All Posts By

tcab

Introduction to the concept of Conformity Assessment Body

A Conformity Assessment Body (CAB) is a company responsible for carrying out audits or conformity assessments for Trust Service Providers (TSPs).

Every Conformity Assessment Body must carry out audits in accordance with the regulations applicable in the sector. In the case of Trust Conformity Assessment Body (TCAB), we conduct our audits in accordance with the eIDAS Regulation and other relevant standards in the IT security sector such as ETSI, ENISA, CA/B Forum and Spanish local regulations such as SEPBLAC, among others.

The audit process is carried out in the following three phases:

  1. Planning and programming:

Audits follow an Audit Plan, which is carried out by the audit team each year. The Plan establishes the audit data (date, duration, scope, points to be audited, audited area, contact persons) and the checklists (date, time, points of the standards to be audited, audited area, contact persons, auditors).

To prepare it, the reports of other audits already carried out will be collected. Once this is done, the Technical Committee will review and approve the audit plan.

  2. Execution:

To initiate the audit, an initial meeting will be held with the client to confirm the scope of the audit, the data collected in the Audit Plan, establish a sequence of the audit and analyze the points that both parties consider necessary. After this step, the audit will begin following the Audit Plan as a work guide. There are two steps at this point:

Documentary review: we will verify the conformity of the system (documents, records) through compliance with the points of the standards / laws of reference.

On-site inspection: we will verify compliance with the established controls. The objective evidence will be inspected on a sampling basis to prove the correct functioning of the technical and organizational processes related to the scope of the audit.

  3. Audit report:

Once the audit is completed, the audit team will write a results report, clearly and definitively identifying the detected non-conformities. In addition, there will be a final meeting in which the audit team will present the report to the client, so that the client can review and sign it. In those cases where significant non-conformities are present, a new date will be scheduled for the next audit to verify the elimination of these non-conformities.

It is mandatory to send the CAR (Conformity Assessment Report) to the Supervisory Body within 3 days after it is received, so that the Supervisory Body may decide whether qualified status is granted and, consequently, whether the provider can be included in the EU Trusted Lists.

In general, CABs carry authority, since they are usually accredited by the National Certification Entities (in the case of Spain, ENAC) in order to be able to provide their services.

Click here to access the list of Conformity Assessment Bodies accredited against the requirements of eIDAS Regulation.

Conference: EU Cybersecurity Certification Framework for Products and Services

The conference on the preparations for the new “EU Cybersecurity Certification Framework for products and services”, jointly organized by the European Commission and ENISA, will take place on March 1, 2018 in Brussels.

This new Cybersecurity Certification Framework is one of the key elements of the proposed Cybersecurity Act.

If you wish to register to attend the event, click here.

Event data

Date: March 1, 2018

Place: Crowne Plaza Brussels – Le Palace, Belgium

Digital Day 2018 will take place in Brussels

Digital Day 2018 will take place in Brussels on 10th April 2018. This one-day event will bring together high-level stakeholders in the fields of digital technology and telecommunication. The event is co-organised by the European Commission and the Bulgarian Presidency of the Council of the European Union.

Digital Day 2018 will aim to reach joint commitments related to the digital future of Europe in order to encourage investment in European digital technologies and infrastructures. A digitally strong EU will contribute to a competitive and socially secure society, better public services and security.

To achieve these goals, Digital Day 2018 will present sessions on the following priorities:

  • EU Artificial Intelligence Initiative
  • 5G connectivity and corridors for connected automated mobility
  • Public blockchain infrastructure

The event will also follow up on the agreements reached during Digital Day 2017 in Rome. Last year’s event concluded agreements and actions related to High-Performance Computing (HPC), digital transformation of jobs and skills, digitisation of industry, and connected automated mobility.

Source: https://ec.europa.eu/digital-single-market/en/events/digital-day-2018

The European Commission promotes the Digital Single Market

The European Commission published an article on the state-of-the-art of the Digital Single Market reproduced below:

The Digital Single Market is a strategy of the European Commission to ensure access to online activities for individuals and businesses under conditions of fair competition, consumer and data protection, removing geo-blocking and copyright issues.

A Digital Single Market (DSM) is one in which the free movement of persons, services and capital is ensured and where the individuals and businesses can seamlessly access and exercise online activities under conditions of fair competition, and a high level of consumer and personal data protection, irrespective of their nationality or place of residence.

On 10 May 2017, the Commission published a mid-term review of the Digital Single Market Strategy. It evaluates and presents the progress in implementing the Strategy since 2015 and where further actions are needed.

The European Commission has identified the completion of the Digital Single Market (DSM) as one of its 10 political priorities. Vice-President Andrus Ansip leads the project team “A Connected Digital Single Market”.

Ongoing Digital Single Market Public consultations help to define the objectives for the implementation.

The Digital Single Market strategy

The Digital Single Market strategy was adopted on 6 May 2015. It includes 16 specific initiatives which have been delivered by the Commission till January 2017. Legislative proposals are now discussed by the co-legislators, the European Parliament and the Council.

A Digital Single Market creates opportunities for new startups and allow existing companies in a market of over 500 million people. Completing a Digital Single Market can contribute EUR 415 billion per year to Europe’s economy, create jobs and transform our public services.

Also, it offers opportunities for citizens, provided they are equipped with the right digital skills. Enhanced use of digital technologies improves citizens’ access to information and culture and improves their job opportunities. It can promote modern open government.

The Pillars

The Digital Single Market Strategy is built on three pillars:

  1. Access: better access for consumers and businesses to digital goods and services across Europe;
  2. Environment: creating the right conditions and a level playing field for digital networks and innovative services to flourish;
  3. Economy & Society: maximising the growth potential of the digital economy.

Digital Single Market’s achievements

The Digital Single Market mid-term review factsheet shows the main achievements of the Digital Single Market strategy implementation.

Download the full pdf version of the factsheet in English, French, German.

See the Commission priority on the Digital Single Market.

The mid-term review of the Digital Single Market Strategy

The Digital Single Market strategy has delivered the main legislative proposals set as priority, specifically in the topics of e-commerce, copyright, audiovisual and media services, telecoms review, ePrivacy, harmonisation of digital rights, affordable parcel delivery, harmonised VAT rules.

In order to ensure a fair, open and secure digital environment, the Commission has identified three main emerging challenges:

  1. to ensure that online platforms can continue to bring benefit to our economy and society,
  2. to develop the European Data Economy to its full potential, and
  3. to protect Europe’s assets by tackling cybersecurity challenges.

In addition, the review explores a number of important policy areas critical for unlocking the true value of the data economy:

The mid-term review focuses also on the investments needed in digital infrastructures and services, not forgetting the global dimension of the European Digital Single Market.

Source: https://ec.europa.eu/digital-single-market/en/policies/shaping-digital-single-market

International Security Forum 2018 (FIC) to be held in Lille shortly

The tenth edition of the International Security Forum 2018 (FIC) will be held on 23 and 24 January 2018 in Lille (France).

This event is considered the leading event on Cybersecurity and Digital Trust in Europe. It aims at promoting a collective European vision of cybersecurity and strengthening the fight against cybercrime.

This year’s topic is “Hyperconnection: the resilience challenge”. We are immersed in a “hyperconnection” era like never before: people are connected at all times and interact continuously.

In order to communicate, we use networks, which pose resilience challenges. Networks are vulnerable and, therefore, they respond in different ways to the consequences of an attack. Most Governments and IT companies in the world are trying to respond to these threats by developing new security technologies and adapting their behaviors and practices. This set of changes and new practices is now called “Cyber Resilience”.

The International Security Forum 2018 (FIC) will be attended by important public figures such as the French Interior and Defense Ministers, the Secretary of State for Digital Economy and the European Commissioner for the Security Union.

There will also be numerous speakers with different backgrounds, i.e. engineering and IT companies (Thales, Airbus, Google, among others), Universities (University of Grenoble Alps), Public Sector (Ministry of the Armed Forces of France, European Commission, European Parliament, etc.) and International Think Tanks (Carnegie Endowment for International Peace).

The fair is divided into the following sections:

  • A Trade show to bring together members of the industry and their products and services.
  • A Forum to discuss and debate with experts, to gather ideas and to share professional lessons.
  • An Observatory to continue exchanging views and information after the FIC, to explore topics in greater depth and to consolidate our network of experts and like-minded people throughout the year.

The event will be held at the Lille Grand Palais and the opening hours will be:

  • Tuesday, January 23rd 2018 – 09:00 to 19:00.
  • Wednesday, January 24th – 09:00 to 18:00.

 

Video Onboarding is fully operative in the Banking Sector in Spain

On January 4th 2018, the Spanish newspaper El Mundo published in its “Innovadores” section an interesting article about the recent adoption of the customer Video Onboarding system in the banking sector in Spain.

The remote (non-face-to-face) videoconference identification system was authorized by the SEPBLAC (Executive Service of the Commission for the Prevention of Money Laundering and Monetary Infractions) in May 2017.

This marked a turning point in the banking sector in Spain, since previously the operation had to be confirmed with a telephone call or with the signature of different documentation, which caused approximately 40% of clients not to finish the registration process.

Spain has been slow in adopting a remote identification system that has already been working for some time in other European countries (such as Italy or France) and whose technology is already fully developed.

Mostly, financial entities have made the effort to obtain the approval of a regulation that would permit them to adopt video-identification, since it is a highly regulated sector that does not allow the adoption of new procedures without previous approval.

The future of the banking sector with video Onboarding

Certainly, the approval of SEPBLAC Regulation has meant a real revolution in the Spanish banking sector.

From now on, financial institutions will go through a period of adaptation to the new technology, which will mainly benefit their customers. Customers will no longer have to complete the opening of their bank accounts by telephone or by sending the required documents to the bank by post.

The technology used in the remote identification process is divided into two procedures. On the one hand, banks have a facial recognition platform to compare the customer's face with the ID held in front of the camera. On the other hand, they must also have an OCR tool that reads all the data on the same ID.

 

Video Onboarding process

José Antonio Mañas receives the Prize for a Professional Career

José Antonio Mañas, a member of TCAB Certification Committee, has received the Award for a Professional Career. The Vice-President of the Government, Soraya Sáenz de Santamaría, awarded this prize during the XI CCN-Cert Conference.

Our colleague has been a Systems Engineering Professor at the Technical School of Telecommunications Engineers of Madrid (ETSIT) for over 35 years.

He has also worked as a consultant in different projects. Two fundamental milestones are the creation of version 2 of the Magerit methodology for Risk Analysis and Management of Information Systems and the development of the PILAR/EAR risk management tools in collaboration with the National Cryptological Center (CCN).

José Antonio also has broad professional experience in the research field. He has written several books on the Telecommunications and Cybersecurity fields. Among others, he has written “Vademecum Java” and “Seguridad de las Tecnologías de la Información”.

 

 

About the XI STIC CCN-Cert Conference

The XI STIC CCN-Cert Conference took place in Madrid on December 13th and 14th, 2017. It is organized by the National Cryptological Center and is a major meeting point for experts in cybersecurity in the country, Public Administrations and strategic companies in the field.

Its main topic in this edition was “Cyber threats, the challenge of sharing”. The main figures have grown steadily in recent years. In this edition there were over 1,700 attendees and more than 700 companies from various fields. 55 professionals from the cybersecurity field presented their products and ideas, selected from among 150 proposals.

The Conference also had 30 sponsors, including IBM, Minsait-Indra, Eulen Security, Nextway, Kaspersky, Telefónica and Isdefe, and 13 collaborating entities, such as AMETIC, the Center for Industrial Cybersecurity (CCI), ISACA and ISMS Forum Spain.

First private sector eID scheme pre-notified by Italy under eIDAS

On December 7th 2017, Italy took an important step by pre-notifying SPID (Sistema Pubblico per la gestione dell’Identità Digitale), its private sector led electronic identification (eID) scheme, to the European Commission. The pre-notification of SPID covers 8 eID service providers, including 3 providers that issue eID means up to level of assurance “high”.

This is a noteworthy event in a process that will enable Italian citizens and businesses to use their SPID credentials to access public services in other Member States.

Italy is the second Member State to pre-notify its national eID scheme, following Germany’s notification which was completed last September.

This notification is significant, because it is the first national eID scheme to be notified under the eIDAS regulation that is led by the private sector.

Next steps

Following the Italian pre-notification, the other Member States participating in the Cooperation Network will be able to peer-review SPID, if they so wish, and the actual notification of the eID scheme will then follow. After publication of the notification by the European Commission, other Member States have to recognise SPID eIDs at the latest 12 months after the publication.

eIDAS

The eIDAS regulation aims to provide a predictable regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities across the EU. The regulation ensures that people and businesses can use their own eID to access public services in other EU countries where eIDs are available.

Please, click here to access the source.

EU improves the cross-border availability of e-Government services

The latest eGovernment benchmark 2017 report shows a significant improvement in the cross-border availability of e-Government services and the accessibility of public websites from mobile devices in the EU Member States. This study also indicates a need for improvement in the transparency of the provision of public services and the use of support technology such as eID or eDocuments.

The countries that obtained the highest scores in the availability of e-Government services were Malta, Denmark, Sweden, Estonia and Norway. These countries lead the way towards the creation of a Digital Single Market.

 

Country performance: How do individual countries perform

Performance is measured as an average of scores for four top-level benchmarks:

  • User centricity (how fast and easy to use public information and services online),
  • Transparency (of government authorities’ operations, service delivery procedures and the level of control users have over their personal data),
  • Cross-border mobility (the extent to which people can use public services outside their country),
  • Key enablers (the availability of eID, eDocuments and Authentic Sources, etc).

Europe appears to be getting closer to the 100%-landmark with regard to user-centricity.  However, it scores less well on the other three benchmarks, especially in terms of exploiting the potential of Key Enablers  for public services.

User Centricity

This is the most advanced dimension of online public services in Europe in 2016, emphasising the focus of governments to bring more public information and services online. Europe records a 12 p.p. increase in online availability of services.  The gap between worst and best performing countries is also closing.

Transparency of government organizations

The transparency of government organizations’ service processes and citizens’ control of personal data averages at 59% for the EU in 2016. The study shows that the transparency of service delivery processes (e.g. informing users on how long the process will take, response times, etc.) is insufficient for 1 in 2 people.

Cross-border service delivery

This dimension is essential for the Digital Single Market and records solid improvements over the years (+25% since 2012). Information and even services are becoming increasingly available to EU citizens when starting up a business or studying in another country.

Key technological enablers

The study reveals that the deployment of key technological enablers  (i.e. eID, eDocuments and Authentic Sources) has the most room for improvement (at 52%; EU28+). The authentic sources indicator which facilitates pre-filling of online forms, progressed slower than other indicators, with only a 3% growth since 2012.

Click here to access the source.

Degree of eIDAS implementation within the European Union

Regulation (EU) No. 910/2014 of the European Parliament and of the Council of July 23, 2014, on electronic identification and trust services in electronic transactions in the internal market (eIDAS), which entered into force on the 1st of July 2016, has experienced an uneven implementation in the different countries of the European Union.

We analyze below the degree of implementation of the eIDAS Regulation in the main countries of the EU:

 

  • France:

There is no national law yet, but there are different procedures and requirements based on ETSI regulations.

Supervisory Body: ANSSI (Agence nationale de la sécurité des systèmes d’information).

Link: www.ssi.gouv.fr

 

  • Germany:

There is no national law yet either, but there are different procedures and requirements based on ETSI regulations.

Supervisory Body: BSI (Federal Office for Information Security).

Link: www.bsi.bund.de

 

  • Belgium:

The current national law is applied, without connection with the ETSI or CEN regulations.

The Conformity Assessment Bodies are accredited according to ISO / IEC 17065 + ETSI EN 319 403.

Supervisory Body: Service Publique fédéral Economie, PME, Moyennes Classes and Energie.

Link: economie.fgov.be/fr

 

  • Spain:

Current National Law 39/2015 applies. There are no specific procedures for Trust Service Providers.

Supervisory Body: Ministry of Energy, Tourism and Digital Agenda (MINETUR).

Link: https://sede.minetur.gob.es/

 

  • Italy:

There is no national law yet, but this country has a national accreditation system, based on EN 319 403, administered by ACCREDIA (2 CAB accredited – VERITAS and CSQA).

Supervisory Body: Agenzia per l’Italia Digitale.

Link: www.agid.gov.it/

 

  • Netherlands:

There is no national law yet, but they have national procedures for notifications of non-compliance and accreditation of the CAB.

Supervisory Body: Authority for Consumers and Markets and Agentschap Telecom.

Links: https://www.acm.nl/en and https://www.agentschaptelecom.nl/

 

  • United Kingdom:

The national law for the eIDAS application defines the applicable procedures for each type of trust service in the UK.

Supervisory body: The Information Commissioner.

Link: https://ico.org.uk/

 

Please, click here to view the full chart.