The European Cybersecurity Scheme on Common Criteria (EUCC) is the first systematic approach to cybersecurity certification. The criteria for the certification scheme have been drafted by the European Union Agency for Cyber Security (ENISA) and now need to be implemented in the member states – the necessary implementing legislation has recently been published. “The EUCC enables manufacturers to monitor the IT security of products such as technology components, hardware and software against a standard and analyse them for vulnerabilities. It also paves the way for manufacturers to implement the upcoming requirements of the Cyber Resilience Act (CRA). The Common Criteria’s goal of increasing the security of new IT products and devices with digital elements in the EU’s internal market also helps in the implementation of upcoming regulations such as the Cyber Resilience Act”, said Jan Wendenburg, CEO of ONEKEY. According to the EUCC, manufacturers must actively monitor the vulnerabilities of their products and perform a vulnerability impact analysis in accordance with Article 33.
Technology platform for automated impact assessment
When implementing the requirements, companies will need external support to carry out the risk analysis in a professional manner and to be certified accordingly. “In view of the major changes and the increased responsibility that manufacturers of digital systems and devices have today, automation is an important aspect of the implementation of the EUCC obligations. We have build ONEKEY’s analysis platform for automated CVE (Common Vulnerabilities and Exposures) impact assessment and can use this automation to reduce companies’ vulnerability impact assessment efforts by up to 50 percent,” adds Jan Wendenburg of ONEKEY. The Duesseldorf-based company operates a product cybersecurity & compliance analysis platform. In addition to an exact listing of all software and firmware components as a Software Bill of Materials (SBOM), ONEKEY enables a detailed analysis with risk assessment of possible known and unknown vulnerabilities of all devices and systems with digital elements. ONEKEY automatically checks and identifies critical security vulnerabilities and compliance violations in embedded software, especially in Internet of Things devices, and monitors and manages them throughout the product lifecycle.
EU certification framework for cybersecurity
ENISA’s executive director, Juhan Lepassaar, also stresses the importance of the Common Criteria (EUCC): It is part of the “jigsaw puzzle of the EU cybersecurity certification framework” currently under construction. “The Common Criteria framework paves the way for the future. The sooner manufacturers and distributors of products with digital elements get to grips with it, analyse the risks and eliminate vulnerabilities, the easier it will be to move towards a future where systems and devices do not contain undetected security risks and hidden software,” summarises ONEKEY CEO Jan Wendenburg. In addition to automated CVE impact assessment, the ONEKEY platform also supports the other processes required to comply with the Cybersecurity Act. Interested parties are invited to a demonstration of the automated impact assessment: https://onekey.com/demo/