Cyber resilience and the future EU Cybersecurity Certification Framework

By Khalimatou Samirah

Ireland builds its capabilities for the EU Cybersecurity Certification Framework.

Cybercrime has raised increasing concern over the last few years and continues to be an issue for the security of organisations and states. Governments around the world are responding to this issue, and within the European Union (EU) the Cybersecurity Act 2019 was adopted. This regulation sets out a framework for cybersecurity certifications that will be recognised throughout the EU, to increase trust in ICT products, processes, and services.

The Cybersecurity Act also strengthens the role of the European Network and Information Security Agency (ENISA), which develops schemes upon request from the EU Commission, covering different types of ICT products, processes, or services, such as the EU Cloud Services (EUCS) scheme for cloud services. It is probable that schemes will be mandated for certain categories of products or services. According to the new rules, vendors in the EU will have to certify these products or services before placing them on the EU market.

At national level within the EU states, it will be necessary to appoint or establish entities to meet obligations under the Cybersecurity Act 2019 and the Cybersecurity Certification Framework. These entities include Conformity Assessment Bodies (CABs), National Cybersecurity Certification Authorities (NCCAs) and National Accreditation Bodies (NABs), each assuming different responsibilities.

In 2020, the National Standards Authority of Ireland (NSAI) and a consortium of European partners were successful in securing funding under the Connecting Europe Facility (CEF) Telecom Work Programme in order to develop capabilities as a CAB under the EU Cybersecurity Act. The project, entitled “Advancing Cybersecurity Certification Capabilities with Cross-border exchange and Enhancing (business) Flows” (A4CEF), ran from July 2021 to June 2023 and has enhanced NSAI’s capabilities in the provision of new cybersecurity service offerings, including certification of cloud products and services. An Advisory Committee provided regular oversight from a technical perspective. The technical Advisory Committee included the Irish Government Chief Information Officer, Cyber Ireland, IDA Ireland, ICT Skillnet and other key organisations.

The activities of the project involved:

  • Training and cross-border exchange between Ireland, France, and Cyprus,
  • Pilot certifications involving SMEs in Ireland and Cyprus in accordance with EUCS – CLOUD SERVICES SCHEME – DECEMBER 2020,
  • The development of process flows covering the cybersecurity certification framework from A to Z, which can be used as a basis for the development of an IT system to support efficient cybersecurity certifications as envisaged by the Cybersecurity Act and the EU schemes.

This initiative provided an opportunity for NSAI and Ireland to develop their capabilities in cybersecurity, moving into a rapidly growing technology area and keeping Ireland relevant in the future as a leading ICT player in Europe. Having a strong cybersecurity accreditation and certification infrastructure would be strategically important for Ireland and for the EU, particularly given the considerable number of cloud data centres in Ireland that are used by many EU businesses and citizens. However, it is important that an appropriate model is established for Ireland, one that would help build national capabilities and capacity in a key area of cyber infrastructure. For further information please see