Discover our high-level set of guidelines for certification under the EU Cybersecurity Act
25 November 2020
ECSO is excited to release this Product Certification Composition document, which serves as a high-level set of guidelines when seeking a certification by composition under the requirements defined by the EU Cybersecurity Act. The concept of composite certification is already known in the EUCC community, as is, in certain domains, the re-use of evidence within a single certification scheme.
The document addresses composition in a way that is agnostic to standards and certification schemes, targeting the value of composition to decrease time to market and certification costs while maximising assurance for multi-component products.
“Certifying each component of an ICT product separately is meaningless during integration. At the same time, certifying the whole product each time is unrealistic especially from resource and economical perspectives. This document is therefore indispensable: it supports certification stakeholders during the creation or the operation of cybersecurity certification schemes by defining the principles of the composition model. This allows independently certifying an application while relying on results of a previously certified component in a risk-based approach,” said Roland Atoui, co-chair of the ECSO SWG1.1 and one of the main editors of the Product Composition Document.
“In the context of the Cybersecurity Act and the EU future certification schemes, the availability of standardised means to reuse EU certificates is critical for cost effectiveness of the security certification and thus for the market acceptance of the schemes. The certification by composition of EU certificates will bring a significant added value to the EU certification schemes along with a consistent end to end cybersecurity,” said Boutheina Chetali, co-chair of the ECSO SWG1.1 and one of the main editors of the Product Composition Document.
“The ECSO document on composition is an important guide for the cybersecurity community. It highlights the market diversity we are inserted into and the importance of extracting all the value certification can offer to its stakeholders. It shows the importance to address certification composition in a multi-scheme context,” said Mario Jardim, co-chair of ECSO Working Group 1 on standardization, certification and supply chain management and one of the main editors of the Product Composition Document.
Stay tuned for a second document release, which is planned to build on this first paper to provide more technical details and a practical approach for scheme composition with the first European certification schemes.