Since June 2021, the Cybersecurity Act (or CSA, officially known as Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013) has been fully in force.
The CSA sets a European framework aiming to harmonize at the EU level the parameters related to the rules, requirements, standards and procedures that should apply to risk-based cybersecurity certification schemes for ICT products, ICT services and ICT processes. To this end, it introduces three assurance levels – ‘basic’, ‘substantial’ and ‘high’ – in cybersecurity certification, going from low risk to higher risk scenarios. In the same context, Europe’s agency for cybersecurity, ENISA, is tasked with drafting certification schemes on specific topics at one or more of these assurance levels. Crucially, a certificate in the CSA framework obtained in one Member State shall be automatically recognized across the entire European Union. The CORAL project is an attempt to make CSA certification at basic level more manageable for ICT market players.
CORAL is a three-year project co-financed by the Connecting Europe Facility of the European Union (EU) involving three partners from Luxembourg: the Luxembourg House of Cybersecurity, ILNAS, and the ANEC GIE. CORAL – which stands for cybersecurity Certification based On Risk evALuation and treatment – aims at addressing basic-level cybersecurity certification in the context of the CSA, and is, to the best of our knowledge, the first EU project in Luxembourg to focus on the topic. The project has the objective of putting together a process to help make CSA certification concretely achievable for market actors in low-risk scenarios, and typically operating with less resources devoted to cybersecurity.
In this framework, CORAL places itself as a companion methodology for CSA certification schemes that address the basic level of cybersecurity assurance. It suggests an approach and a toolset based on existing official criteria to assess the cybersecurity maturity of any ICT service, product or process. Based on this assessment, an organization can position itself as a candidate for CSA certification at the basic assurance level, once official CSA certification schemes are launched by the European Union. At the moment, two draft schemes exist, that have yet to be activated via European Commission implementing acts:
- The EUCC, covering ICT products in general, at assurance levels ‘substantial’ and ‘high’. Since the EUCC does not target ‘basic’ assurance, it is not in the scope of the CORAL framework;
- The EUCS, covering cloud services, at assurance levels ‘basic’, ‘substantial’, and ‘high’. The ‘basic’ level requirements of this scheme place it in the scope of CORAL.
The CORAL toolset, composed of a series of security questionnaires as well as an overall framework, addresses two main categories of users:
- SMEs who aim to assess the level of cybersecurity maturity of their proposed ICT product, ICT service or ICT process, eventually aiming to obtain a CSA certification at level ‘basic’, and
- Auditors working on behalf of conformity assessment bodies competent to deliver certifications against the EU schemes described above, and who can perform the audit based on the answers given in the tool questionnaires.
The CORAL questionnaires are themselves based on well-known information security resources: international or European standards, internationally recognized good practices, and even draft CSA scheme requirements, in an effort to allow the CORAL methodology to be flexible enough to be aligned with existing and future CSA schemes. As for the auditor profile proposed by CORAL, it is rooted in ENISA’s Cybersecurity Skills Framework.
The CORAL tool is available online on a dedicated platform and can be already tested. We would be happy to receive your feedback on the project’s ideas, no matter whether you are a consumer, an SME or a larger organization with an interest to demonstrate your cybersecurity trustworthiness. Any feedback related to the CORAL project and tool can be shared via this email address.
Note that in Luxembourg, ILNAS has been appointed as the National Cybersecurity Certification Authority in charge of supervision activities. Enquiries regarding the CSA in general can be addressed to ILNAS via the email [email protected]. ILNAS is also Luxembourg’s national standards body, which national market actors can contact at [email protected] to get involved in standardization activities, for example in relation to the technical standards supporting the CSA. Finally, the LHC provides open-source tools and general guidance in the cybersecurity maturity assessment phase for small and medium-sized organizations.
For more information about the project and the tool, please feel free to consult: