Logotyp

Cybersecurity

The EU has developed a comprehensive cybersecurity strategy to strengthen security across the union. This strategy includes guidelines and policies to address cyber threats and enhance cooperation between member states. The EU encourages cooperation through initiatives like the European Union Agency for Cybersecurity (ENISA). ENISA works to improve the EU’s capacity to prevent and respond to cyber threats by sharing information and best practices among countries.

Accreditation plays a vital role in the EU’s efforts to ensure that IT products, services, and processes meet specified standards and other requirements for a high level of cybersecurity. Through the EU Cybersecurity Act, adopted in 2019, a European framework for cybersecurity certification of IT products, services, and processes has been established. Accreditation is a central part of this framework as it ensures that certification bodies have the required competence to perform reliable and standardized certifications.

The EUCC (European Common Criteria-based cybersecurity certification scheme) is the first certification scheme adopted within the EU’s cybersecurity certification framework. The EU is also working on developing additional certification schemes for various types of products and services, including a scheme for cloud services. This ongoing work is expected to increase the number of accreditation opportunities within the cybersecurity field. We will update this page as new accreditation areas become relevant.

EUCC

EUCC is a cybersecurity certification scheme that is part of the EU’s cybersecurity certification framework. The purpose of this certification is to enhance the security of products, services, and processes in the field of Information and Communication Technology (ICT) within the EU. By harmonizing cybersecurity standards across the EU, the EUCC certification helps improve collective protection against cyber threats and ensures that the digital market operates smoothly and securely.

EUCC highlights two types of conformity assessment bodies: product certification bodies and testing laboratories. Product certificates can be issued at assurance levels ”significant” and ”high.” The ”significant” level corresponds to Common Criteria’s AVA_VAN levels 1 or 2, while the ”high” level corresponds to AVA_VAN levels 3, 4, or 5. Certification bodies and testing laboratories (ITSEFs) seeking accreditation will need to demonstrate their competence at the highest level for which they intend to offer accredited services. Additionally, the EUCC requires authorization from the national cybersecurity certification authority (FMV) to issue certificates at the ”high” level.

As Sweden’s national accreditation body, Swedac accredits both certification bodies and testing laboratories (ITSEFs) within the EUCC framework. In Sweden, the Swedish Defence Materiel Administration (FMV) is the national cybersecurity certification authority. FMV is responsible for overseeing and coordinating certification activities at the national level and for collaborating with EU bodies such as ENISA, the European Commission, and serves as the national representative in the European Cybersecurity Certification Group (ECCG). FMV is also responsible for notifying the EU of accredited bodies, as well as those authorized under the Cybersecurity Act.

 

Requirements and guidance documents:

Common Criteria – Testing
Specific documents for the accreditation scheme
Acceptance criteria for objects/systems/persons assessed by the accredited body
Common Methodology 3.1 Common Methodology 3.1

General documents for the conformity assessment procedure
Requirements to be fulfilled for accreditation to be issued
SS-EN ISO/IEC 17025:2018 General requirements for the competence of testing and calibration laboratories (ISO/IEC 17025:2017)
STAFS 2020:1 Swedac’s regulations and general guidelines on accreditation

Instructions and guidance for meeting the accreditation requirements
EA-4/02 M:2022 Evaluation of the Uncertainty of Measurement in Calibration
EA-4/18 G:2021 Guidance on the level and frequency of proficiency testing participation
EA-4/21 INF:2018 Guidelines for the assessment of the appropriateness of small interlaboratory comparisons within the process of laboratory accreditation
ILAC G24:2022 Guidelines for the determination of recalibration intervals of measuring equipment
ILAC G8:09/2019 Guidelines on decision rules and statement of conformity
SWEDAC DOC 01:14 Assessment of quality systems in an electronic environment
SWEDAC DOC 03:9 Swedac’s policy on accreditation with flexible scope
SWEDAC DOC 04:2 Swedac’s policy on metrological traceability, calibration, and measurement uncertainty
SWEDAC DOC 05:6 Internal audits – Guidance for laboratories and inspection bodies
SWEDAC DOC 06:9 Swedac’s policy for accredited laboratories’ and inspection bodies’ participation in proficiency testing
SWEDAC DOC 10:5 Guidance for information security work
SWEDAC DOC 12:7 Guidance on the use of scales in testing laboratories and inspection bodies
SWEDAC DOC 20:1 Swedac’s policy on referencing accreditation

Common Criteria – Product Certification
Specific documents for the accreditation scheme
Acceptance criteria for objects/systems/persons assessed by the accredited body
Common Criteria, Part 1 Common Criteria, Part 1
Common Criteria, Part 2 Common Criteria, Part 2
Common Criteria, Part 3 Common Criteria, Part 3

General documents for the conformity assessment procedure:
Requirements to be fulfilled for accreditation to be issued
SS-EN ISO/IEC 17065:2012 Conformity assessment – Requirements for bodies certifying products, processes, and services
STAFS 2020:1 Swedac’s regulations and general guidelines on accreditation

Instructions and guidance for meeting the accreditation requirements

EA-2/20 G:2020 Consultancy, and the Independence of Conformity Assessment Bodies
IAF ID 3:2011 IAF Informative Document For Management of Extraordinary Events or Circumstances Affecting ABs, CABs and Certified Organizations
IAF MD 12:2016 Accreditation Assessment of Conformity Assessment Bodies with Activities in Multiple Countries
IAF PL 8:2023 Rules for the Use of the IAF Logo
SWEDAC DOC 03:9 Swedac’s policy on accreditation with flexible scope
SWEDAC DOC 20:1 Swedac’s policy on referencing accreditation