23-25 March, 2027 | Steigenberger Wiltcher's, Brussels

Reality Check of the Reliance on EUCC Cybersecurity Certificate: the Case of QSCD Certification (S12a)

Examine whether EUCC certificates truly guarantee trust in QSCD devices.
25 Mar 2026
1:20 pm
Ballroom B

QSCD certification, as defined in the eIDAS regulation, is necessary for a product to produce a qualified signature, i.e. one that is legally equivalent to a handwritten signature. As per the latest update of the eIDAS regulation, the QSCD certificate is bound to the validity of the underlying Common Criteria security certificate. This talk explores the shortcomings that stem from strict reliance on a valid EUCC cybersecurity certificate without consideration of risk management within sector-specific legislation (here, QSCD). It highlights the importance of taking into account the risk management of products in the field within sector-specific legislation, and proposes approaches to overcome these issues. In addition, key learnings will be drawn for (1) bridging the conformity assessment under the CRA and EUCC cybersecurity schemes and (2) enhancing the CSA.