On December 22, 2020, the European Union Agency for Cybersecurity (“ENISA”) published a draft scheme for cloud services (see press release here and scheme here). Cloud services that meet the security requirements of the scheme will be able to obtain a certification attesting their level of cybersecurity. The draft scheme is available for public consultation until February 7, 2021.

The draft scheme sets out criteria that apply to the design and implementation of cloud services, including their security features and the essential processes used throughout their lifecycle. It supports three assurance levels: “basic”, “substantial”, and “high”. And it allows the cloud industry to define dedicated requirements for specific areas of application (e.g., health and transport). The draft scheme explicitly states that it does not aim to verify compliance with the EU General Data Protection Regulation.

The draft scheme is based on the CSP-CERT Working Group recommendations issued in June 2019 and the international standards ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017 mentioned in those recommendations. The definition of the assurance levels relies some concepts defined in the ISO/IEC 15408-3 standard, while the conformity assessment methodology is based on the ISO/IEC 17065 international standard.

The draft scheme also relies significantly on the German C5 scheme and French SecNumCloud scheme. The draft scheme sets out the conditions for transforming a certification under these German and French schemes into an EU certification. Under the EU Cybersecurity Act, national schemes that are covered by an EU certification scheme cease to have effect from the date the final EU scheme is adopted although the European Commission and the relevant EU Member States (i.e., Germany and France) may adopt a one-year transition period. In time, the EU certification scheme will thus replace the German and French schemes. Existing certificates issued under the French and German schemes will remain valid until their expiry date.

The draft scheme is the second cybersecurity certification scheme issued by ENISA. The first scheme, published in June 2020, was the Common Criteria Based European Cybersecurity Certification Scheme, which aims to replace the existing schemes operating under the SOG-IS MRA for ICT products.