About the Project
CORAL, which stands for cybersecurity Certification based On Risk evALuation and treatment, is a European Union-funded project under the CEF Telecom Call that aims to develop a toolkit and methodology to speed up the certification process in line with the EU Cybersecurity Act, or CSA (Regulation (EU) 2019/881). The project aims to address challenges concerning self-certification and the basic level of assurance, as well as to enhance the exchange of good practices, collaboration and information sharing related to performing evaluations in line with the CSA.
The CORAL project is being developed in a Luxembourgish context, but it aims to become known and used beyond the Luxembourg market and borders. Its target audience is primarily small and medium enterprises that have a product or service for which they wish to assess the basic cybersecurity requirements.
Objectives
The teams behind the CORAL project are very ambitious and have set the following objectives:
- develop a light, efficient and straightforward evaluation method in line with the technical objectives of Art. 51 of the EU Cybersecurity Act (CSA) and based on risk assessments, to achieve a basic assurance level. This evaluation method will apply to SMEs that are in charge of ICT products, services or processes, in any sector. The method will also be used for conformity self-assessments, which the entry into force of the CSA also makes possible;
- create a set of building blocks for the certification process, including terminology, auditor profile, auditor report template and risk scoring. These elements relate to self-certification and the basic level of CSA assurance;
- promote its outcomes and, whenever possible, ask for peer support from its contact and support network in Luxembourg and abroad, with a view to cross-border collaboration and the exchange of good practices.
The Approach
The project is organised into different activities in order to achieve the defined objectives:
1. methodology for the conformity self-assessment and basic assurance
- understanding the state-of-the-art standardisation approaches;
- identification of the target audience and services/products;
- identification of the technical scope;
- identification of a list of questions for self-assessment and basic assurance;
- validation of the question set;
- validation of automated answer verification and recommendations.
2. proof of concept for the self-assessment and basic level of assurance
- PoC for basic tools;
- report generator with recommendations;
- document generator for easy review by the auditor;
- testing and validation.
3. proposal of a process to evaluate conformity based on cybersecurity risks
- basic steps and actors in the certification process;
- definition of terminology, risks, scoring scale and document structure;
- validation of the elements proposed above;
- development of the auditor profile;
- feasibility study.
4. training and dissemination
- workshops and train-the-trainer session organisation;
- promotional materials and videos;
- introduction of the topic and action to relevant EU and local bodies.
Partners
The CORAL project brings together the expertise of three key players in Luxembourg's cybersecurity and normalisation landscape, which have a wide range of expertise in the areas of cybersecurity and security certification.
- Luxembourg House of Cybersecurity (LHC) / NC3
- L’Institut luxembourgeois de la normalisation, de l’accréditation, de la sécurité et qualité des produits et services (ILNAS)
- Agence pour la normalisation et l’économie de la connaissance (ANEC g.i.e.)
NC3
The purpose of the Luxembourg National Cybersecurity Competence Center (NC3) is to strengthen the country's ecosystem in the face of cyber threats and risks.
NC3 is a government-driven initiative offering awareness-raising, information security risk management, privacy and self-assessment tools such as MONARC, Fit4cybersecurity, Fit4privacy, etc., with a focus on making the understanding and management of information security issues easier for SMEs.
ILNAS
The Institut Luxembourgeois de la Normalisation, de l’Accréditation, de la Sécurité et qualité des produits et services (ILNAS) is a public administration under the authority of the Minister of the Economy. ILNAS' missions include normalisation, accreditation and notification, digital trust, market surveillance and metrology.
ANEC
The Agency for Standardization and the Knowledge Economy (ANEC) is an economic interest grouping (EIG) whose purpose is to support ILNAS in the execution of its strategies in the fields of standardization and metrology, as well as applied research with the aim of supporting the competitiveness of companies in Luxembourg or improving the socio-economic knowledge of the country.