Applying for the Cybersecurity Label is easy
For companies, the Cybersecurity Label is a simple way to communicate responsibility and demonstrate that information security has been taken into account in the design of a product or service.
Application process description
The length of the process varies between 5 and 20 working days, depending largely on the product’s complexity and the company’s readiness to provide information during information security testing. Reserving required resources for the project should be secured as early as possible. Information about the service or product and its security features requires in-depth expertise, and experts from the company and any third party should be reserved in good time.
The Cybersecurity Label is a simple way for a company to communicate its responsibility to consumers in information security matters. See the Company section here for more information on the benefits of the label and related costs.
For more information about preparing for the process and meeting the requirements, contact Traficom or an inspection body. A prerequisite for obtaining the Cybersecurity Label is that the product or service is protected against the most common threats targeting smart devices. The NCSC-FI at Traficom has set certain information security requirements for products. Compliance with the requirements is checked by a third-party information security company. You can read more about the requirements here.
To obtain the Cybersecurity Label, the product or service must pass an inspection performed by a third party. The company completes the statement of compliance and sends the physical device (if any) to the inspection body. The inspection checks that the product meets the set requirements and documents the results of the inspection. Read more here.
Experts from the NCSC-FI at Traficom assess the results of the inspection and check that the requirements are fulfilled.
If the information is considered adequate and corresponds to the requirements, the Cybersecurity Label is granted. If any deficiencies are revealed, these are rectified. The company and the inspecting body will be sent a summary of the results of the interface testing and the inspection results, and any information security deficiencies that must be corrected.
The company takes the corrective action and submits the updated data to Traficom and the inspecting body.
After the Cybersecurity Label has been granted, the company may use the label with the product or service in question and in its marketing and communication channels. The product or service is also added to the Cybersecuritylabel.fi website. Read more about maintaining the label here.
MAINTENANCE OF THE LABEL
Labelled products’ and services’ compliance with the requirements is monitored annually. The annual evaluation is a lighter process than the inspection, covering the impact of possible changes on the information security of the labelled product or service. Read more about the inspection process here.