Security certification for digital products and solutions is a hallmark of reliability. What does this certification entail, and how does it ensure a high level of cybersecurity?
Definition of a Security Certification
Security certification for computer solutions and software involves evaluating a product according to specific cybersecurity standards. This process is now crucial for ensuring the protection of data and systems in the face of increasing cyber threats. Security certification also supports businesses in their search for secure digital solutions for their strategic and sensitive uses. It ultimately helps to harmonize the security levels of solutions and contributes to the creation of a trusted digital system.
Types of Security Certifications
Product Certifications: Focus on the security aspects of a specific product. They assess whether the product meets the required security standards and can resist potential cyber attacks.
System Certifications: Evaluate the security of an entire system, including the products, processes, and people involved. This type of certification is broader and considers the systemic aspects of cybersecurity.
There are various security certifications internationally and in Europe. Here’s an overview:
International Cybersecurity Certifications
Common Criteria (CC)
Common Criteria is the international standard for cybersecurity certification of information technology. Also known as “Common Criteria for Information Technology Security Evaluation”, this international standard (ISO/IEC 15408) allows for the assessment of IT product security by accredited and independent laboratories based on demanding technical and organizational criteria. The certificates are internationally recognized by the signatories of the Common Criteria Recognition Arrangement (CCRA), which includes ANSSI in France.
FIPS 140-3
Developed by the National Institute of Standards and Technology (NIST) in the United States, the FIPS 140-3 standard is specifically concerned with verifying the security of encryption modules. Essential for products used in government and sensitive environments, the standard analyses in particular:
– the features and capabilities of the encryption module
– interactions with other systems
– management of access and authorised operations
– software component security
– secure maintenance and updates
– measures against various forms of potential attack.
This standard proposes four qualitative levels of security (basic to very high), adapted to different applications and IT environments.
European cybersecurity certifications
The European Cybersecurity Certification project
The EUCC certification scheme is based on the international Common Criteria scheme for certifying ICT products, their hardware and software (firewalls, encryption and electronic signature devices, routers, smartphones, bank cards, etc.). In October 2023, a first draft implementing act for the EUCC was published by the European Commission and opened for comments.
EUCS (European Certification Scheme for Cloud Services) under study
In the same vein as the EUCC, EUCS certification is aimed specifically at approving the security of products and services hosted in the cloud. The proposed text is now being studied by the European Cybersecurity Certification Group (ECCG) and will help to strengthen the security of cloud computing in Europe.
As part of the NIS 2 directive and the Cyber Resilience Act, these European certification projects aim to harmonise the security levels of IT solutions.
In France: ANSSI security certification
The security certification issued by ANSSI (Agence nationale de la sécurité des systèmes d’information) is a benchmark in France and throughout Europe. Based on the Common Criteria international certification standard, this national certification scheme assesses the robustness of a specific version of a product at a given time, based on the state of the art of cyber attacks. To award it, the approved laboratories and experts analyse a number of security criteria, including:
– Compliance with current national and international information systems security standards and regulations
– Technical and organisational security measures
– Resistance to attacks, including attempted intrusions, hacking and exploitation of vulnerabilities.
– Access management and authentication to control access to data and resources.
– Encryption and data protection
– Resilience and incident management
– Security maintenance and updates, to respond to new threats and vulnerabilities.
The ANSSI is also offering security qualification for digital products and services intended for critical and strategic sectors (OIV and OSE). This qualification will meet specific regulatory requirements, such as the French military programming law. The ANSSI’s security qualification attests to the suitability of the solutions for the sensitive needs identified by companies. The publisher must prove that it can meet its commitments over the long term.
Which products are eligible for security certification?
A wide range of IT products and solutions are eligible for security certification if they expose data and/or are used by sensitive organisations. Here are some of the types of products covered by security certification:
IT hardware: servers, routers, firewalls and other network equipment, etc.
Software: operating systems, applications and databases, etc.
Cloud Solutions: Cloud computing services, storage and cloud-based applications…
Mobile Security Solutions: Security applications and infrastructures for mobile devices…
Industrial Control Systems (ICS) and Internet of Things (IoT): connected devices in various industrial sectors…
Tixeo, certified and qualified by ANSSI for over 5 years
Tixeo’s secure video conferencing software has been certified and qualified by ANSSI for over 6 years. Thanks to its end-to-end encryption and its on-premise version, it offers businesses in critical sectors total confidentiality for their exchanges and, above all, a high level of operational resilience. Through its certification and qualification, the French government recommends its use for sensitive applications. Other European labels confirm the security of its solution.
To prove their dependability, IT solutions may acquire a security certification. This becomes a significant advantage in the IT market, especially in an era where cybersecurity is a key concern for organizations. However, how can one ensure the credibility of a security certification across different countries?
What is a Security Certification?
Security certification for IT solutions and software involves appraising the product based on specific cybersecurity standards. These standards can vary depending on the industry and the regulations in effect within the issuing country. Therefore, certifications from different countries may not meet the same cybersecurity requirements, underscoring the importance of analyzing the criteria that establish the credibility of a cybersecurity certification.
Criteria for determining credibility
The Cyber Power of the Nation
A nation’s cyber power plays a role in its international influence. It encompasses the ability to utilize digital technologies and cyberspace to achieve national and international goals through government strategies, defensive operations, and resource mobilization. Various global indices help in determining a nation’s level of cyber power.
The Harvard Belfer Center’s NCPI Index
The National Cyber Power Index (NCPI) from the Belfer Center is a measure of nations’ cyber power. This index uses qualitative and quantitative data models to assess the capabilities and objectives of states. It includes 29 indicators, divided into two categories:
Intent indicators reflect a country’s priorities and motivations in terms of cybersecurity. In other words, they show how the country plans to use its cyber capabilities, in line with its strategic and political objectives. These can range from defence, espionage and information control to influencing the definition of cyberspace norms and offensive operations.
Capability indicators assess a country’s technical capabilities and cyber resources, regardless of how it chooses to use them. This includes technical expertise, infrastructure, available tools and technologies, and qualified human resources in cyber security.
The 2022 NCPI Report Findings
In the NCPI 2022 report, the authors assessed the cyber power of 30 countries around the world. In the top 10 are the United States, China, Russia, the United Kingdom and, in 9th position, France. Germany and the Netherlands are lower down the ranking.
France achieves a capability score of around 40 for the objective of “influence in defining cyberspace norms”, putting it in 4th place. In terms of intention score, France is in the top 4 of nations most involved in the defence objective.
The International Institute for Strategic Studies (IISS) Assessment
IISS has also developed a methodology for determining a nation’s cyber capabilities and how these contribute to its power. The institute classifies these capabilities into 7 distinct categories:
France is also said to be more transparent on the issue of cyber security. Indeed, the report states that the country “maintains a clear separation between defensive and offensive cyber operations”. Thus, the ANSSI (Agence nationale de la sécurité des systèmes d’information) is exclusively dedicated to defensive operations and is not part of the intelligence community, unlike the National Security Agency (NSA) in the United States or the Government Communications Headquarters (GCHQ) in the United Kingdom. “This distinction is important to some in France, based on the assumption that the objectives and remit of an intelligence agency, including its disposition towards secrecy, may interfere with some of the objectives and practices necessary for civilian sector cybersecurity, including the need for greater transparency regarding cybersecurity breaches.”
A nation’s cyber power is therefore one of the essential criteria to be taken into account when assessing the credibility of a security certification issued by a country. Indeed, when a country is highly ranked, it demonstrates its high standards and capacity in terms of cybersecurity. Another decisive criterion is the national certification scheme.
The national certification scheme
Common Criteria (CC) is the only international standard for assessing the security of IT products and systems. It analyses technical criteria, as well as organisational criteria and criteria relating to company processes, in order to assign a more or less high level of security (7 levels).
These criteria are very demanding and require organisations to put in place significant resources. As a result, only large companies or groups can afford to apply for CC certification. This difficulty in awarding certification runs counter to the desire to develop a trusted digital system, bringing together organisations of all sizes, from multi-nationals to smaller businesses.
To facilitate this certification process, France and Germany, drawing on their experience as certifying countries, have created national certification schemes focusing on the technical evaluation of products:
These schemes have made it possible to extend certification to a wider range of IT solutions, boosting their visibility while guaranteeing their high level of security. Indeed, the credibility of these national certification schemes rests above all on that of the issuing country.
The nation’s experience in issuing certification
The nation’s experience in issuing certifications is a major factor in the credibility of its certification scheme. And for good reason: the number of certified products demonstrates expertise and a particular commitment to cybersecurity.
In 2022, according to the Common Criteria Statistics report, France, via ANSSI, is the world leader in the number of Common Criteria certifications issued, with 74 certified products. Over the last 5 years, France is the second country to have issued the most certifications, just behind the United States.
To sum up, the credibility of a security certification is based on three main criteria:
The cyber power of the nation issuing the certification
The country’s commitment to developing a trusted digital system, through its national certification scheme
The nation’s experience in certification
France, one of the most credible cyber powers
France appears to be one of the most credible and experienced cyber powers, both because of the various “cyber power” indices and because of its experience in evaluating IT products.
ANSSI-certified solutions offer significant security guarantees and greater confidence.
Tixeo, the only secure video conferencing solution certified and qualified by ANSSI
Thanks to its sovereign end-to-end encryption technology and secure on-premise videoconferencing offering, Tixeo has been certified and qualified by ANSSI since 2017.
With three ANSSI security certificates received in 6 years, the company marks continuity in its commitment to security. A high level of cyber requirements that goes beyond the purely “marketing” aspect of certification.
Complementing the NIS2 directive, the DORA (Digital Operational Resilience Act) regulation adds another layer of cybersecurity to the financial sector. To protect their assets and the economic interests of European nations, financial institutions must strengthen their digital operational resilience.
The financial sector is heavily affected by cyber threats
Cyber attacks on the increase
Massive cyber attacks target financial sector infrastructures. Cyber risk now represents a major risk to financial stability. In its Financial System Risk Assessment report published in June 2023, the Banque de France notes that “the financial system remains exposed to a very high level of risk from cyber attacks”. This is due to the geopolitical context and also to artificial intelligence, which opens the way to highly sophisticated attacks that are harder to counter.
The very rapid digitisation of companies in the finance sector also explains this massive exposure to cyber risk. While the digitisation of banking services began very early on, information systems were not secured as quickly. In addition, employees of banking organisations make greater use of mobile devices and are more exposed to the risk of cyber attacks.
Because of the many risks and challenges involved, the European Union has classified the banking sector as highly critical under the NIS2 directive. As a result, organisations will need to strengthen their cybersecurity and train their decision-makers. Furthermore, DORA regulations are forcing financial institutions to redouble their efforts to better manage their cyber risk and become more agile.
Key points of the DORA regulations
Which organisations are concerned?
DORA is relevant to most organisations operating in the financial sector, such as:
Investment, payment and electronic money companies,
Insurance and reinsurance companies,
Insurance and reinsurance intermediaries.
Objective: strengthen digital operational resilience
Better mapping and management of cyber risks
Like the “all-risks approach” in the NIS2 directive, the DORA regulation aims to improve risk awareness in the financial sector. Financial institutions must take into account the risks inherent in their operations. The regulation therefore calls for these risks to be identified and their level of impact on the organisation to be quantified, both internally and externally. In this way, organisations will have better visibility of the measures to be put in place and will be more agile.
Risk management also helps to reassure the company’s ecosystem. This is the case for customers, whose assets and personal data must be fully protected.
ICT service providers covered by the regulations
Today’s banks and financial institutions are dependent on information and communication technologies. If they are not sufficiently secure, these technologies expose the sensitive data they transmit.
Under the DORA regulations, the financial sector will have to be resilient in the face of operational disruptions linked to these technologies. Organisations will be responsible for identifying and classifying ICT-related risks and developing incident management processes.
Moreover, supervisory authorities will carry out checks on ICT compliance with risk management measures. Sanctions may be imposed in the event of non-compliance.
Choose ANSSI-qualified service providers
The French National Agency for Information Systems Security (ANSSI) recommends highly secure products and service providers, thanks to its security visa. It helps organisations in sensitive sectors, such as finance, to assess the reliability of communications solutions.
In the event of a cybersecurity incident, teams need to be able to continue exchanging information in a highly secure environment. This will guarantee business continuity and ensure operational resilience.
ANSSI has published a guide to the operational and strategic management of a cyber crisis.
ANSSI security approval: a guarantee of reliability
For over 5 years, Tixeo has been the only secure videoconferencing solution in France to be certified and qualified by ANSSI, thanks to its Secure By Design approach and end-to-end encryption technology.
The DORA regulation came into force in the European Union on 16 January 2023. Implementation of the regulation is therefore already underway. The deadline for transposing the regulation in all Member States is 17 January 2025.
With the forthcoming application of the NIS 2 Directive in Europe, essential service operators (OES) and operators of vital importance (OIV) are preparing for new obligations to strengthen their cybersecurity.
A new name for essential service operator (OES)
The creation of essential entities (EE) and important entities (IE)
The main aim of this amendment to the NIS1 Directive is to maximise the security of the networks and information systems of sensitive European organisations. One of the changes is the end of the term OES (essential service operator). This used to refer to essential services whose cessation would have a major impact on the functioning of the French economy or society.
The NIS2 Directive does away with the term “essential service operator” in favour of two categories of entity:
Essential Entities (EE), which would mainly include large companies in sectors classified as highly critical.
Important Entities (IE), which would mainly concern medium-sized organisations in sectors classified as highly critical and organisations in critical sectors.
“Digital Service Providers” fall into these categories. It should be noted that there has been no change to the designation OIV (operator of vital importance). These are covered by NIS2.
Obligations for essential entities, important entities and OIV
Use ANSSI-certified security solutions
The security measures recommended by NIS2 include “the use of secure voice, video and text communications and secure emergency communication systems within the entity, as required”. For OIV, the use of security solutions certified by the ANSSI, thanks to its Security Visa, is even becoming compulsory. In the event of a crisis, operators of vital importance need to react quickly and demonstrate resilience. Secure communications solutions are therefore essential. They enable employees to carry on working. Various technologies, such as end-to-end encryption, guarantee data protection.
Security Visa from ANSSI: a guarantee of reliability
The ANSSI Security Visa makes it easy to identify the most reliable cybersecurity solutions. These solutions have been checked and assessed by approved laboratories.
For over 5 years, Tixeo has been the only French secure videoconferencing solution to be certified and qualified by ANSSI, thanks to its Secure By Design approach and end-to-end encryption technology.
Protecting network architecture
The NIS2 directive recommends partitioning networks and remote access. This is particularly the case when using on-premise security solutions. These must be able to function in an isolated network. The organisation will also need to be aware of all their impacts on its network architecture.
The benefits of secure on-premise videoconferencing
TixeoServer is Tixeo’s secure on-premise videoconferencing solution, certified and qualified by the ANSSI. Security is part of every step from its design to its deployment. For example, only one network port needs to be opened for installation, in order to limit the impact on the organisation’s information system security policy.
Actors in the supply chain, whether subcontractors or service providers, are subject to the NIS2 Directive. They generally have access to their customer’s infrastructure and therefore represent a security risk. In the event of security breaches within their infrastructure, the network security of the more or less critical entities for which they work would be impacted.
These European-wide cybersecurity regulations are unprecedented. There are many requirements to ensure that European organisations can demonstrate a common high level of IT security. Companies will have to comply, and quickly. Here are the main changes in the new NIS2 directive.
NIS2 directive: extending the scope of NIS1
In 2016, the Network and Information Security (NIS) Directive was adopted by the European Parliament and the Council of the European Union. Its main objective was to increase the level of cybersecurity of major organisations in around ten high-risk business sectors. In France, this represented around a hundred players.
With the intensification of cyberthreats, in a tense geopolitical context, more and more companies and institutions are concerned by the risk of IT incidents. That’s why Europe has published NIS2, an extension of the NIS1 directive, to take effect at the end of 2022. The aim is to broaden the scope of the sectors concerned and to strengthen cybersecurity requirements.
and the use of secure emergency communication systems within the organisation.
Virtually all sectors affected
NIS2 will now affect thousands of entities in more than 18 business sectors. All private or public entities with more than 50 employees, or with a turnover in excess of €10 million, are affected. These include digital companies and certain public authorities, which have been particularly targeted by cyber attacks in recent months. These sectors are classified in two categories: highly critical sectors and critical sectors.
Sectors classified as highly critical include:
financial market infrastructures
ICT service management
The sectors considered critical are:
postal and shipping services
manufacture, production and distribution of chemical products
production, processing and distribution of foodstuffs
Two new entity categories (EE and EI)
The other new feature of NIS2 is the classification of entities into two distinct categories: essential entities (EE) and important entities (EI). This classification is based on the level of criticality, the number of employees and the global turnover of the companies concerned. A large company employs at least 250 people and/or has an annual turnover of at least €50 million. A medium-sized company employs at least 50 people and/or has an annual turnover of more than €10 million.
Thus, essential entities would mainly include large companies in sectors classified as highly critical. Important entities would mainly concern large and medium-sized organisations in sectors classified as critical and medium-sized organisations classified in highly critical sectors. This distinction will make it possible to tailor requirements and penalties for organisations in proportion to their resources and the stakes involved in protecting their data.
It should be noted that in certain sectors, the high level of criticality may justify designation as an essential entity, regardless of the size of the organisation. This is particularly the case for entities identified as critical at national level by the CER Directive.
Lastly, the NIS2 directive also strengthens the penalty system. An organisation that fails to put in place appropriate risk management measures or to notify a security incident quickly enough will risk a fine proportional to its turnover and level of criticality. Companies could therefore be subject to fines of between 1.4% and 2% of their turnover, up to a maximum of €10 million.
EU Member States are also able to require entities to carry out audits or inspections. If necessary, they can issue warnings and instructions.
Focus on two new obligations for organisations
Reporting security incidents
With NIS2, when a cyber security incident occurs, organisations will have 24 hours to report it to ANSSI. This deadline is not yet definitive and may be reviewed before the directive is transposed into national law. However, all the organisations affected by NIS2 will have to get organised in order to react quickly. This initial notification is similar to a preliminary report, which will have to be supplemented by a final report. The aim is to improve the responsiveness of the authorities in the event of an incident and to trace cyber attacks more accurately.
Cybersecurity training for executives, managers and employees
In-house training is a key point in this new directive, and is encouraging massive awareness of the subject of cybersecurity.
Indeed, the main challenge of NIS2 is to force the implementation of technical measures, but also and above all operational and organisational measures. The entire organisation must be mobilised for its cybersecurity, not just the IT department. That’s why the directive requires cybersecurity training for senior managers, who must systematically approve all security measures. What’s more, the directors representing the organisation could be held liable if they fail to comply with the directive’s obligations.
With a view to extending cybersecurity to all functions, the NIS2 directive could redefine the role of the DPO (Data Protection Officer) by giving him or her tasks relating to the application of this directive. These new tasks will be consistent with those required to comply with the General Data Protection Regulation (GDPR). It’s a way of looking at cybersecurity as a legal risk, and no longer as the preserve of CISOs.
Firstly, the directive will be transposed at national level in 27 countries from 17 September 2023. Then, from October 2024, it will be mandatory for all companies and administrations concerned. However, organisations need to start preparing for these new cybersecurity standards now, by increasing their level of security. In this way, they will be able to counter the growing number of cyber threats.
How do you prepare for the NIS2 directive?
As of now, organizations affected by the NIS2 Directive can be assisted by experts to assess the security level of their information system and receive recommendations.
As a trusted service provider, certified and qualified by the ANSSI, Tixeo supports essential service operators and operators of vital importance in their NIS2 compliance. The use of secure communication systems is one of the recommendations to ensure business continuity in the event of a crisis. Protecting online communications is therefore a guarantee of cyber resilience for organisations.