Requirements
The Cybersecurity Label shows customers directly that the following features of the product or service have been implemented in a secure manner.
Passwords
Access control ensures that only the owner of a product has control over what the product does and how it operates. The methods used to control access to a product, device or service, such as passwords, certificates or third-party authentication procedures, comply with best practice.
Software updates
Measures have been taken to ensure that the software used in the product is secure and kept up to date. Software updates are provided for the entire lifecycle of the product.
Data protection
Product owners are informed of how and for what purposes personal data is collected and who processes the data.
Secure transfer and storage of data
Data is protected during transfer and storage. The product uses appropriate data transfer, authentication and encryption methods, and key management procedures.
The network services associated with the product must be implemented in accordance with secure practices. All necessary services must be disabled. A description must be provided about the network services and ecosystem interfaces used with the product.
Secure default settings
The default settings for the product or service should be set to protect the user.
Cybersecurity Label is based on ETSI EN 303 645
The requirements of the Cybersecurity Label are based on the ETSI EN 303 645 standard, a collection of information security requirements for consumer devices connected to the internet. The requirements of the Cybersecurity Label have been selected and prioritised based on the OWASP IoT TOP 10 list of vulnerabilities. The ultimate objective is to tackle the most common information security threats that consumer products are exposed to via the internet.
Products that carry the Cybersecurity Label consider the device’s entire ecosystem. Other applicable standards include OWASP Mobile Application Security Verification Standard (MASVS), EUCS, ISO 27k and Cloud Security Alliance (CSA).
Prerequisites for obtaining the Cybersecurity Label
When applying for the Cybersecurity Label, a company must fill in a statement of compliance form that contains information on the features of the product or service. The NCSC-FI reviews the information given on the form. An independent third party then undertakes an information security inspection on the product or service that the application concerns. The results are compared against the Cybersecurity Label requirements. Once the information and features provided are deemed sufficient, the NCSC-FI grants the Cybersecurity Label.