Requirements

Prerequisites for obtaining the Cybersecurity Label

To obtain the Cybersecurity Label for its product or service, a company must show that the product or service in question meets the requirements set by the NCSC-FI at Traficom. These requirements are presented in the statement of compliance (pdf).

When applying for the Cybersecurity Label for a product or service, a company must submit information on the features of the product or service using the statement of compliance. An external security company then undertakes the inspection and submits the results to Traficom. Once the information and features provided are deemed sufficient, the NCSC-FI at Traficom grants the Cybersecurity Label. Read more about the inspection here.

The statement of compliance contains the following information:

Product description

The product description includes a description of the key information security features of the product or service and the related ecosystem. Information about secure use and the duration of the information security support offered is also provided.

Access control

A description of the methods used to control access to a product or service, such as passwords, certificates or third-party authentication procedures.

Software security

A description of the software used, and how it is kept secure and up-to-date.

Data protection

A description of how, for what purposes, and by whom personal data is collected.

Secure transfer and storage of data

A description of data protection methods during transfer and storage, such as data transfer, authentication and encryption methods, and key management procedures.

Security of network services and ecosystem interfaces

The product or service must minimise unnecessary online services and comply with the principles of minimum rights in their implementation. The interfaces provided by the ecosystem must be secure. All interfaces must check the feeds accessing them.

Secure default settings

The default settings for the product or service should be set to protect the user.