On December 22, 2020, the European Union Agency for Cybersecurity (“ENISA”) published a draft scheme for cloud services (see press release here and scheme here). Cloud services that meet the security requirements of the scheme will be able to obtain a certification attesting their level of cybersecurity. The draft scheme is available for public consultation until February 7, 2021.

The draft scheme sets out criteria that apply to the design and implementation of cloud services, including their security features and the essential processes used throughout their lifecycle. It supports three assurance levels: “basic”, “substantial”, and “high”. And it allows the cloud industry to define dedicated requirements for specific areas of application (e.g., health and transport). The draft scheme explicitly states that it does not aim to verify compliance with the EU General Data Protection Regulation.

The draft scheme is based on the CSP-CERT Working Group recommendations issued in June 2019 and the international standards ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017 mentioned in those recommendations. The definition of the assurance levels relies some concepts defined in the ISO/IEC 15408-3 standard, while the conformity assessment methodology is based on the ISO/IEC 17065 international standard.

The draft scheme also relies significantly on the German C5 scheme and French SecNumCloud scheme. The draft scheme sets out the conditions for transforming a certification under these German and French schemes into an EU certification. Under the EU Cybersecurity Act, national schemes that are covered by an EU certification scheme cease to have effect from the date the final EU scheme is adopted although the European Commission and the relevant EU Member States (i.e., Germany and France) may adopt a one-year transition period. In time, the EU certification scheme will thus replace the German and French schemes. Existing certificates issued under the French and German schemes will remain valid until their expiry date.

The draft scheme is the second cybersecurity certification scheme issued by ENISA. The first scheme, published in June 2020, was the Common Criteria Based European Cybersecurity Certification Scheme, which aims to replace the existing schemes operating under the SOG-IS MRA for ICT products.

Tags: C5 Scheme, Certification Scheme, Cloud Services, Cybersecurity, ENISA, France, Germany, SecNumCloud scheme
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of…

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Read more about Kristof Van QuathemEmail
Show more Show less
Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Read more about Anna Oberschelp de MenesesEmail
Show more Show less