New EN 17640 'Fixed-time cybersecurity evaluation methodology for ICT products’ helps evaluate the cybersecurity of ICT products

The new standard describes how the cybersecurity of ICT products can be examined in a pre-defined time, which means within a time frame set out at the beginning of the examination. This evaluation is usually part of certification procedures for ICT products.

EN 17640 is the first standard that implements by design the requirements of the European Cybersecurity Act (CSA), which establishes the rules for future cybersecurity certification schemes in Europe. For this reason, it provides future CSA schemes with the necessary building blocks to conduct evaluations at the three assurance levels "basic", "substantial" and "high", together with further legal requirements. At the same time, the standard can be adapted to the requirements of specific markets requiring cybersecurity certification or in general security evaluation.

EN 17640 is compatible with already existing certification schemes at the national level that implement fixed time cybersecurity certifications: among them, the French CSPN, the Spanish Lince, the German BSZ and the Dutch BSPA. Experts from these schemes provided their input during the development work within CEN-CLC/JTC 13/WG 3 ‘Security evaluation and assessment’. Consequently, the resulting “evaluation methodology” benefits from over a decade of experience.

Now, thanks to this new standard, product developers and users of certified products will be able to inform themselves on how to perform cybersecurity product evaluations. At the same time, parties involved in developing cybersecurity certification schemes in Europe according to the CSA benefit from a flexible as well as proven toolbox to develop their schemes.

EN 17640 was developed by CEN-CLC/JTC 13 ‘Cybersecurity and Data Protection’, whose Secretariat is held by DIN. 

If you want to learn more about European cybersecurity certification, please visit the ENISA website on this topic.