Dear All,

Ahead of next week’s meeting, you’ll find here <https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13382-Cybersecurity-security-requirements-for-ICT-product-certification/F3437592_en> and below the comments provided on behalf of the SOGIS Management Committee.

The publication of the draft EUCC implementing regulation was welcomed by the participants of the SOG-IS Management Committee of the 6th of October, who strongly support fast adoption of the EUCC as the first European cybersecurity certification scheme. Based on the long experience gathered from many years of collaboration among national cybersecurity certification schemes, SOG-IS participants would like to take the opportunity of this public consultation to contribute to the final phase of adoption of the scheme with a specific focus on the transition of national schemes to EUCC and the management organisation for the future maintenance of the scheme. Member States will provide further contributions through comitology.

Given the different usage of Common Criteria certificates in EU Member States, SOG-IS participants consider it necessary to revise the scope of EUCC as outlined in article 1 to identify the certificates which actually fall into the scope of the EUCC implementing regulation.

Pursuant to article 50 of the draft EUCC implementing regulation, all national schemes falling into the scope of EUCC will cease to produce effect. The implications of such provision, i.e. cease to produce effect, are not completely clear from a legal point of view. The certificates already issued by existing national schemes will continue to be valid till their expiry date. However, life-cycle management of such certificates, also following the application of EUCC (12 months after entry into force), shall continue to be guaranteed till their expiry date. For example, maintenance of certificates shall be allowed and include the possibility to revoke certificates before their expiry date.

Regarding the mandatory component ALC_FLR (Art. 7, lett. b)) and vulnerability monitoring (artt. 8, 26, 27, 32, 34, 36), it is worth highlighting that ALC_FLR, as of today, does not provide evaluation of the effectiveness/actual application of flaw remediation procedures requested by EUCC.
A solution in the EUCC implementing regulation shall be further investigated to best enforce vulnerability reporting and monitoring, also considering the need to ease the transition of existing certificates to EUCC.

A maintenance infrastructure for EUCC should be ensured prior to the entry into force of EUCC. It should include the creation of an ECCG subgroup on EUCC for acting in tight collaboration with industry groups.

Best regards,
Pierre-Jean

From: [email protected]
When: 11:00 - 12:00 18 October 2023
Subject: Save the date - Eurosmart's comment on EUCC
Location: Microsoft Teams Meeting
