Cybersecurity has become a topic of high importance for a variety of stakeholders, including businesses and countries. To help raise the bar in cybersecurity maturity in the EU, a regulation on cybersecurity certification, known as the Cybersecurity Act (or CSA), has been fully in force since June 2021.
The CSA sets a European framework aiming to harmonize at EU level the parameters (e.g., the rules, requirements, standards and procedures) that apply to risk-based cybersecurity certification schemes for ICT products, ICT services and ICT processes. The CSA introduces three assurance levels – ‘basic’, ‘substantial’ and ‘high’ – in cybersecurity certification, going from low risk to higher risk scenarios. In the same context, Europe’s agency for cybersecurity, ENISA, is tasked with drafting certification schemes on specific topics at one or more of these assurance levels. To facilitate the adoption of good cybersecurity practices and their expansion throughout the digital single market, a certificate in the CSA framework obtained in one Member State shall be automatically recognized across the entire European Union.
Until now, preparing for and obtaining a certification required considerable effort from organizations. In an attempt to make CSA certification at level ‘basic’ more manageable for ICT market players, and SMEs in particular, three partners from Luxembourg ran the European project CORAL. CORAL stands for cybersecurity Certification based On Risk evALuation and treatment. The project came to an end on October 31st, 2023, after having produced several practical tools that support the basic-level cybersecurity certification process.
CORAL was a three-year project co-financed by the Connecting Europe Facility of the European Union (EU). The three partners involved from Luxembourg were the Luxembourg House of Cybersecurity, ILNAS, and the ANEC GIE. CORAL aimed at addressing basic-level cybersecurity certification in the context of the CSA, and was, to the best of our knowledge, the first EU project in Luxembourg to focus on the topic.
The project had the primary objective of putting together a process to help make CSA certification concretely achievable for market actors operating in low-risk scenarios, which typically have fewer resources devoted to cybersecurity. Thus, CORAL first put together a companion methodology for CSA certification schemes that address the basic level of cybersecurity assurance. It suggested an approach and a toolset based on existing official criteria to assess the cybersecurity maturity of any ICT service, product or process. Following this assessment, an organization can evaluate its security posture with a view towards positioning itself as a candidate for CSA certification at the basic assurance level, once official CSA certification schemes are launched by the European Union. At the moment, two draft schemes exist that have yet to be activated via European Commission implementing acts:
- The EUCC, covering ICT products in general, at assurance levels ‘substantial’ and ‘high’. Since the EUCC does not target ‘basic’ assurance, it is not in the scope of the CORAL framework;
- The EUCS, covering cloud services, at assurance levels ‘basic’, ‘substantial’, and ‘high’. The ‘basic’ level requirements of this scheme place it in the scope of CORAL.
Note that a third scheme on 5G is currently in development and that additional topics for schemes are under consideration.
The CORAL toolset, composed of a series of security questionnaires, an online tool, as well as an overall framework, addresses two main categories of users:
- SMEs who intend to assess the level of cybersecurity maturity of their proposed ICT product, ICT service or ICT process, eventually aiming to obtain a CSA certification at level ‘basic’, and
- Auditors working on behalf of conformity assessment bodies competent to deliver certifications against the EU schemes described above, and who can perform the audit based on the answers given in the tool questionnaires.
The CORAL questionnaires are themselves based on well-known information security resources: international or European standards, internationally recognized good practices, and draft CSA scheme requirements, in an effort to keep the CORAL methodology flexible enough to be aligned with existing and future CSA schemes. Concretely, the main outcome of the project, the CORAL Fit4CSA tool, is available online on a dedicated open-source platform and can already be used.
Among the other resources that the project proposes, one can also find an auditor profile, rooted in ENISA’s Cybersecurity Skills Framework, that can be useful for the development of frameworks on competence requirements for CSA basic-level certification auditors. There are also two videos that can be consulted: one giving an overview of the project itself, and one specifically dedicated to describing the existing standards that are relevant in the frame of the CSA, which gives organizations pointers regarding all three levels of assurance. Finally, the project also explored the impact the CSA is likely to have on related forthcoming European legislation, where CORAL might be of service, and the role that Computer Security Incident Response Teams could have in the CSA certification lifecycle.
The project held a closing event which took place in the context of the Cybersecurity Week in October 2023 at the premises of the LHC in Luxembourg and featured presentations from ENISA and the Ministry of Economy, in addition to those from the project partners. The CORAL consortium would be happy to receive your thoughts on the project’s tools and approach, whether you are a consumer, an SME or a larger organization with an interest in demonstrating your cybersecurity trustworthiness. Any feedback related to the CORAL project and tool can be shared via this email address: [email protected].
Note that in Luxembourg, ILNAS has been appointed as the National Cybersecurity Certification Authority in charge of supervision activities. Enquiries regarding the CSA in general can be addressed to ILNAS via the email [email protected]. ILNAS is also Luxembourg’s national standards body, which national market actors can contact at [email protected] to get involved in standardization activities, for example in relation to the technical standards supporting the CSA. Finally, in its role as the national cybersecurity agency of Luxembourg, the LHC provides a wealth of open-source tools, awareness raising events and general guidance in the cybersecurity maturity assessment phase for small and medium-sized organizations.
For more information about the project and the tool, please feel free to consult:
The contents of this publication are the sole responsibility of ILNAS and ANEC G.I.E. and do not necessarily reflect the opinion of the European Union.