
ENISA Methodology for a Sectoral Cybersecurity Assessment

The document describes the methodology for sectoral cybersecurity assessments in the context of drafting sectoral cybersecurity certification schemes which address ICT infrastructures and services in individual market sectors.


date:  04/10/2021


Cybersecurity certification under the European Union Cybersecurity Act (CSA) is intended to increase trust and security for European consumers and businesses and help to achieve a genuine digital single market.

This requires that all relevant levels of the ICT market, from sectoral ICT services and systems via ICT infrastructures to ICT products and ICT processes, are addressed and that the related cybersecurity certification schemes are well accepted by the market. The CSA stipulates specific requirements that target efficiency and coherence between schemes of the CSA’s cybersecurity certification framework. These requirements include:

  • The security and assurance requirements for ICT services, ICT processes or ICT
    products should be defined based on the risk associated with their intended use.
  • Assurance levels should be implemented consistently across schemes.
  • Support for security-by-design.

The methodology for sectoral cybersecurity assessments described in this document (hereinafter called SCSA Methodology) addresses these objectives in the context of drafting sectoral cybersecurity certification schemes, which address ICT services in individual market sectors. It is designed to be used as a preparatory step for the definition of a candidate scheme involving sectoral stakeholders.

The version of the methodology described in this document is sufficiently mature to allow a first practical use in drafting sectoral cybersecurity certification schemes. Experience gained from this first deployment should be used to improve and consolidate the methodology.
In summary, the proposed methodology not only supports the workflow of drafting the CSA cybersecurity scheme but also offers potential for broader use by sectors and providers of infrastructure.
