ENISA published the study ‘Overview of the ICT Certification Laboratories practices in Europe’ which seeks to identify and analyse the current landscape of Information and Communication Technology (ICT) security certification laboratories within the EU Member States. In addition, the study provides a comparison to the practices used in non-EU countries.
Prof. Dr. Udo Helmbrecht, Executive Director of ENISA, stated that “the findings of this study will constitute a valuable input to the preparation of an EU-wide ICT security certification framework.”
Certification plays an important role in raising the level of trust and security in ICT products and services. As technology proliferates, expectations about security sometimes cannot be met. Therefore, certification functions as a means to help bridge this gap and give consumers the confidence they need to embrace new technology without doubt.
As a result, individual Member State initiatives have sought to set high cybersecurity requirements for ICT technologies on existing infrastructure. Although those initiatives are important because they provide guidelines for ICTs, they also increase the risk of market fragmentation and make interoperability more challenging.
The current legal framework for certification labs is structured as follows:
- General requirements defined in Regulation (EC) No 765/2008 of the European Parliament and of the Council;
- Member State level requirements from relevant accreditation bodies;
- Certification or evaluation requirements from various standards;
- Requirements emerging from international arrangements.
The study concludes that most laboratories currently operate under their respective Member State schemes. Although these schemes provide services to evaluate the security of ICT products based on an approved and unified methodology, the legal and business framework they operate in varies across countries, often reflecting the characteristics of local economies and policies of the certification lab’s home country.
By evaluating additional non-EU laboratories, the report goes one step further and identifies relevant patterns, similarities and differences.