As set out in Regulation (EU) 2019/881, the EU cybersecurity certification framework lays down the procedure for the creation of EU cybersecurity certification schemes, covering ICT products, services and processes. Each scheme will specify one or more level(s) of assurance (basic, substantial or high), on the basis of the level of risk associated with the envisioned use of the product, service or process.

The European Union Agency for Cybersecurity (ENISA) has opened a public consultation for interested parties to share feedback on the draft of the candidate European Union Cybersecurity Certification Scheme on Cloud Services (EUCS). The outcome of this consultation will be processed and shared with the public. The consultation wa closed on February 2021.

The scheme aims to further improve the Union’s internal market conditions for cloud services by enhancing and streamlining their cybersecurity guarantees. The draft EUCS candidate scheme intends to harmonise the security of cloud services with EU regulations, international standards, best industrial practices, as well as with existing certifications in EU Member States.

The diverse set of market players, complex systems and constantly evolving landscape of cloud services, along with different schemes in Member States, pose challenges to the certification of cloud services. The draft EUCS candidate scheme tackles these challenges by calling for cybersecurity best practices across three levels of assurance and by allowing for a transition from current national schemes in the EU. By defining a security baseline for every assurance level, the draft EUCS candidate scheme is a horizontal and technological scheme that intends to provide cybersecurity assurance throughout the cloud supply chain, and form a sound basis for sectoral schemes.

More specifically, the draft EUCS candidate scheme:

• Is a voluntary scheme;
• The scheme’s certificates will be applicable across the EU Member States;
• Is applicable for all kinds of cloud services – IaaS, PaaS, SaaS, and other cloud services;
• Boosts trust in cloud services by defining a reference set of security requirements;
• Covers three assurance levels: ‘Basic’, ‘Substantial’ and ‘High’;
• Proposes a new approach inspired by existing national schemes and international standards;
• Defines a transition path from national schemes in the EU;
• Grants a three-year certification that can be renewed;
• Includes transparency requirements such as the location of data processing and storage.