In recent years, the cybersecurity regulatory landscape in Europe for ICT security products has been evolving, and it is about to pick up speed. At the European level, the publication of the Cybersecurity Act formally launched a new push to develop a common framework for evaluating and certifying ICT security products, in a similar fashion to other product verticals such as radio devices or ATEX equipment.
In the meantime, several European countries have developed their own national evaluation and certification schemes, like Certification de Sécurité de Premier Niveau (CSPN) in France or the German Beschleunigte Sicherheitszertifizierung (BSZ). These have been developed as lighter alternatives to Common Criteria, for which the certification process might be too long and laborious for products that only need low and medium levels of security assurances.
In Spain, the Government launched a legislative framework called ‘Esquema Nacional de Seguridad (ENS)’, a National Security Scheme that defines the security policies to be implemented by the Spanish Administration at all levels. This scheme divides ICT security products into three assurance levels: low, medium and high. In order to promote the use of secure products in the administration and among its suppliers, the Spanish Cryptographic National Center (CCN) published a Catalogue – known as CPSTIC – that lists the products approved to handle classified information as well as the products qualified to handle sensitive information.
The catalogue’s goal is to become a reference for the Spanish administration in its tenders. Although being listed in the Catalogue is not mandatory to participate in public tenders, it is highly recommended and many global and local vendors are certifying their products in order to get listed.
Applus+ Laboratories, an accredited security lab for LINCE and Common Criteria.
Our security labs in Barcelona and Madrid are accredited by the Spanish National Cryptographic Center to evaluate under both the LINCE and Common Criteria schemes. In the Common Criteria case, we are currently the only lab in Spain accredited to evaluate the highest CC Evaluation Assurance Levels (up to EAL 6+).
Two routes to get listed: LINCE certification vs Common Criteria Certification
The procedure varies depending on whether the product is to be Approved (classified information) or Qualified (sensitive information). In the latter case, the requirements will depend on whether the product needs to comply with ENS Medium Category or ENS High Category. The CPSTIC Catalogue is organized into product families, and each family has an assigned reference group where applicable Fundamental Security Requirements are defined. The following table summarizes and explains the different routes.
It is important to note that a Common Criteria certificate can also be used for ENS Medium Category products. However, having a Common Criteria certificate already in place does not guarantee an automatic listing for any category. The product must comply with all the Fundamental Security Requirements corresponding to its family; otherwise, recertification under either LINCE or Common Criteria would be needed. Even if all the family security requirements are met, the product must pass a cryptographic evaluation to validate the conformity of its algorithms, and it will also be subject to additional evaluation depending on the results of the risk analysis.