In recent years the ICT market has evolved toward a cloud-based approach. This shift together with the rapidly changing legal and regulatory landscape has heavily impacted security assurance, governance and compliance. The information security market players have tried to provide suitable solutions to cope with issues such as i) lack of means to provide higher level of assurance (e.g continuous monitoring and auditing), ii) privacy not adequately taken into account, iii) limited transparency and iv) lack of means to streamline risk management and compliance. In the certification space this has resulted in the creation of several schemas creating an additional problem, i.e. the proliferation of certification scheme. The project EU-SEC will improve the effectiveness and efficiency of existing approaches for assurance and compliance. The EU-SEC aims to create a framework under which existing, certification and assurance approaches can co-exist. The three core ideas behind the EU-SEC project are that an effective and efficient approach to trust, assurance and compliance has to: (1) balance the need of nations and business sectors to develop their specific certification schemas with the need of CSPs to reduce compliance costs (2) avoid that humans (auditors) do activities that can be performed by machines (e.g. collecting data) (3) make sure that accurate and reliable evidences/information are provided to relevant people, in a timely fashion, leveraging as much as possible automatic means. The EU-SEC framework will equip stakeholders in the ICT security ecosystem with a validated governance structure, a reference architecture, and the corresponding set of tools to improve the efficiency and effectiveness of their current approach to security governance, risks management, assurance and compliance. The EU-SEC aims to enhancing trustworthiness and transparency in the ICT supply chain through business cases developed and piloted by industrial partners.

Despite the evident benefits of cloud computing, its adoption is still limited partially because of EU customers’ perceived lack of security and transparency in this technology. Cloud service providers (CSPs) usually rely on security certifications as a mean to improve transparency and trustworthiness, however European CSPs still face multiple challenges for certifying their services (e.g., fragmentation in the certification market, and lack of mutual recognition). In this context, the new EU Cybersecurity Act (EU CSA) proposes improving customer's trust in the European ICT market through a European certification scheme. The proposed EU CSA’s cloud security certification scheme conveys new technological challenges due to its notion of “levels of assurance” (e.g., high-assurance through continuous certification for the whole supply chain), which need to be solved in order to bring all of EU CAS’s expected benefits to EU cloud providers and customers. In this context, MEDINA proposes a framework for achieving a continuous audit-based certification for CSPs based on EU CSA’s scheme for cloud security certification. MEDINA will tackle challenges in areas like security validation/testing, machine-readable certification language, cloud security performance, and audit evidence management. The MEDINA consortium is composed of academic and industrial partners, which play key roles in the EU cloud security certification ecosystem (e.g., research, cloud providers/customers, and auditors). MEDINA will provide and empirically validate sustainable outcomes in order to benefit EU adopters.

Cloud-based services have grown from basic computing services to complex ecosystems, comprising (virtual) infrastructure, business processes and application code. These advanced services also increasingly leverage the usage of Artificial Intelligence, including Machine Learning or Natural Language Processing techniques, raising the complexity even higher. Due to the cascade of dependencies among the different products and services, the need arose to bring more agility to the certification process of cloud-based services, e.g., using continuous monitoring and assessment, as evidenced by references to it in the certifications of the EU Cybersecurity Act (EU CSA). To transform the continuous assessment and certification concept into the complete realization of a Certification-as-a-Service (CaaS), several challenges need to be solved: 1) current proposed proofs of concepts for continuous monitoring lack interoperability at technology level, 2) the adoption of cloud and edge computing and the incorporation of regulations on specific topics or domains, such as AI, put significant strain on companies to comply with a multitude of different security schemes, 3) existing market fragmentation for continuous certification (scope, methodologies), hinder transparency and accountability in the provision of European cloud services, 4),smart tools and models need to be adopted to ease the agile application and implementation of the CaaS concept reducing complexity in the whole cloud certification value chain easing the adoption of CaaS by the different stakeholders. To overcome these challenges, the design and implementation of the EMERALD CaaS solution leverages the H2020 project MEDINA’s outcomes and advances them to TRL 7 in the EMERALD core. Two PoCs will be provided; one for composite certification and one for mapping requirements to upcoming AI certification schemes. EMERALD will pave the road towards CaaS for continuous certification of harmonized cybersecurity schemes.