The European Union Agency for Cybersecurity (ENISA) is in the final stages of its development of the European Cybersecurity Certification Scheme for Cloud Services, with the formal contribution set to be sent to the European Commission in Q2 2022.
Speaking to CS Hub as part of the Government and Critical Infrastructure Digital Summit, Eric Vétillard, lead certification expert at ENISA, discusses how harmonization was a key focus for the cloud certification scheme.
Harmonization
According to Vétillard, a lot of EU member states consider cloud services in particular “important and highly sensitive”.
“This means that there are many certifications, or at least assessment, schemes. There are [certification schemes] in place in France, Germany and the Netherlands that are very formal and there are other less formal things happening in nations like Spain and Italy of which cloud is part of a larger framework,” Vétillard explained.
“One of the key issues here is harmonization. Today a cloud vendor needs to get some kind of assessment done in some but not all European countries. This is resource intensive and it doesn’t help in terms of having similar expectations and interoperability between member states,” he added.
The harmonization element of the scheme may not be directly linked to cyber security itself, but Vétillard explains that it allows cloud service providers to allocate resources to the security of their services rather than to compliance with up to 27 different schemes across the EU member states.
In addition, the scheme will result in member states having a single agreement on what constitutes a secure cloud service.
“It is really streamlining everything that has naturally developed as cloud has evolved,” Vétillard says.
To keep pace with ongoing technological developments within cloud services, the certification aims to be technology neutral.
Government and critical infrastructure
“The first objective is to ensure that…governments and sensitive industries like critical infrastructure have the tools they need to verify their suppliers in terms of the quality of their cloud services,” Vétillard says.
“I would love [the certification scheme] to be adopted further later, but I would say that it’s not the top priority at the beginning.”
ENISA launched a public consultation for the scheme between 22 December 2020 and 7 February 2021.