European and International standards supporting Cybersecurity in the world as well as the Cybersecurity Act in Europe

Check out the latest CEN European Standards, CENELEC European Standards and ISO/IEC standards (International standards) covering Cybersecurity, Information Security and Privacy Protection on a single page at Genorma.com.

Genorma.com has created a single page covering the topic of cybersecurity, Standards are classified by the following subjects:

• Cybersecurity
• Requirements for the competence of it security testing and evaluation laboratories
• Information security, cybersecurity and privacy protection
• Evaluation criteria for IT security
• Security techniques
• IoT security and privacy
• Information security management systems
• New concepts and changes in ISO/IEC 15408:2022 and ISO/IEC 18045:2022
• Guidelines for information security management systems auditing
• Verification of cryptographic protocols
• Fixed-time cybersecurity evaluation methodology for ICT products
• Security evaluation standard for IoT platforms
• Supplier relationships

It also provides sector applications of cybersecurity, such as road vehicles, health informatics, railway, maritime or nuclear:

• Health informatics - device interoperability
• Road vehicles — guidelines for auditing cybersecurity engineering
• Road vehicles — cybersecurity engineering
• Road vehicles — safety and cybersecurity for automated driving systems
• Railway applications - cybersecurity
• Maritime navigation and radiocommunication equipment and systems - cybersecurity
• Nuclear power plants - instrumentation, control and electrical power systems - cybersecurity requirements
• Nuclear power plants - instrumentation and control systems - requirements for coordinating safety and cybersecurity

Even if most of the above standards are not directly cited in the EU Cybersecurity Act or related implementing legal acts, such as draft legislation that intends to establish an 'European Common Criteria-based cybersecurity certification scheme (EUCC), they can support companies to meeting the cybersecurity requirements.

For instance, the scheme should be based on established international standards. Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is an international standard for computer security evaluation. It is based on third party evaluation and envisages seven Evaluation Assurance Levels (‘EAL’). The Common Criteria is accompanied by the Common Methodology for Information Technology Security Evaluation.

A certification body should be accredited in accordance with standard ISO/IEC 17065 by the national accreditation body for assurance level ‘substantial’ and ‘high’. In addition to the accreditation in accordance with Regulation (EC) No 765/2008, conformity assessment bodies should meet specific requirements in order to guarantee their technical competence for the evaluation of cybersecurity requirements under assurance level ‘high’ of the EUCC, which is confirmed by an ‘authorisation’. To support the authorisation process, ENISA should develop and maintain guidance and publish it after endorsement by the European Cybersecurity Certification Group.

The technical competence of an ITSEF should be assessed through the accreditation of the testing laboratory in accordance with ISO/IEC 17025 and complemented by ISO/IEC 23532-1 for the full set of evaluation activities that are relevant to the assurance level and specified in ISO/IEC 18045 in conjunction with ISO/IEC 15408. Both the certification body and the ITSEF should establish and maintain an appropriate competence management system for personnel that draws from ISO/IEC 19896-1 for the elements and levels of competence and for the appraisal of competence. For the level of knowledge, skills, experience and education, the applicable requirements for the evaluators should be drawn from ISO/IEC 19896-3. Equivalent provisions and measures dealing with deviations from such competence management systems should be demonstrated, in line with the system’s objectives.

The holder of an EUCC certificate should implement necessary vulnerability management procedures and ensure that those procedures are embedded in their organisation. When becoming aware of a potential vulnerability, the holder of the EUCC certificate should perform a vulnerability analysis. Where the vulnerability analysis confirms that the vulnerability can be exploited, the certificate holder should send a report of the assessment to the certification body which should in turn inform the national cybersecurity certification authority. The report should inform about the impact of the vulnerability, the necessary changes or remedial solutions that are required including possible broader implications of the vulnerability as well as remedial solutions for other products. Where necessary, the standard EN ISO/IEC 29147 should supplement the procedure for the vulnerability disclosure.

For the purposes of this Regulation, the following definitions shall apply: - ‘Common Criteria’ mean the Common Criteria for Information Technology Security Evaluation, as set out in ISO standard EN ISO/IEC 15408; - ‘Common Evaluation Methodology’ means the Common Methodology for Information Technology Security Evaluation, as set out in ISO standard EN ISO/IEC 18045;