FITCEM (EN 17640), the first cybersecurity methodology created to meet the European Cybersecurity Act (CSA).


- Jan
Posted by: José Ruiz

Europe has led the legislative field in cybersecurity for several years, and one of the main reasons for this position was the creation of the EU Cybersecurity Act (CSA). One of the main goals of the CSA is to provide a European cybersecurity certification framework for ICT products, services and processes, so that companies that want to market their solutions in Europe can certify their products just once and have that certification recognized across the European Union. The CSA is an ambitious project, but it suffered from a lack of evaluation methodologies, a challenge that is being addressed through the efforts of the different stakeholders: ENISA, CEN/CENELEC, ETSI, ITSEFs, CABs, vendors, etc.

Why FITCEM was developed and what it is based on

Some European countries have developed their own fixed-time cybersecurity assessment methodologies, all on a similar basis. Fixed-time certifications arose to address the duration and cost of existing certifications, such as Common Criteria, which are not suitable for low-assurance products.

Countries like France (CSPN), Germany (BSZ), the Netherlands (BSPA) and Spain (LINCE) have developed their own national schemes; you can check the comparison of these methodologies prepared by jtsec, “Analysis and comparison of lightweight evaluation methodologies”.

The main problem was that a vendor wanting to sell its products in, for example, France and Spain had to pass two different certifications (CSPN and LINCE in this case), quite similar to each other, which meant a significant increase in cost and time for the vendor.

FITCEM, an open door to a promising future in cybersecurity in Europe

FITCEM is the first brick in a more united Europe in terms of horizontal cybersecurity schemes. FITCEM (EN 17640) opens the door for CSA schemes to use a European horizontal methodology that is flexible and can be customized to meet the needs of the different schemes.

Moreover, FITCEM could potentially replace national methodologies, such as those referenced above.

Vendors are the main commercial beneficiaries of such initiatives developed at European level, as the entry of their products throughout Europe could be much quicker and more efficient.

Other European schemes such as EUCC (Common Criteria based European candidate cybersecurity certification) are about to be published, reinforcing the idea of strengthening horizontal and cross-sectoral schemes across Europe.

Our contribution to the development of FITCEM

José Ruiz, CTO at jtsec Beyond IT Security, has been co-editor of the EN 17640 ‘Fixed-time cybersecurity evaluation methodology for ICT products’ (FITCEM).

This standard has been developed within CEN-CLC/JTC 13 ‘Cybersecurity and Data Protection’ WG3. This group is the CEN and CENELEC horizontal technical committee that addresses relevant international standards (especially from ISO/IEC JTC 1 SC 27) as European Standards (ENs) in the Information Technology (IT) domain.

If you are thinking of evaluating your ICT product under the FITCEM or any other scheme, do not hesitate to contact us so we can help you. We can assist you in getting your product certified in the shortest possible time, smoothing the process thanks to our technical expertise.

José Ruiz/CTO

Jose is an expert consultant on the Common Criteria standard with more than 10 years of experience. Jose has a wide background in other security assurance standards in the field of information technology, such as Common Criteria, FIPS 140-2, FIPS 140-3, GP TEE, PCI-PTS and LINCE. Jose has served as an evaluator, Technical Leader and CC Consultant for Epoche&Espri and as CC lab manager and Cyber Security Service Manager for Applus+. His experience has led him to participate as a speaker in various editions of the ICCC (International Common Criteria Conference) and ICMC (International Cryptographic Module Conference). He has been the “Chairman” of a subgroup within the ISCI WG1 Eurosmart Initiative to develop the CC Methodology. He is also a member of different working groups, such as ISO SC27 and Global Platform TEE, and an active member of the ERNCIP group “IACS Cybersecurity certification“.

In 2017 he founded with Javier what is now known as jtsec. He is currently in charge of promoting the commercial expansion of the company from its headquarters in Madrid as CTO. In addition, he represents jtsec in various national and international forums and is responsible for quality.
