On December 22, 2020, the European Union Agency for Cybersecurity (“ENISA”) published a draft cybersecurity certification scheme for cloud services (see ENISA’s press release and the draft scheme itself). Cloud services that meet the security requirements of the scheme will be able to obtain a certification attesting to their level of cybersecurity. The draft scheme is open for public consultation until February 7, 2021.

The draft scheme sets out criteria that apply to the design and implementation of cloud services, including their security features and the essential processes used throughout their lifecycle. It supports three assurance levels: “basic”, “substantial”, and “high”. And it allows the cloud industry to define dedicated requirements for specific areas of application (e.g., health and transport). The draft scheme explicitly states that it does not aim to verify compliance with the EU General Data Protection Regulation.

The draft scheme is based on the CSP-CERT Working Group recommendations issued in June 2019 and on the international standards ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27017 referenced in those recommendations. The definition of the assurance levels relies on concepts defined in the ISO/IEC 15408-3 standard, while the conformity assessment methodology is based on the ISO/IEC 17065 international standard.

The draft scheme also relies significantly on the German C5 scheme and the French SecNumCloud scheme, and sets out the conditions for converting a certification obtained under those national schemes into an EU certification. Under the EU Cybersecurity Act, national schemes that are covered by an EU certification scheme cease to have effect from the date the final EU scheme is adopted, although the European Commission and the relevant EU Member States (i.e., Germany and France) may agree on a one-year transition period. In time, the EU certification scheme will thus replace the German and French schemes. Existing certificates issued under the French and German schemes will remain valid until their expiry date.

The draft scheme is the second cybersecurity certification scheme issued by ENISA. The first scheme, published in June 2020, was the Common Criteria Based European Cybersecurity Certification Scheme, which aims to replace the existing schemes operating under the SOG-IS MRA for ICT products.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Sophia Oberschelp de Meneses

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital Fairness Act, turning legal requirements into practical, business-friendly solutions.

In data protection, I support tailored GDPR compliance, international data transfers, and privacy-conscious marketing. On cybersecurity, I guide clients through risk assessments, incident response, and evolving laws such as NIS2 and the Cyber Resilience Act. Regarding consumer protection, I advise on existing laws to help businesses revise their terms and conditions for compliance and review online interfaces to ensure all mandatory consumer information is clearly provided, tackling issues like dark patterns and unfair contract clauses.

Fluent in multiple languages and experienced across borders, I’m passionate about helping clients embed compliance into their operations and thrive in the fast-changing digital landscape.