Cybersecurity certification

The Law on the Implementation of Regulation (EU) 2019/881 of the European Parliament and the Council of April 17, 2019 (Law on the Implementation of Cyber Security Certification) designated the Information Systems Security Bureau as the national body for cyber security certification. In its capacity as a national body for cyber security certification, the Information Systems Security Bureau supervises and requires compliance with the rules from European cyber security certification programs, monitors compliance and fulfillment of obligations of manufacturers or providers of information and communication technology (ICT) processes, actively supports and provides support to the national accreditation body in performing accreditation and supervision of conformity assessment bodies and authorizes conformity assessment bodies when applicable.

The national accreditation body in the Republic of Croatia is the Croatian Accreditation Agency. The Croatian Accreditation Agency grants accreditation to conformity assessment bodies for a period of five years if they meet the requirements and reports to the Information Systems Security Bureau on the initiation of each accreditation procedure as well as on each issued accreditation.

The Information Systems Security Bureau has the task of informing the European Commission about each issued accreditation carried out for the purpose of cyber security certification and authorization to perform European cyber security certification.
On the basis of certain European cyber security certification schemes, cyber security certification is carried out, which refers to the procedure for issuing European cyber certificates, i.e. declarations of conformity for information and communication technology (ICT) products, services and processes at the request of their manufacturers or servers. Cyber security certification confirms that ICT products, services and processes have been evaluated in accordance with European cyber security certification schemes and that they meet established security requirements for the purposes of protecting the availability, authenticity, integrity and confidentiality of stored, sent or processed data, functions or services that are offered by or accessed through those products, services and processes during their life cycle. Cyber security certification is voluntary, unless otherwise provided by Union law or the law of the Member States.

Cyber security certification is carried out for ICT products, services or processes at three guarantee levels – basic, significant and high. Assurance levels are used to inform users about the cyber security risk of ICT products, services or processes and are commensurate with the level of risk associated with the intended use of the products, services or processes in terms of the probability and effect of an accident. A high guarantee level would mean that the certified product has passed the highest safety tests. The obtained  certificate is recognized in all EU member states, which facilitates cross-border trade for companies and for customers to understand the safety features of the product or service.

Conformity assessment is a procedure by which conformity assessment bodies evaluate whether certain requirements relating to an ICT product, service or process have been met. In the Republic of Croatia, conformity assessment bodies  are legal or natural persons accredited by the Croatian Accreditation Agency or an equivalent accreditation that meets the requirements of Regulation (EC) no. 765/2008 of the European Parliament and the Council of July 9, 2008 on the determination of the requirements for accreditation and the repeal of Regulation (EEC) no. 339/93 and which, if determined by the certification scheme, was authorized by the Information Systems Security Bureau.

Depending on the cyber security risk associated with the intention to certify the use of ICT solutions, the appropriate guarantee level is selected for a particular ICT product, service or process for which cyber security certification is carried out.
The manufacturer or provider of ICT products, services and processes may themselves carry out conformity assessment of ICT products, services or processes ("self-assessment of conformity"), exclusively for the basic assurance level for ICT products, services and processes of a low level of complexity that pose a low risk to the public, as which are mechanisms of simple design and manufacture. In such cases, the manufacturer or provider of ICT products, services and processes himself carries out all checks to ensure that the ICT product, service or process is compliant with the European cyber security certification scheme. In this case, the manufacturer or provider of ICT products, services and processes carries out the conformity assessment solely under his own responsibility.

Citizens, organizations and businesses across the European Union now make significant use of networked and information systems, leading to digitization and connectivity becoming key features of an increasing number of products and services. With the growth of digitization and connectivity , cyberattacks are also increasing, as a result of which society's sensitivity to cyber threats increases, and individuals are exposed to ever greater dangers.

Cybersecurity certification is implemented as the European Union's response to the increased risks that come with the increasing digitalization of society. In this sense, the European Union has taken a number of measures to regulate relations in cyberspace, thereby increasing resilience and strengthening its cyber security preparedness. With the aim of increasing trust and security in the Union's Single Digital Market and in view of the rapid spread of connected devices, a framework for security certification of information and communication technology products, services and processes, i.e. all objects in cyberspace, was established by the adoption of Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on cybersecurity certification in the field of information and communication technology and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)

Cyber security certification takes on great importance due to the increasing use of cyber technologies for purposes that require a high degree of reliability and security, and in an increasing number of sectors there is a noticeable increase in dependence on ICT products, services and processes, especially in traffic, in life and health maintenance systems (e-health), in industry and in the realization of human rights and interests (e-citizens).