The European Union Agency for Cybersecurity (ENISA) today published a report containing recommendations to establish an EU-wide cybersecurity certification scheme for cloud service providers.
The report was created by the Cloud Service Provider Certification Working Group (CSPCERT WG) at the request of the European Commission. Instead of proposing a completely new certification scheme, the working group has advised giving guidance for a program "based on existing practices/schemes/standards used by the industry and internationally recognized."
CSPCERT WG recommends the introduction of a cloud security certification scheme featuring three levels of assurance: "basic," "substantial," and "high." The assurance level awarded would be commensurate with the level of risk associated with the intended use of the ICT product, service, or process, in terms of the probability and impact of a cybersecurity incident.
A risk analysis would be performed to define the requirements of a particular level of certification, taking into account the benefits versus cost, the risk level, and the impact of a cyber-incident on the cloud service.
According to the report, the certification program should be designed to allow a cloud service provider to bundle services into a single certification, as long as those services are transparently included in the original or subsequent audit cycles and meet the required assurance for that certification level.
ENISA said: "A single European cloud certification is critical for enabling the free flow of non-personal data, which allows for the unrestricted movement of data across borders and information systems within the EU.
"The cybersecurity certification of cloud services will bring enhanced trust and legal certainty in the security of cross-border data processing, as acknowledged by the Free Flow of Data Regulation. Certified cloud services will reinforce the impact of this regulation helping the EU data economy to further contribute to GDP growth."
The report, entitled CSPCERT WG—Recommendations for the Implementation of the CSP Certification Scheme, was published ahead of plans to launch a call for applications to select members for a corresponding Ad-Hoc Working Group for Cloud Cybersecurity Certification. The call will be posted soon on the ENISA website.