British Standards Institution

Source:: CEN/CLC
Committee:: EPL/47 - Semiconductors
Categories:: Information management | Standardization. General rules

Scope

The category of products in scope of the Standard are secure platforms for smart cards and similar devices including secure elements. Secure platforms for smart cards and similar devices including secure elements consist of - the high end tamper resistant hardware (discrete or integrated one) on which smart card/secure element/similar devices are always based which have JIL High/Moderate attack potential resistance and - the generic software layer like cryptographic libraries and the Operating Systems which can run on them which have JIL High/Moderate attack potential resistance. The JIL ratings for attack potential have been defined as part of the SOG-IS scheme for the technical domain for smart cards and similar devices evaluations and certifications in Common Criteria. The JIL rating is inherited by the EUCC scheme which will supersede SOG-IS and are available on the EUCC website. NB: The secure platform for smart cards and similar devices including secure elements rely on the same type of technology. In what follows and for the sake of simplicity of the language the term “smart card" platforms can be used to refer to “smart cards and similar devices including secure elements” platforms.

Purpose

Purpose In september 2024 the European Commission published a draft standardisation request to the European Standards Organisations in support of the Union policy on cybersecurity requirements for products with digital elements. The request is part of the preparatory measures in view of the adoption of the legislative proposal COM/2022/454 (Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020). The Standardisation request requests a series of 15 horizontal standards (1-15) to provide a coherent generic framework, methodology and taxonomy that can be used to develop further product-specific standards according to market needs and a set of 26 vertical standards (16-41) for important or critical categories of products in the Cyber Resilience Act, covering a specific set of risks appropriate to a given intended purpose and foreseeable use. The developed standard will address the smart card/secure element/similar devices platform conformance to the CRA essential requirements as per the item “European standard(s) on essential cybersecurity requirements for smartcards or similar devices, including secure elements” in the standardisation request of the European Commission. An important part of the work will be a gap analysis between the essential cybersecurity CRA requirements (CRA, Annex I of the CRA draft proposal text) and the Common Criteria Protection Profiles for platforms of smart cards and similar devices, including secure elements. The TC47X WG3 has been created to cover such activity in preparation of its assignment to CENELEC by the European Commission. Justification Secure platforms for smart cards and similar devices, including secure elements, offer robust protection against sophisticated and costly cybersecurity attacks. This is because smart card technology inherently addresses threats from highly skilled and well-resourced attackers with strong motivations. In Europe, the security of smart cards and similar devices, including secure elements, has been validated over decades through third-party evaluation and certification under the Common Criteria (CC) standard within the SOG-IS scheme, which will transition to the EUCC framework starting in 2025. These certifications are based on well-established Protection Profiles specific to the smart card and similar devices sector. The Common Criteria process provides a high level of confidence, maturity, and transparency regarding the cybersecurity of smart card and similar devices technology. Thus, the aim of the standard will be to demonstrate where relevant that these Protection Profiles under the EUCC cover the essential requirements of the CRA and can establish a presumption of conformity with these.

Comment on proposal

Required form fields are indicated by an asterisk (*) character.

How important do you think standardization is in this area? *

Do you agree that a standard on this subject is feasible?: *

Please give reasons for your selections above: *

Would you or your organization use the standard? *

Would you or your organization be prepared to participate in the development of the standard or to comment on the draft when it is available? *

Are you aware of any regulation, existing standards and other good practice information in this area in the UK (e.g. Industry codes of practice; company specifications, international or European Standards)? *

Would the development of a standard(s) in this area have a particular impact/relevance to SME, consumer, environmental or societal interests? *

Are you aware of any other organizations to which this proposal may be relevant? If so please provide details below. *

Additional comments on the scope or proposal:

Although BSI will not usually enter into correspondence regarding individual comments or suggestions we may wish to contact you to seek further clarification. Please indicate whether this will be acceptable: *

Discard

Please email further comments to: debbie.stead@bsigroup.com

Standard timeline

1. Proposal

Proposal start date:

01/12/2024

Proposal end date:

27/12/2024

2. Draft

3. Public Comments

4. Comment Resolution

5. Approval

6. Publication

Learn more about the standards development process

Standards Development

CLC/TC 47X NWIP - WI 80922 prEN 50XXX Cyber Resilience of EUCC certified platforms of Smart Cards and Similar Devices Including Secure Elements

Scope

Purpose

Comment on proposal

Discard changes?

Submit comment

Submit comment

Follow standard

Unfollow standard

Error