Previous Projects: Advancing Cybersecurity Certification Across Europe
Previous Projects: Advancing Cybersecurity Certification Across Europe
In an era where cyber threats are escalating and trust in digital services is paramount, the European Union has taken decisive steps to bolster cybersecurity through the Cybersecurity Act. One of the most impactful initiatives under this framework has been the A4CEF project—Advancing Cybersecurity Certification Capabilities with Cross-border Exchange and Enhancing (business) Flows—which ran from 2021 to 2023.
Building Trust Through Certification
The Cybersecurity Act (Regulation EU 2019/881) laid the foundation for a unified EU Cybersecurity Certification Framework. This framework aims to ensure that ICT products, services, and processes meet rigorous security standards, thereby increasing trust across the EU. ENISA, the European Union Agency for Cybersecurity, has been tasked with developing certification schemes such as the EU Cloud Services (EUCS) scheme, which is central to the A4CEF project.
The A4CEF Consortium
Funded by the Connecting Europe Facility (CEF) Telecom Work Programme, A4CEF brought together partners from Ireland, Cyprus, and France:
- NSAI (National Standards Authority of Ireland)
- CCC (Certification Company of Cyprus)
- DSA (Digital Security Authority of Cyprus)
- Red Alert Labs (France)
These organizations collaborated to enhance internal capabilities, share best practices, and contribute to the development of the EUCS scheme.
Key Activities and Outcomes
1. Capability Development
NSAI conducted a gap analysis to assess its readiness as a Conformity Assessment Body (CAB). Training materials were developed and shared among partners to strengthen expertise in cloud certification.
2. Reference Model Architecture
A modular reference model was designed to streamline certification processes. It supports real-time monitoring, process optimization, and stakeholder interaction—laying the groundwork for future IT systems that will facilitate efficient certifications.
Three ISO 27001-certified Cloud Service Providers (CSPs)—two from Ireland and one from Cyprus—participated in pilot certifications:
- Basic Assurance Level: 2% compliant, 9.5% partially compliant, 84% non-compliant.
- High Assurance Level: 17% compliant, 10% partially compliant, 66% non-compliant.
These results highlighted the complexity of EUCS requirements and the need for clearer guidance and centralized platforms for evidence exchange.
Strategic Importance for Ireland
Ireland’s robust ICT sector, with nearly 50 data centers and global cloud providers like Microsoft, Oracle, and Google, underscores the strategic importance of a strong national cybersecurity certification infrastructure. A tailored model for Ireland will not only support national capabilities but also contribute to EU-wide resilience.
Recommendations
The project concluded with several key recommendations:
- Launch awareness campaigns targeting industry and government.
- Provide comprehensive training on certification processes.
- Develop centralized platforms for stakeholder collaboration.
- Explore additional certification lifecycle activities, such as vulnerability handling.
📥 For more details, the full article and process models developed during the A4CEF project will be available for download. These resources offer deeper insights into the EU Cybersecurity Certification Framework and the practical steps taken to support its implementation.