements of the certification scheme. Such a statement of conformity must also be filed with a designated national cybersecurity certification authority and ENISA. Organisations will need to pay fees for the maintenance of each cybersecurity scheme. National cybersecurity certification authorities will monitor and enforce the obligations of certified organisations.
ENISA must conduct public consultations before publishing any cybersecurity certification scheme. Generally, the focus of each certification is expected to be on security controls and procedures in place, including the following:
- Security by design and default for ICT products, ICT services, and ICT processes
- Provision of managed security services by competent staff
- Measures to protect data against accidental or unauthorised storage, processing, access or disclosure
- Access control
- Keeping logs to monitor access and modification of data, services, or functions
- Monitoring and fixing vulnerabilities, and facilitating the sharing of information about vulnerabilities
- Ensuring availability of services and functions, including after an incident, through resilience and mitigation measures against denial-of-service attacks
- Internal processes in place to ensure services are provided at an appropriate level of quality
- Processes in place to detect and respond to incidents and recover from them
- Ability to ensure the continued provision of services
- Secure processing of personal data.
Manufacturers of ICT products, ICT services, and ICT processes may be required to provide their users with supplementary information, in electronic form, about the secure configuration, installation, deployment and operation of their products or services.
The European Commission presented the amendment to the Cybersecurity Act in the form of a regulation, and thus, once the draft is agreed, the new legal requirements will be directly applicable in Member States. The certification schemes will be harmonised with national cybersecurity schemes and will also allow for international recognition based on the equivalence principle.
ENISA will be responsible for running the certification schemes and developing the technical specifications for them. ENISA will run a dedicated website on the EU cybersecurity schemes describing the technical specifications relevant to a specific certification scheme. The website will also list certificates and statements of conformity that are no longer valid, suspended, withdrawn or expired.