Unlock the Power of Online Signature Legitimateness for Sick Leave Policy in European Union
- Quick to start
- Easy-to-use
- 24/7 support
Simplified document journeys for small teams and individuals

Why choose airSlate SignNow
- Free 7-day trial. Choose the plan you need and try it risk-free.
- Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
- Enterprise-grade security. airSlate SignNow helps you comply with global security standards.
Your complete how-to guide - online signature legitimateness for sick leave policy in European Union
Online Signature Legitimateness for Sick Leave Policy in European Union
Managing sick leave policies in compliance with European Union regulations can be a complex task. Ensuring the legitimacy of online signatures is crucial to streamline the process. By following the steps below, you can use airSlate SignNow to securely eSign sick leave policies with confidence.
Step-by-step Guide:
- Launch the airSlate SignNow web page in your browser.
- Sign up for a free trial or log in.
- Upload a document you want to sign or send for signing.
- If you're going to reuse your document later, turn it into a template.
- Open your file and make edits: add fillable fields or insert information.
- Sign your document and add signature fields for the recipients.
- Click Continue to set up and send an eSignature invite.
airSlate SignNow empowers businesses to send and eSign documents with an easy-to-use, cost-effective solution. It offers a great ROI with a rich feature set, tailored for SMBs and Mid-Market. The platform has transparent pricing without hidden support fees and add-on costs, along with superior 24/7 support for all paid plans.
Enhance your sick leave policy management with airSlate SignNow and ensure compliance with EU regulations for online signatures. Try it today and experience the benefits of secure and efficient eSigning.
- Best ROI. Our customers achieve an average 7x ROI within the first six months.
- Scales with your use cases. From SMBs to mid-market, airSlate SignNow delivers results for businesses of all sizes.
- Intuitive UI and API. Sign and send documents from your apps in minutes.
FAQs
- What is the online signature legitimateness for sick leave policy in European Union?
The online signature legitimateness for sick leave policy in European Union refers to the legal acceptance of electronic signatures for documents related to sick leave. The EU recognizes e-signatures as valid, ensuring that employees can use them for submitting sick leave requests. This legal framework provides security and efficiency in processing such requests.
- How does airSlate SignNow ensure the online signature legitimateness for sick leave policies?
airSlate SignNow ensures the online signature legitimateness for sick leave policies by adhering to eIDAS regulations, which govern electronic signatures in the EU. Our platform incorporates advanced security features, including audit trails and encryption, to validate every signed document. This helps businesses comply with legal standards while streamlining their sick leave management process.
- Is airSlate SignNow cost-effective for managing sick leave documents?
Yes, airSlate SignNow provides a cost-effective solution for managing sick leave documents through its competitive pricing model. With our platform, businesses can handle an unlimited number of e-signatures without the need for excessive pen-and-paper processes. This efficiency translates into cost savings, especially when adhering to the online signature legitimateness for sick leave policy in European Union.
- What features does airSlate SignNow offer for sick leave documentation?
airSlate SignNow offers a variety of features that facilitate the management of sick leave documentation, including customizable templates, automated reminders, and real-time tracking of document status. These features align perfectly with the online signature legitimateness for sick leave policy in European Union, ensuring that every aspect of the process is compliant and efficiently handled.
- Can airSlate SignNow integrate with other HR tools for sick leave management?
Absolutely! airSlate SignNow offers seamless integrations with popular HR tools, making it easier to manage sick leave alongside other HR processes. This capability enhances the overall workflow, ensuring compliance with the online signature legitimateness for sick leave policy in European Union while improving productivity across your organization.
- What benefits does airSlate SignNow provide for organizations handling sick leaves?
airSlate SignNow provides numerous benefits for organizations handling sick leaves, including enhanced productivity, reduced processing time, and increased legal security. By utilizing our platform, organizations can confidently meet the online signature legitimateness for sick leave policy in European Union while ensuring that employees can easily submit their requests. This leads to higher employee satisfaction and streamlined HR operations.
- How secure is airSlate SignNow for sensitive sick leave documents?
airSlate SignNow places a strong emphasis on security for sensitive sick leave documents. Our platform utilizes advanced encryption technologies and compliant practices to ensure the online signature legitimateness for sick leave policy in European Union. With robust security measures in place, businesses can trust that their employees' sensitive information is protected.
How to eSign a document: online signature legitimateness for Sick Leave Policy in European Union
18, one year before the publication of the Cybersecurity Act, the former EA chair Ignacio Pina and myself had had the first meeting in Brussels with senior managers from ENISA, that was Steve Purser and Andreas Mitrakas, in order to discuss about the European cybersecurity certification framework and the development of potential candidate schemes. The reason for starting the cooperation was that the CSA would take recourse to conformity assessment and accreditation according to Regulation 765. At this time, I have to admit, it seemed for me almost impossible, due to the complexity, that ENISA would be able to prepare within three to four years a candidate scheme which covers a significant range of ICT products, processes and services. It was indeed a huge challenge, but ENISA established, based on the Cybersecurity Act, several expert groups and invested a lot of resources into this activity, and that with success, because now, three years after the ENISA-EA meeting in Brussels and two years after the publication of the Cybersecurity Act, ENISA drafted the candidate EUCC scheme and the guideline for accreditation. And we are happy that this scheme will be presented today to the EA community, but also to representatives from the national cybersecurity certification authorities. These NCCAs play an important role under the cybersecurity group, in particular regarding CABs involved in assurance level high. Therefore it will be key to have a good cooperation between the national accreditation bodies and the NCCAs. Therefore welcome also to the NCCAs and also to the EA recognized stakeholder representatives. Could you please mute your mic? I'm not sure who it is. Yeah, thank you. I am very happy that we have now speakers with us which are responsible for the EUCC scheme and the guidelines for accreditation of laboratories. That is especially the first speaker, Philippe Blot from ENISA. He is lead expert certification at ENISA, chair of the EUCC ad hoc working group and responsible
finally for the EUCC scheme. He will present us this first candidate scheme. We have also two experts with us who will inform us about the guidelines on the accreditation of laboratories, called ITSEFs. This is first Javier Tallón, who is technical director at jtsec, expert consultant on the Common Criteria standard and other security assurance standards in the field of information technology, and that is Miguel Bañón, who is convener of the ISO/IEC joint technical committee working group 3 dealing with security evaluation, testing and specification, and is management board member of the Common Criteria Users Forum. I should note that the draft guidelines for labs and national accreditation bodies have been distributed to the participants of this webinar on last Wednesday. And finally, I'm really glad that Rosalina Ortega from ENAC is with us. She is convener of the EA task force group ENISA and she represents EA in various ENISA technical groups. Rosalina will make a presentation on the EUCC scheme and its application by national accreditation bodies.
Before we start with the first presentation, just a couple of administrative issues. I mentioned already, please mute your mics. If you want to have the floor during the discussion sessions, please raise your hand and you will get the floor. In this case please unmute your mic, switch on your camera if you want, and say your name and the organization you are representing. Please be aware that this webinar will be recorded. If you do not want to be visible on the internet or social media, please switch off your camera. If you have any questions, then, as I mentioned, we will have some time for discussion, but you can also use the chat function. We try to look at that regularly and then to raise questions mentioned in the chat also during the discussion sessions. And I'm inviting now Philippe Blot from ENISA for the first presentation. Philippe, the floor is yours.
Hi, sorry. Hi everyone, hi Andreas, I hope you can hear me.
Yes, yes.
Cool. Many
thanks for the kind words. I'm really happy to have this opportunity to discuss with accreditation colleagues and to have this organization, that represents one of the key players into the certification framework, to hear from us, from ENISA, what we already have in place in terms of schemes and also in terms of accreditation requirements or guidance we may have towards some of the categories of the CAB players, and I will explain that in a moment. I want also to thank the participation of EA representatives into the work of ENISA. As you mentioned, Andreas, this has been a very nice initiative to have you from the very beginning into our discussion, so that we can set the bar and share a common objective also with the NCCAs and the experts at the same time, and not discover at the end that we may have missed something. The invitation you have raised also to have not only the NABs but also NCCAs and the stakeholders is also very appreciated, so I would like to insist on that. So as you said, I will have Javier and Miguel to support me, and I used also the opportunity, because even if there is an agreed program we always like surprises, I also invited Eric Vétillard, who is in charge to design the second scheme, the EUCS, which targets cloud services, also to have the possibility to give some indications of where he stands currently and also its interference with accreditation matters. So we probably use the possibility to have a talk of a couple of minutes before I close my presentation, at a quarter to 11, and before we engage into the questions, if that's okay for you.
So now, again, just a short introduction for myself. So I'm Philippe Blot. I joined ENISA in November 2019. I previously had been working at ANSSI, the French cybersecurity authority, into a division related to products and services, which had the following activities: certification of products and
qualification of services; approval of products which are designated to protect sensitive or classified information for national, EU, NATO business; export controls; relation with industry. And of course the relation with the NABs, at least the national one, and the relation with the ecosystem, the CABs, has always been in my sphere of willingness to develop this important activity, which also serves into the market, and I will insist on that as well. So let's start. I try and share. Sorry.
Please, yeah, no worries.
And so, do you see my screen?
Yes, we do. Could you put it on presentation mode? Yes, thank you.
Okay. So I will present the candidate scheme as a global overview of the scheme, and then I will present some highlights of the scheme in order to indicate what might be the difference as compared to existing SOG-IS activities we already have in place for many years. I will also develop ongoing activities we have, especially regarding guidance and pilots. Here are some elements of agenda. So we started even before I joined ENISA. On July 19 there was a request received by ENISA from the Commission to put in place, to develop a candidate scheme. So this is a general process: ENISA receives from the Commission a request to develop a scheme. This request was established even before there was the vision which will be made available as a global vision into a Union Rolling Work Programme. This is a document that is under discussion still under the SCCG, which is a community of stakeholders on cybersecurity certification, and this Union Rolling Work Programme will give a vision of the schemes to be developed, and next-to-come certification scheme requests for ENISA should more or less be aligned with this document, which will be published anytime. So based on the request, the general process is that we set up an ad hoc working group. The ad hoc working group is set up based on a call
we do on our internet website, and we invite people to join. We invite experts to join, be them from the developer side, so the people that develop security offers that relate to the scheme to be developed, but also consumers of certified solutions, and also the NABs, potentially also the CABs. And we also wanted from the very beginning to have the member states associated to the development of the scheme, so we also invited, and that's in addition to the selection procedure we had, for which we designated 20 representatives from the previous stakeholders I was mentioning, we also invited the member states to join, and they were designated by the relevant authorities. So in total we ended with a group that is more or less composed of 30, 35 people. The ad hoc working group, chaired by ENISA, delivered a first version of the scheme in July 2020 that was published for review. So we parallelized a public review, SCCG and ECCG review. Based on this review we delivered a second version of the scheme, version 1.1, that was delivered to the ECCG. So the ECCG is the member states representation for supporting the development of the scheme, and the ECCG is supposed to give its opinion on the candidate scheme before ENISA sends officially the scheme to the Commission and the Commission starts engaging into the development of an implementing act. So the ECCG opinion was received, and based on that we delivered version 1.1.1 of the scheme to the Commission. Version 1.1.1 was just a small cosmetic review of the documents, and we by the way embedded some updated versions of the annexes that are still developed by the SOG-IS committee. The Commission, based on the candidate scheme, started to develop an implementing act, and the draft of the implementing act was shared with the ECCG members, submitted to comments, and the comments received were also commented by ENISA, so we responded to the comments, and now everything is in the hands of the Commission for them to
develop an implementing act. In parallel to this more legal activities, we engage into guidance development. Guidance is key. Guidance will go into the detail of what a candidate scheme cannot go, and will allow to provide harmonized interpretations of the requirements, and I will elaborate on that. But before I elaborate on that, I want to display some information on what we are talking. So the EUCC scheme, what is it? It's a scheme for ICT products. So you remember that the Cybersecurity Act covers the certification of ICT products, services or processes. Here we are dealing with ICT products, and we have already the Common Criteria, so the two standards I'm mentioning here that are the foundation for this scheme. So you have multiple examples of certified products: in your wallet you probably have a banking card with a chip that was certified and an app that was certified; you have ID cards or passports with chips, that happens. And so the goal of the scheme is to focus on how to evaluate in a harmonized way. The what to evaluate is left to the relevant stakeholders, and we will not tell at any other level what should be a good firewall. The people that want to procure a good firewall, they will have to define their requirements using the Common Criteria, to select which products have been potentially certified against this sectoral or technical requirements. And in general this what to evaluate, the protection profiles that are defined to support this requirement expression, are developed by the communities, either at regulatory domains or under standardization organizations. And here I give some examples. We have the eIDAS protection profile, which standardizes security requirements for cryptographic modules to be used as qualified signature creation devices, so it's under eIDAS regulation. We have automotive-thin specific TPM, which has been designed by the automotive community. We have the machine readable
travel documents SAC, supplemental access control, sorry for the long title, that has been developed for the authority that deals with passports. We have also collaborative protection profiles that have been developed by a community under the CCRA. So these expressions of the requirements are not in the scheme, but what is available in the scheme is the possibility to certify this protection profiles, to make sure that they are in line with the above-mentioned standards, the Common Criteria. The EUCC: when we received the request at ENISA, there was a clear definition of the expectation, and it aims to serve as a successor to the existing schemes operating under the SOG-IS MRA, and you will find here a link to the SOG-IS MRA, and we wanted to take advantage of the existing practices of this MRA. So we address all Common Criteria levels, and that goes from lower levels to higher levels, and for the higher levels the community of the SOG-IS has already defined some strong material for the technical domains, and I will elaborate also on that later. It's a full third-party scheme, which does not allow for self-assessment, and it has strong requirements for the CABs acting especially at higher levels, including peer assessment. The SOG-IS MRA is a recognition arrangement between some of the EU member states that deals with certification, and that's been in place for many years. The Cybersecurity Act added many improvements as compared to the situation that was available with the SOG-IS MRA. In particular the CSA asked for assurance continuity of the certificates, in order to make sure that certified products would be observed by the relevant bodies, the developers, CABs, in terms of whether they would still meet the security requirements they had been certified against. So there are new activities that are being introduced according to the CSA into the scheme, which relate to monitoring and handling of non-compliances and non-conformities, and also
vulnerability handling and disclosure. In order to ease the adoption of the possibility to update a product in a more simple way as compared to the full reevaluation of a product, we also introduced a patch management mechanism that can be part of the certification. The scheme is designed to address the requirements of the Cybersecurity Act. I hope you are familiar with the different articles of the Cybersecurity Act, but here I rephrase some of them. There is one article that defines security objectives of certification schemes, so what a scheme, in terms of what to certify against, should be targeted, and in the candidate scheme we provided a mapping between the security objectives of Article 51 towards the relevant functional and assurance requirements of the Common Criteria. This allows for a vendor in particular, or a developer of solutions, but also a user of certificates, to see how well a product can solve the security objectives as expressed in Article 51. Article 52 defines the assurance levels, and therefore we worked on a comparison between the assurance levels of the Cybersecurity Act and the Common Criteria, and I will elaborate on that because it's an important part. Article 54 establishes the elements of a certification scheme and expresses in letters a to v what a scheme should contain. We followed Article 54 for the design of the scheme, and the scheme has a core part which addresses all elements requested by Article 54.
So the core part of the scheme is about one third of the document. I hope you had the chance to take a look at the candidate scheme; if not, please do so after the presentation. The document is about 300 pages and one third is dedicated to the core part. This core part is then covering Article 54, and it includes not only requirements but also background information. Background information is there to justify or explain why we went into the different requirements. In addition to the core part, elements requested by Article 54, we also provided a section on additional elements to the scheme. So Article 54 allows for additional elements, and we used that to introduce the possibility to certify protection profiles. As I said before, protection profiles are not products; they are specifications that are approved or agreed, defined by a community, and we wanted to make sure that the possibility which is offered currently by the SOG-IS to certify these specifications, to make sure that they are in line with the criteria of evaluation and certification, was still offered. And this possibility will also be potentially used for higher domains where no technical domain exists. We also provided recommendations from the ad hoc working group, both on transition from the SOG-IS and future maintenance of the scheme. In addition to this core part, additional elements and recommendations, we provided annexes for mandatory application, and here we mostly copy-pasted the existing mandatory documents that apply for SOG-IS certificates. We added where necessary new elements, and I'm thinking about elements that relate to patch management, which was not yet covered by the SOG-IS community, and also we elaborated on peer assessment. We will provide guidance in addition, and this will be made available through the ENISA website dedicated to certification.
Some highlights on mapping the Common Criteria. I'm sorry to go into
technical details, but the Common Criteria are composed of functional requirements and assurance requirements. Functional requirements are, for example, related to authentication or protection of data during transfer or audits, related to operation at the product level. Assurance requirements are related to what an evaluator, assessor of the product, shall perform to test the product, and describe also the evidence that the developer shall provide to support that testing activity. Among the assurance elements there is one category which has a particular interest as compared to the CSA definition of the assurance levels, which is AVA_VAN. The AVA_VAN defines the criteria of robustness a product has and is assessed against, and for example it indicates for a particular level how difficult it was for the testing laboratory to set up an attack, to design an attack and to apply an attack on the product. How difficult it was because it necessitates access to one or many samples of the product; it necessitates access to detailed information on the product or not; it necessitates equipment that is on the shelf, everywhere accessible, or bespoke; and it necessitates skills that are common or that are very particular. So the Common Criteria has a scale from one to five for this AVA_VAN levels, and based on the long history of the Common Criteria and on our understanding of the Cybersecurity Act, we decided to go for the following mapping: AVA_VAN 1 and 2 map to assurance level substantial, and AVA_VAN 3 to 5 map to the assurance level high. In terms of security it has a meaning, but it has also a meaning in terms of market and market players. Currently SOG-IS activities are mostly run, for CB, for certification body activities, by member states or national bodies, because it's an international scheme. So if you refer to SOG-IS, it's mostly member states agencies, and if you think into international, it's approximately
the same. So the CBs in charge to certify according to the Common Criteria today are mostly national authorities, national agencies. Tomorrow, with the Cybersecurity Act and this delineation between the levels substantial and high, commercial CABs will be now in the loop, meaning that certification activities will no more, for this substantial level, be handled by the national bodies. Of course they will be supervised, but they will not be handled. In terms of actors, we have two categories of actors: we have the certification bodies and the testing laboratories. So testing laboratories that are in place today, they are mostly private entities, commercial bodies, and the impact potentially on these entities is different, because they have been acting always as commercial bodies and private bodies, so they will continue most likely to act as before. The main change will be for the certification bodies. But it's important to note the CABs that will act for the EUCC, they shall be accredited. I mentioned two categories of actors: we have the certification bodies and the testing laboratories. The CBs, they will have to be accredited against 17065. The ITSEFs, they will have to be accredited against 17025.
In addition to their accreditation, the CSA introduces the possibility to ask for more, and if you ask for more, there shall be a dedicated process to authorize the CABs to operate for the EUCC. We decided to ask for specific requirements for the authorization of the CABs to operate at level, on the general principle that accreditation will be key for the selection of the appropriate CABs. We wanted to harmonize the interpretation of the standards. This is something we will of course develop more this morning, but I want to insist on the fact that the goal of this activity related to certification is key. It will support lots of regulation to come, it will enhance the level of confidence that users will have into IT, and therefore we want to make sure that all players in this field of certification dispose of the same rules and have the same interpretation of the standards. Therefore we engaged with the ad hoc working group and EA on the development of harmonized interpretations, as before or now interpretations are at national level and they are not harmonized. One other element of the EUCC scheme is that we are developing a website dedicated to cybersecurity certification that will not only disclose the scheme and associated documentation, guidance, but also the certificates that are issued by the different certification bodies and related information on the status of these certificates. So what you have to understand is that the EU certification scheme is not a scheme that is operated by ENISA. It's defined by ENISA as a candidate scheme, and then transformed into an implementing act by the Commission, and then it is applied by the member states, that will either act as CBs for the level high or supervise the private CABs that will operate for level substantial or basic. But ENISA will not certify. ENISA will gather the certificates into one single website, so that the users of the certificates, they have an easy access to what has been certified and what is the
status of this certificate. We will offer on this website some search engines or criteria for research, and we worked on the taxonomy in order to ease the research by a potential user of certificates based on criteria, be they sectorial, so I would like to have an equipment that has been certified to meet some criteria related to automotive, as I was mentioning before, and we will have categories of products based on technologies, and also we will have another, third layer, which will indicate whether the products are to be composed with, for example, libraries or certified software solutions. In addition to this website activity that will allow to display all certificates, we are advocating for a label to support the communication on the certificates. We provided into the EUCC scheme some provisions for the establishment of such a label, and we are working currently on the development of such a label, not on development directly but on a study as to how such a label could be set up to promote certification according to the Cybersecurity Act. And for example, in this study we are dealing with: should there be a label that only covers the EUCC, or is targeting all schemes that will be developed under the Cybersecurity Act? What kind of information is displayed into the label? What kind of elements are accessible when you make an association between the label and the ENISA website? And so on. So this is an ongoing study, and we will probably conclude the study by the end of this year. As I said earlier, we introduced, in accordance with the Cybersecurity Act, new elements as compared to the SOG-IS, related to monitoring compliance, and this was an important part of the discussions, which goal we wanted to have. Here I reflect what we have in the scheme, and the goal here, we selected three main streaming targets: we wanted to detect non-compliance into the application by a manufacturer or
provider of the rules and obligations related to a certificate that has been issued on their ICT product. So if a developer has obligations related to a certificate, we want to make sure that we monitor that and we detect issues and have the possibility to correct. We have also non-compliance into the conditions under which certification takes place, which are not related to an individual ICT product. So it might be the case where we discovered that an ITSEF missed something, not in one individual product but on potentially multiple products, which would be associated to a gap into either the accreditation or the authorization related to this testing lab. We wanted also to handle the potential non-conformities of individual certified products with their security requirements, which might refer to either a change in the threat environment after the issuance of the certificate or a vulnerability identified and related to the products. This is all defined in the scheme and I will not go into the very details here, because it's not the goal of this session; you can have all details when reading the scheme. But as a general measure, we wanted to have monitoring consisting of preventive measures, and we introduced therefore, especially for the first non-compliance criteria, commitments from the developer, so that we want to make sure that when they apply they already know in advance what would be their obligations. We will have detection activities, which might for example be associated with market surveillance, and we also defined consequences with associated timelines on the CABs' activities and all the certificates. This is all detailed in the candidate scheme, and again I invite you to read that document. We also introduced into the EUCC scheme a general process on handling vulnerabilities and also dealing with disclosure. Here we selected two standards, and we also provided some more specific elements that relate to timelines, but also we added
requirements to make sure that the developer and deployed remediation on the vulnerabilities would not introduce new vulnerabilities. So we wanted to make sure that the third party involved into the assessment of the product would have the necessary goal and material to reassess probably that there would be non-regression as compared to the security of the product when new features were introduced.

In order to ease the updates on the product, we also introduced a non-mandatory patch management mechanism. We used two tracks for that: one is an either track and the other is an s key, so working group one is key is a group that is supporting the circus activities. So we used this approach, um, this brand new approach, as to define conditions for the CAB to partially certify some of the elements of patch management during the certification of the products, so that the application of a patch would be, after a correction, easier. This is also well detailed into the scheme. It's a complicated, uh, it's not a complicated area, it's, um, it's an important one that has implication of the certification process as compared to today, and it's detailed in the scheme. We wanted also to introduce the possibility to use a patch management as a fast-track approach 200 functional changes into our certified products.

The candidate EUCC scheme also defines conditions for mutual recognition with third countries, and these conditions may serve as the basis for future mutual recognition arrangements or agreements. However, the responsibility to establish such MRAs or to define conditions under which the current american continue, this responsibility is not on ENISA, and this is a role for the Commission based on the request by the member states to do so. So this is, we can't define the conditions only. Ongoing activities.

So, um, the full candidate scheme is already 300 pages, as I said earlier, so one third, 100 pages, the core requirements, and the two additional 100 pages relate to
mandatory annexes, so the annexes that go into the details. Um, as an example, and to let you know, um, the SOG-IS community that has been acting for numerous years, they have for example defined specific requirements that are applicable for technical domains. Technical domains have been defined as technical areas, for example smartcards, where the community approves to establish some harmonized guidelines for the developers to comply with and for the evaluation facilities, the testing labs, to comply with. For example, there are requirements on the security of the sites that are used to develop, produce the products. These elements are into the annex because they are for mandatory application if you want to have a chip that is targeting a high level to be certified. You also have requirements that apply for the ITSEF, so the testing laboratories. For the same type of products, for example the smart cards, there is an annex that will describe the specific evaluation activities that a testing lab will have to perform on this type of equipments, what type of testing facilities in terms of equipment they shall use, what kind of effects they shall consider, and there is a predefined set of measurement of what shall be the result of vulnerability analysis. So this is an important material that has been in place and used for many years, that is allowing the mutual recognition of the certificates among the SOG-IS community, so we wanted to keep that important material. And so this was just a mention on the annexes.

Um, so the document that has been delivered to the Commission is mostly composed of the shalls, the mandatory requirements, and of course when it comes to mandatory requirements there may be interpretations or guidance related to how to understand the requirements. And therefore, in anticipation of the approval of a scheme in terms of the adoption of an implementing act, we wanted to make sure that at least some of the element of
guidance that would be useful to set up the new scheme would be available for different stakeholders. So we started to work on the following items: harmonized interpretations of 17025 for the accreditation of the ITSEF; guidance on the manufacturer's commitments, because I mentioned that as an important way to be in a position to prevent issues, and that would be part of the non-compliance monitoring; how to use existing SOG-IS certificates in order to establish EUCC certificates. This is key here. So SOG-IS certificates that are in place are important elements for the security of many systems. The EUCC is an evolution of the SOG-IS; it's introducing new features, but we want to make sure that there is a smooth transition. We want to avoid a situation where there would be a disruption of certification service based on the fact that people would hesitate engaging now into SOG-IS certification because they want to wait for the EU certificate, the EUCC, to be available. So we have developed some guidance in order to ease the transition between the two types of certificates.

We developed also, as mentioned, the taxonomy of ICT products so that we could ease, on the ENISA website dedicated to certification, the search for the products that are adapted to specific requirements. We also introduce into the candidate scheme the need to develop guidance for the delivery and publication in due time of certificates and their updates. Of course, if we gather all certificates on the ENISA website, it's important to make sure that we have the interface in place for the CBs and national authorities to deliver the certificates in due time, and also to update the information based on the evolution of the status of the certificates. We also want to make sure that we ensure the security of information for all the workflows associated with certification activities. Of course, as I mentioned earlier, we have some already existing requirements for the higher level on the
developers for their sites, but we must make sure that these requirements, maybe not at the same level of expectation, maybe at a lower one, but that there are also requirements that are available for lower levels for the developers, but also for the CABs, for the CBs or ITSEF, and also so that the community will in a harmonized way protect the information related to certification activities, be they the information that is related to intellectual property of the developer or the outcome of the certification, the certification reports, the tv or the technical assessment that the ITSEF has done, which indicates the level of the attacks that the product may face. Um, we also will provide in a future checklist to support peer assessments. So there are multiple examples in the candidate scheme of areas where ENISA thought there was a need to dig a little bit further into interpretations or guidance. Maybe we will go for more, but at least we have established a list, and here is just a sample of that.

In order to, as I said earlier in the planning, meanwhile the Commission engaged into the development of an implementing act, we continued the activity with the ad hoc working group and started to develop the guidance. We also used additional experts in the development into these elements. Here is the six elements we already wanted to cover in the first phase: accreditation, transition, taxonomy, security of information, developer commitments and application form. I have added here one which is not in the previous list but which is also important. As I mentioned earlier, there is a big experience that has been gained on evaluation at higher levels than four and five for technical domains, or smart cards or HSMs and this kind of equipments. VAN.3 has been defined as the first level of level high according to the CSA, and currently there were until now no harmonized requirements that would apply on the testing facilities, on the labs, as to perform
AVA_VAN.3 evaluation in a harmonized way, even though VAN.3 has been in place for many years and has been used largely for the assessment of software equipments, software solutions that also protect sensitive information into EU networks. So we wanted to also cover the gap that was in place, so we work on that and we have very promising results here.

Pilots. Um, pilot is key. Eric will present in a couple of minutes some elements of his scheme, launched pilots for the EUCS on the cloud, and the goal was to assess whether the requirements that were set for the scheme, or some elements of interpretation for the requirements, were understandable, someone could understand them, whether they were appropriate, whether the application would fulfil really the requirements. And we want to go the same way: we want to make sure that the guidance that I was mentioning earlier makes good sense and that the interpretations or the elements we provide into this guidance is applicable, is not ambiguous, is promising in terms of added value in terms of cyber security level of the ICT products, and so on. So in order to play with these requirements, we have called for projects to run pilots. The organization that was put in place was that we would use the ad hoc working group participants to propose topics that they would like to experiment, meaning that the outcome would be a kind of report of lesson learned, but never a certificate or an accreditation or whatever; it would be just an assessment whether the guidance was good enough or whether there would be required amendments, or what would be the associated costs and efforts associated to the use of such a requirement, but not a decision on the ICT products or on a CB or on an ITSEF or so on. Um, the ad hoc working group members proposed some pilots, and we have six projects that will be run from now on till the end of the year, or maybe a little bit beyond when it comes to some
scenarios, but mostly the interest was on the three following topics: accreditation of ITSEF; transition from SOG-IS certificates into EUCC certificates with the same certified product, so as is, you take a product that has been certified and you want to see what are the additional requirements and how easy or difficult it is to put in place some monitoring activities at the developer side or at the CAB side; um, and evaluation of ICT products at the substantial level. The last one is interesting, not that the other ones are not, but the last one is interesting because it is addressing an area where we will have new CABs, not the national CBs but private CBs operating, and we want to analyze how we would go for that. So these pilots are under preparation; as I said, they will provide feedback to the ad hoc working group and to propose potentially amendments, and we will also maybe provide feedback, not maybe, but if you're willing to, we will provide feedback on the first item, which is related to the accreditation of ITSEF.

This concludes my presentation, and we will go after, uh, at quarter to, uh, in a couple of minutes, uh, to questions, but I wanted to offer Eric, uh, the floor for a short update on the EUCS edition. Please, Eric.

Thank you. Um, so just want to say a few words. Um, the work on certification of cloud services started a few months after the work on Common Criteria. The key difference is that while, well, EUCC is based on an existing SOG-IS ecosystem, EUCS is a new scheme which is loosely inspired from existing assessment, uh, schemes, you know, in various, uh, member states, but there are a lot of new questions about it to be raised. So in particular, um, in the EUCS we are certifying a full service, where traditional IT security certification typically focuses on management systems. So the scheme also covers the three assurance levels defined by the Cyber Security Act, so we have developed a set of requirements on security controls
that cover these three levels. We also developed a specific methodology which drew mostly from the ISO 17000 family of standards but also from the ISAE family of standards that is used by public auditors. So from this methodology we are currently deriving a dedicated set of requirements for conformity assessment bodies based on ISO/IEC 17065 that should be used as a basis for accreditation. So in terms of where we stand, we have a new version of the scheme that will be delivered by the end of this year for opinion by the national authorities in the ECCG. However, the work on the requirements for CABs is still under progress; it will be transferred in the coming weeks or month to CEN-CENELEC JTC 13 Working Group 3 for adoption as a technical specification. So the consequence is that we would be delighted to have representatives of the EA communities or the labs that contribute to the finalization of that document in JTC 13. Thank you for your attention.

Yes, thanks a lot to Philip but also to Eric, so to give us the first introduction to the next candidate scheme, the EUCS. I have not yet discussed that with ENISA and especially with Eric, but of course we have planned another webinar, if Eric agrees with it, where we then can present more in detail to our members and the NCCs, to the community, also the EUCS scheme. But thanks a lot for the first information about this very, very important activity, so thank you to you, Eric. Continue now with the guidelines on the accreditation of laboratories. It was mentioned already in the presentation from Philip, and Philip will start with this topic, and then we will continue with two presentations, one from Javier and one from Miguel. But first, Philip, please.

Okay, thanks to be back for that. Here's the presentation again, and let's switch to presentation mode. Good. So, uh, the second part goes, uh, more to the point of the cooperation between our two communities, so we want to tackle here what we have produced on guidelines for the
accreditation of the labs. So again some background information; sorry for the repetition, but sometimes it's good to repeat some elements, uh, because I feel that this is important that you understand the key points of the changes associated to the transition between the SOG-IS activities and the EUCC. So the mapping again will allow private CABs to operate, okay. The notification of the CABs, which will be the responsibility of the national cyber security certification authorities, the NCCAs, will be based for the substantial level solely on the accreditation. Okay, that's a big move, that's a big move for the national authorities, because for the moment, even if there is a strong history based on the accreditation of the CABs, be they the ITSEF or the CBs, even if the CBs accreditation was not mandatory under the SOG-IS, but whatever, um, there was always an additional layer of the national authorities, which is called licensing, to overview some additional points on the capabilities of the ITSEFs. So the fact that we will rely on accreditation for the substantial level is a main difference as compared to the current situation. So that's why it's really important that everyone in the community, and again I thank you, Andreas, for setting that meeting that allows both communities to be all together so that they can share the same views. So this accreditation is really a key element of the notification of the CABs, and in cyber security that's a brand new element for the consideration of the NCCAs.

For the level high we will have, uh, authorization on top of the accreditation. The one information I want to highlight here, and again it's detailed in the scheme, so you can dig for it in the scheme, the delineation between accreditation and authorization: it is foreseen that the separation between accreditation and authorization will be based on the fact that, in addition to the accreditation, the NCCA will review the
CB assessment that their related ITSEFs are capable to perform penetration testing for assurance components VAN.3 and higher, and it is important to mention here that it's according to methodology that are not in the public domain nor published standard. So that's therefore the fact that we provide some elements into already the candidate scheme with the mentioned annexes that I was referring to, and we are developing currently for the VAN.3 level some harmonized interpretation of the capability of the ITSEF to perform such activities, but it's something that was not available yet and which will become available over time. And the second item where there will be additional review is the protection of security of information, probably to stricter requirement than the ones that may apply for the accreditation of the CABs, and this is again something that is under definition for the different workflows that may apply during certification.

Um, so here the strategy we developed according to, regarding the accreditation. So based on my national experience, where at nc we used to have the ITSEF accredited, and we established with COFRAC some national interpretations of 17025 for the accreditation of the, perhaps, the ITSEF, based on this national experience and the fact that there were also other members, um, someone should, uh, switch off the mic, okay, uh, based on the national experience and the fact that other member states that were acting on the SOG-IS had also established national interpretations of 17025 for the accreditation of the ITSEF, we decided to go for that in the first glance, and we wanted to have that in place for the substantial level, so up to VAN.2. The second element we want to elaborate based on that experience is the requirements or the interpretation for the accreditation of the CBs for the same level. Javier and Miguel, they
indicate this is something that is easy to handle based on the experience gained on the ITSEF, so I will trust them on that and I hope this will be the case. Uh, and here we have potentially a little bit less of experience because there was no obligation under the SOG-IS to go for the accreditation of the CB, so it's something that is not always common in all the participants to the SOG-IS MRA. We will continue to develop requirements for accreditation for ITSEF that will operate at level high, so VAN.3 and above, and we will see whether we have more requirements for the NABs for the accreditation of the ITSEF, and we again will do the same for the CBs.

You may ask why we did not combine all requirements within a single document which would be for CABs. This is for the EUCC scheme, and which might be a different case for the EUCS, because there is a historical delineation between the ITSEF activities and the CB activity, so we wanted, again as a smooth transition enabler, to make sure that we have the possibility to move from an accreditation of an ITSEF according to today's practices into tomorrow's practices in a smooth way, and the same for CBs. Of course, if it happens in the future that the same entity operates both ITSEF and CB activities as a company and can benefit from a unique accreditation according to 17065 under the scheme, which is not foreseen at the moment, but we don't know, we have version one of the scheme, we will have version one of the implementing act, and we will update where necessary, we can combine things into simple single documents, but for the moment we still work on separate documents.

I don't want to go too much into the details of what we have done, and I rely on, uh, Javi and Miguel to do that more into detail, but one important activity was to select the standards that we would rely on to provide the proper interpretations of 17025, are the two ones we selected, and here are the domains of
interpretations we handled into our documents. One important matter is that not only we provided interpretation that relates to what an ITSEF should do to comply with the interpretation or to its accreditation criteria, but also we provided some recommendations from NABs. At the very beginning these were all combined in a single document, but based on the comments we received from you, and we thank you again for that, we just decided to split the two parts. Uh, so the documents were already submitted to ECCG and EA for review; we have taken the comments into consideration, and this separation into the two documents is just one illustration of that. Sorry, and, uh, we will go deeper into the presentation after that.

But so the question is the way forward. Um, we have multiple options, and here is, uh, one option we had foreseen with, uh, my two, uh, colleagues Javier and Miguel, and the group in general is considering as a good way forward to submit these elements as a new work item for sense and like tg17, but we are of course open to other options. You will tell us what works best: whether you would prefer, based on the contents of the elements we provided, to have EA giving recommendations to the NABs into whatever accreditation program you set, whether you prefer to have these elements in the scheme, and then we ask the Commission to have this element in the scheme, or whether the way forward through standardizations, make the strong decision, makes best sense. From an ENISA perspective, whatever works in order to protect the information of the evaluation, and second one is the technical competence of the personnel, mainly the personnel involved in the vulnerability analysis of the products.

Well, um, as you know, in the Cyber Security Act, uh, there are three assurance levels: basic, substantial and high. The basic one is not applicable on this scheme, but the substantial and high are
applicable, but the requirements are different. The CABs, the conformity assessment body working on a substantial level, need to be accredited, but the conformity assessment body that want to work at high level, they need to be accredited and also authorized by the national authority. And for this reason we need a very close cooperation among the national accreditation body and the national cyber security certification authority, because a close cooperation among them will be a benefit for everyone: first for the laboratory, the ITSEF, because they don't need to be assessed twice for the same requirement; second for the NABs, the national accreditation body, because they will get support, they can't find technical assessors from the national cyber security authority; and of course it could be also useful for the national cyber security authority, that if he relies on the work done by the NAB, they have a less stressful process for the authorization. So this cooperation among accreditation bodies and the authorities, win-win, everybody wins with this.

Well, as Javier told you before, there is still a lot of work to be done on this group, because at the moment we are only working on the guidance and requirements for ITSEF at substantial level; then we will need to work on the requirements for certification body at substantial level, and then the same for high. So there is a lot of work ahead still. Well, additional requirements for the labs in this scheme, as it is until the moment, they will come from ISO standards and interpretation, and European interpretation of this standard also, and this has been explained, but I will point out in this that this technical ISO TS part one, these have information security requirements for the labs, and in the past it was the national scheme, the certification body, who assessed this requirement, and now is the accreditation body who will have to assess this information security requirements for a
ITSEF at level substantial. That is a change for the accreditation body who has been working in this field. Well, the scheme will be more or less like this: there is a client or developer with the products; the laboratory will evaluate these products according with this standard, and then the accreditation body will evaluate the laboratory according with all these standards, of course the 17025 and the requirements coming from the scheme, and this requirement will be based on these other standards. This has been already dealt to you. And the same for the certification body: we expect to have, of course, the ISO 17065 and additional requirements for the certification body.

Well, then let's speak about the guidance for NABs. Miguel explained to you that there are recommendations for NABs on assessors, on the knowledge that they need to have, on the possible sources where we can find these assessors, mainly from the national cyber security authority. But I would like to also stress that we may face, um, additional problems when looking for assessors, practical problems. For instance, if we are going to assess a laboratory who has evaluated a product at high level, and this product, its use is classified, the information about this process is classified, then you will need to use an assessor that, apart from the knowledge they have, they need to have one specific, um, habilitation to assess the classified information, maybe a NATO clearance, security clearance. And this is only for information that we may have to think on additional things, practicalities, not only on the knowledge of the assessors.

About the confidentiality, I also would like to stress that in this scheme requirements about the security of the information are quite straight while requiring, so we will have to face to keep the information at the same level that the ITSEFs keep the information of the evaluation. So, uh, we have to be aware that on this particular field of information
security maybe that we need to take additional measures that we usually do. I would like to say that we have a big help on the Cyber Security Act, on Article 58, that give a mandate to the national authorities; they give them the mandate to actively assist and support the national accreditation bodies in the monitoring and supervision of the activities of the conformity assessment bodies. So today they have this mandate, but also on the document, uh, that has been sent to you, the guidance for the national accreditation body, they give us some recommendations about how to work and how to cooperate among the national accreditation bodies and the national authorities. And this is a very important, very crucial point, because as I told you before, it's not easy to find experts in this field, so if we can use experts coming from the national cyber security authority, or at least an expert that has been approved by them, that is a very truthful for us. This is helpful because we can create a climate of cooperation, of mutual trust, where the activities of the NAB are transparent for the national authority.

And I will say from my personal point of view, on the ENAC experience, that this is essential to make the scheme work. In ENAC we started to work with this field more than 20 years ago. I remember that the first lab we evaluated, I was the team leader in that evaluation, and we created a team with members from the national authority and other members, and that was the beginning of the fruitful cooperation between our national authority and us, ENAC. And I recommend all of you to do the same: to be transparent in your work, to offer them all the cooperation, and to know each other's way of work, to know the persons involved in these activities, because this is a win-win, uh, for everyone, for review of the conformity assessment, the accreditation bodies and the national
authorities