EU must continue to guarantee highest hardware resistance levels to cyberattacks

Europe must continue to guarantee the highest hardware resistance levels to cyberattacks, says Stéfane Mouille.

By Stéfane Mouille

04 Jun 2018

Europe’s leadership in digital security was established thanks to the unique expertise and knowledge developed in the Senior Officials Group - Information Security Systems Mutual Recognition Agreement (SOG-IS MRA) certification scheme which has now been operational for more than 25 years. 

EU policymakers - as they debate the details of the so-called Cybersecurity package - are currently looking at how Europe can combat cybersecurity attacks. Europe is the undisputed worldwide leader in guaranteeing the highest resistance levels to potential attacks, thanks to the unique expertise and knowledge developed under the SOG-IS MRA certification scheme.

The scheme has a long and proud history and its principles are based on several key factors, such as the ability of security evaluation laboratories to perform ethical hacking and penetration testing while evaluating products, services or solutions.


Security evaluation laboratories also share a uniform level of evaluation, thanks to peer-reviews performed by EU member states’ national security agencies. Mutual certification recognition among all SOG-IS MRA members is also key.

Originally created by Eurosmart, the JHAS ethical hacking group is renowned for its expertise, intelligence and strong savoir faire. It is now the worldwide reference for blue chip companies such as Qualcomm, Visa, MasterCard, Samsung… and of course all the Eurosmart members.

We also have a successful track record in developing this unique European expertise. Prestigious organisations such as Nato, DHS, SWIFT, Visa, MasterCard, Microsoft, high-end smartphone manufacturers, Audi, Mercedes, Barclays, Airbus and Google all use Eurosmart technologies certified in Europe through the SOG-IS MRA certification scheme.

As President of Eurosmart, I want to reiterate the need to protect Europe through cybersecurity and to restate our five outcome-based principles. 

First, clear legal definitions of essential terms referring to IT and security ecosystems. 

Second, fair and open European governance during the preparation phase of candidate European certification schemes. 

Third, a well-defined European certification objective that is appropriate for each level of certification. Above all, EU co-legislators should ensure that the ‘substantial’ and ‘high’ levels require mandatory Ethical Hacking testing (Penetration testing) by Conformity Assessment bodies (CABs) during evaluation. 

Fourth, European standards must be the basis for the preparation of a new candidate European certification scheme. 

Last, the EU Agency for Network and Information Security’s, (ENISA) ‘Intellectual Property Rights (IPR policy) should be spelled out in the cybersecurity act.

We urge the European Parliament, Commission, and Council to introduce the SOG-IS MRA certification schemes into the initial text - as an appendix to the Cybersecurity act regulation - to avoid any risk of disruption in European excellence and to make ethical hacking mandatory during substantial and high-level evaluations.

Download the new Eurosmart policy paper, 'Cybersecurity Act: Ethical hacking does matter!'