In force since 2021, the Cybersecurity Act (or CSA) sets a framework for risk-based cybersecurity certification in the European Union, ranging from low-risk scenarios (assurance level “basic”) to higher-risk scenarios (assurance level “high”).
Currently, Europe’s agency for cybersecurity, ENISA, is drafting certification schemes to allow for harmonized cybersecurity certification in the frame of the CSA at EU level. In order to support ICT market players interested in basic assurance certification, three Luxembourgish organizations – the Luxembourg House of Cybersecurity, ILNAS, and the ANEC GIE – are working together on a project entitled CORAL. CORAL stands for cybersecurity Certification based On Risk evALuation and treatment and proposes a methodology and a toolset to assess the cybersecurity maturity of any ICT service, product or process.
Based on this assessment, an organization can position itself as a candidate for CSA certification at the basic assurance level, once official CSA certification schemes are launched by the European Union.
In the video below, the three project partners explain the methodology behind the CORAL approach and provide a demo of the tool, called Fit4CSA. The video provides some basic details about the CSA, explains what resources were used to elaborate the tool, and also describes the envisioned workflow from self-assessment to a certification audit.
The CORAL tool is available online on a dedicated platform; it is free to use, anonymous, and open to any SME willing to improve the cybersecurity posture of its ICT service, product or process, in line with existing ENISA candidate certification schemes, selected standards and best practices. We would be happy to receive your feedback on the project approach and the Fit4CSA tool via this email address.
For more information about the project and the tool, please feel free to consult: