Final Public-Private recommendation for a European Cloud Security Certification Scheme
Amsterdam 12th June 2019
Timeline
Data Economy Package (Sept 2017)
FFD & Cybersecurity Package (CSA Sept 2017)
Mobilization of relevant stakeholders
☁ Kick-off of two WGs (12th Dec 2017)
Preparatory phase (Governance & composition)
Timeline axis: Sept 2017, Dec 17, Jan 18, April 2018
To explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act and come up with a recommendation that will be presented to the European Commission and ENISA
Working Group Composition
CSP CERT WG
● Balanced/Commitment/effectiveness
● Transparency
● Relevant expertise & legitimate interest
● Public
32 Drafting members: Accenture, AMAZON, ANSSI, BBVA/EBF, Bosch GmbH, BSI, CSA, CISCO, Danish Tax Authority, Deutsche Börse Group, Erasmus University, Eurocloud, Fabasoft, Google, HSBC, IBM, JPMorgan, LEET Security, LSEC, Norea, Oodrive, ORACLE, Orange, PWC, SAP, Secura, Securemailbox, TECNALIA, Trusted Cloud, UCIMU/Confindustria/Business Europe, UNINFO, Zeker Online
29 Observers: Access Partnership, Amadeus, Bitkom/Deutsche Bundesdruckerei, CISCO, CISPE, CTO Security Networks AG, DINSIC, Danish Business Authority, Digital Europe, European Banking Federation, Google, Government of Ontario, HUAWEI, Microsoft, Nokia, OVH, Outscale, Palo Alto, PWC, Santander bank, SALESFORCE, Sistemas de Datos/Digital SME, SCOPE EUROPE, Swedish civil contingencies agency, Upcloud, VARAM, Virtustream (DELL), VdTuev, VMWare
Co-chairs
● Borja Larrumbide, BBVA-EBF (User)
● Helmut Fallmann, FABASOFT (CSP)
Rapporteur
● Hans Graux, Timelex
European Commission:
● DG-CONNECT
● DG-DIGIT
● JRC
● DG-JUST
ENISA
Working Methodology and tools
Online Collaborative tool (Community site / Blog)
Strong approved Governance document
Comprehensive approved Rules of Procedure document
Monitor attendance and relevant contribution
Webinar formats by default every two weeks with actions and deliverables assigned to drafting members
Quarterly rotating plenary sessions
www.cspcert.eu
Goal & Milestones
Figure (three axes):
● Underlying Security Objectives / requirements / Implementation (Assurance Levels): from Incomplete to Very comprehensive
● Conformity Assessment Methodologies: from Low Independence, trust and/or expertise to High Independence, trust and/or expertise
● Continuity & Robustness of Reporting and Monitoring compliance: One time, Regular, Over a period of time, Continuous
Goal & Milestones
To explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act and come up with a recommendation that will be presented to the European Commission and ENISA
Figure labels: Milestone 1, Milestone 2, Milestone 3, Open Consultation
Timeline labels: Jan-Oct 2018, Oct-Dec 2018, Jan 2019, Jun 2019
Timeline
Data Economy Package (Sept 2017)
FFD & Cybersecurity Package (CSA Sept 2017)
Mobilization of relevant stakeholders
☁ Kick-off of two WGs (12th Dec 2017)
Preparatory phase (Governance & composition)
☁ Brussels plenary (17th April 2018)
Approval of governance and RoP & work on first deliverable (22nd June 2018)
☁ Paris plenary (4th & 5th of July 2018)
☁ Rome plenary (16th & 17th of October 2018)
○ Milestone 1 completed and we start milestone 2
☁ Vienna plenary (6th & 7th of December 2018)
○ Milestone 2 initiated
Open consultation (Jan 2019)
☁ Madrid plenary (26th & 27th Feb 2019)
○ Initiate draft of milestone 3
☁ Berlin plenary (2nd & 3rd of April 2019)
☁ Amsterdam plenary (12/13th June)
○ Milestone 3 ends
○ Proposal ends too
Political agreement on Free Flow of Data between Council and Parliament
Trialogues on Cybersecurity Act in progress
Timeline axis: Sept 2017, Jan 18, April 18, July 18, Oct 18, Dec 18, July 2019
Prof. William Ochs
Certification Enablement Manager
Cisco Global Certifications
USA
Cloud Computing Assurance Levels (CCAL)
CCAL Overview
● Scope of the Certification
● Refined Objectives for the European CSP Service Certification
● Assurance Levels
○ Role of Risk Management in Determination
○ Characteristics and Requirements for the Assurance Levels
● Ensuring EU-wide Recognition of Certificates through Consistency of Assurance Levels
CCAL Overview
● CSPCERT WG Defines 26 Recommendations for ENISA and the EU Commission Related to Certification Assurance Levels
● Recommendations are tied directly to the European Union Cybersecurity Act (EUCA)
● CCAL Focus Primarily on Article 51 and Article 52 of the EUCA
● Provides for Examples that could be utilized in the selection of a Certification Level of Assurance based on risk scenarios and risk assessments taken by an end-user for a Cloud Service
● Provides for CSP certification perimeters and the addition of new sectoral requirements or overlays to the certification
● Provides for Cybersecurity act’s assurance requirements and their correspondence to the different assurance levels
CCAL: Scope of the Certification
“In order to be certified, the cloud service must meet all the requirements of the certification scheme reference documents that are applicable to the service boundary (e.g. IaaS, PaaS, SaaS, XaaS) and the chosen level of assurance.” CSPCERT, Milestone 3.
CCAL: Refined Objectives for the European CSP Service Certification
“The assessment of the correct implementation of the controls that achieve the security objectives listed in the Milestone 1 document (see Annex 1) with a methodology from the ones listed in the Milestone 2 document should be a guide to ensure that all these objectives are fulfilled regarding a certain assurance level.” CSPCERT, Milestone 3.
CCAL: Refined Objectives for the European CSP Service Certification
● Focused on Article 51 of EUCA
● First 10 Recommendations Fall Under Article 51
● All CSPCERT Recommendations are numbered and come with a Justification statement.
CCAL: Assurance Levels and Risk Assessment Correlation
● Focused on Article 52 of EUCA
● Recommendations 11-21 Fall Under Article 52
● “Performing a proper risk analysis requires that both dimensions need to be considered and assessed. Based on the outcome of the risk assessment, a required level of assurance can be determined.” CSPCERT, Milestone 3.
CCAL: Assurance Levels
Defined Areas Impacted by Recognized Risks
Personal
Business
Societal
CCAL: Assurance Levels as Defined in EUCA Article 52
Basic
Substantial
High
CCAL: Assurance Levels
CSP Certification Perimeter & Addition of New Sectoral Requirements
CCAL: Ensuring EU-Wide Recognition
● Recommendations 22-26 Focus on Level of Trust, Fidelity, and Certificate Acceptance
● Introduce the Concepts of Audit Level of Detail relevant to Assurance Level
● Introduce Peer Review Mechanisms
● Introduce Governance’s Import (Addressed in Detail in SGOV)
● Recommends NCCA Endorses the Final Audit Reports and Issuance of Certificate
Tom Vreeburg
Independent IT Risk and Assurance professional
Advisor to the board of NOREA.
NOREA
Netherlands
Cyber Security Act Requirements (CSAR)
EU Cybersecurity Act (EUCA) provides cybersecurity certification framework (Section III, Art 46 a.o.)
CSPCert provides recommendations for ENISA to prepare a European Cybersecurity Certification Scheme for Cloud Service Providers
EUCA, Art 46: ‘European cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processes;
Requirements for a scheme in particular in EUCA art 54 and 55
CSAR Part
Elements of European cybersecurity certification schemes
22 elements provide minimum requirements
CSPCert added 20+ recommendations to provide guidance to ENISA how to detail these elements in the EU Cybersecurity Certification Scheme for Cloud Service Providers
EUCA Art 54
● Purpose of the scheme:
○ Provide stakeholders with statement on scope, reliability and security of cloud service
○ Enhance credibility/confidence/ trust of statement by CSP
● Scoping in a cloud environment
Scope
Information needed for issuance of the certificate
● Identification
● CSP’s Conformity statement
● CSP’s description of the service
● Control objectives, related controls and tests of controls
● Other information
Supplementary cybersecurity information (EUCA Art 55)
Consequences of non-compliance with requirements of the scheme
Information provided by Cloud Service Provider
Maximum period of validity, by required level of assurance:
● High: Continuous audit strategy or annual audit
● Substantial: Continuous audit strategy or annual audit
● Basic: Max validity 3 years with annual control check
Scheme Governance (SGOV)
Clemens Doubrava
Head of Section of Information Security in the cloud
BSI
Germany
Aurelien Leteinturier
Head of security products and services approval unit
ANSSI
France
● Common parts between all assurance levels
○ Committee and groups
○ Complaints management
○ Peer Review
○ Community management
● Specific governance recommendations
○ For each assurance level
○ Basic, Substantial and High
SGOV Part
Committee and groups (EU level)
Diagram: a Management Committee, a Conciliation Commission and three Joint Expert Groups, with relations labelled Set Up / Mandate, Report and Appoint.
Complaints Management
Peer reviews
Community management
Diagram: three groups, each labelled NCCA & Experts.
Assurance level Basic
Diagram: the actors are the National Cybersecurity Certification Authority (NCCA), the Monitoring Body and the CSP Service; the relations are labelled Approve & Supervise, Evaluate & monitor, Supervise evaluations, Issue Certificate and Community Management.
Assurance level Substantial
Assurance level High
Diagram: the actors are the National Cybersecurity Certification Authority (NCCA), the National Accreditation Body (NAB), the Conformity Assessment Body (CAB) and the CSP Service; the relations are labelled Accredit (twice), Approve, Evaluate, Supervise evaluations, Monitor certificates, Issue Certificate and Community Management.
Conclusion and recommendations
Leire Orue-Echevarria Arrieta
Project Manager Cloud technologies and security
Tecnalia
Spain
General recommendation
To include the development of an EU-wide cloud security certification scheme in the EU rolling work programme for European cybersecurity certification framework under the EUCA
To request ENISA to prepare a candidate scheme on the basis of the present proposal
CSPCERT does not recommend a completely new certification scheme but rather for a scheme based on existing practices/schemes/standards used by the industry and internationally recognized
Cloud Computing Assurance Levels (CCAL)
3 levels of assurance: Basic, Substantial and High, depending on the risk level associated
Clear guidance on how to perform this risk assessment and link the assurance level to the cloud service
A description of what the basic/substantial/high assurance level indicates
Examples of which level of assurance should be associated with which service
Assurance levels
Cloud Computing Assurance Levels (CCAL)
Defined a set of Security Objectives, with a taxonomy and a methodology to include new ones, when required
Evaluation criteria
Keep a similar taxonomy and update it when appropriate
Keep a similar methodology for the inclusion of new controls and update it accordingly
Cloud Computing Assurance Levels (CCAL)
Conformity Assessment Methodologies
3 conformity assessment methodologies (CAM)
● Evidence-based
● ISO-based
● ISAE-based
Diagram label: Third-party
To reduce the level of bias, assess third-party conformity assessment methodologies for safeguards to ensure a common level of trust
Clear guidance on the required procedures and criteria per assurance level
Evaluate the possibility of including continuous monitoring for High
CAMs must measure operational effectiveness in S and H, and not merely control existence
Frequency of renewal and what triggers it
Cybersecurity Act Requirements (CSAR)
Baseline certification requirements and security objectives that could be enhanced with further regulatory requirements coming from regulators, supervisors or the industry
CSPs shall retain the ability to provide services outside the scope for which they are being certified, but cannot, in this case, use this certification for the purpose of providing these services
Scheme Governance (SGOV)
Establish governance requirements as a part of the scheme, to implement and maintain the scheme
Involve relevant stakeholders (e.g. regulators, supervisors, industry) to avoid overlaps with other regulations and facilitate security, trust, privacy, transparency and free flow of data
Maintain a dedicated website with information on the scheme, and related data on certified CSPs and the validity