Cybersecurity Law

30.3. European Cybersecurity Law II - Cybersecurity Act (POLČÁK)

This part is primarily about cybersecurity certification in the EU. A certification mechanism was a missing element in the logic of the EU cybersecurity regulatory framework since the adoption of the NIS Directive (or even earlier, when member states adopted their own cybersecurity laws, as the Czech Republic did).

Essential service operators and other regulated subjects had (and still have) to face considerable uncertainty when national laws laid down performance-based requirements for organizational and technical measures that were not defined in any detail. On the one hand, the broad flexibility of these rules gives essential service operators an opportunity to develop efficient and even creative solutions tailored to their specific needs. On the other hand, operators that develop such solutions lack any a priori assurance that those solutions are legally sound. As a result, a regulatory model built on performance-based rules and a compliance approach (rather than a liability approach) lacked an essential mechanism for officially backed verification of actual regulatory compliance.

In this class, we discuss the cybersecurity certification mechanism as laid down by the Cybersecurity Act. The first part of the Act is dedicated to the establishment of ENISA as the main EU agency for cybersecurity. Cybersecurity certification is legislated under Title III (from Art. 46 onwards).

The mechanism is based on cybersecurity certification schemes. These are adopted by the Commission in a procedure that is largely mediated by ENISA. We discuss the procedure and its actors in class; it is illustrated by the following diagram:

Certification itself can cover products and services, but also processes. As a result, it is possible to imagine certification schemes aimed primarily at certifying vendors and their development or deployment processes. In class, we discuss why and where this approach might be relevant. Two certification schemes are currently pending (the following link is provided only for information on the current state of play; it is not necessary to view its content):

In class, we also discuss the levels of assurance and the resulting differences in the respective certification procedures, as well as the complex institutional backing for the accreditation of conformity assessment bodies (CABs) and for certification itself. A simplified overview of these processes is also available here as a video:

Here is the presentation used in class: