Data, Information and Cyber Security


In the areas of data, information and cyber security, the assessment of 2nd and 3rd parties is increasingly in demand. Therefore, schemes and testing methods are continuously developed in the field. This happens both internationally and nationally, managed by authorities, organizations and interested parties. ISO and ETSI have published documents on requirements for products/systems as well as requirements for the assessment of their implementation in this field.

DANAK offers accreditation to certification, inspection and testing in the field.

 

ISMS, information security

Certification of a management system, based on ISO standards within the 27000 series. The standards set the framework for the work of companies and certification bodies. The Danish Agency for Digitalisation has prepared guidelines for public authorities on the implementation of ISO/IEC 27001. The guidelines are available on the Agency's website. DANAK offers accreditation for certification of management systems according to ISO 17021-1 with the addition of information security ISO/IEC 27006. Read about accreditation for management systems on DANAK's website, where there is also an application form.

 

Medical devices (software), management system

Certification of a management system, covering medical devices, is based on ISO 13485. The term “Medical devices” includes software. DANAK offers accreditation for certification of management systems according to ISO 17021-1. Read about accreditation for management systems on DANAK's website, where there is also an application form.

 

GDPR, EU Regulation 2016/679

Handling of personal data. Stakeholders can develop certification schemes within the framework of the Regulation. The schemes must be based on the requirements for product certification ISO/IEC 17065 and the additional requirements set by the Danish Data Protection Agency. The schemes must be recognized by the Danish Data Protection Agency and assessed by DANAK, after which they must be published on the EU's list of schemes in the area. Only then can accreditation for certification to the scheme be granted. Read more in DANAK's AMC 31 and the Danish Data Protection Agency's guidelines in this area.

 

eIDAS, EU Regulation 910/2014

Requirements for electronic identification and trust services. The area covers: electronic signature, timestamps and authentication of web pages. Companies can be certified on the basis of the requirements for product certification ISO/IEC 17065 plus EU recognized technical standards in the individual areas. The EU requires the use of accredited certification for certain services and security levels. DANAK offers accreditation in the area. With an accreditation, the certification body can apply to the Danish Agency for Digitisation to be notified within the accredited area (included on the EU list).

 

Cyber Security, EU Regulation 2019/881

Common EU rules set requirements for information and communication technology (ICT). ICT can cover products, services and processes in the field, and either testing according to ISO/IEC 17025 or product certification according to ISO/IEC 17065 is required. The common rules are laid down in cybersecurity schemes, where each scheme is based on technical standards and the requirements of the regulation. The schemes aim to ensure that European cyber security certificates and EU declarations of conformity are issued and can be recognized in all EU countries. The EU Commission publishes a list of recognized schemes. Further information can be found on ENISA's website under the menu item "Cybersecurity Standards and Certification". DANAK offers accreditation to testing and product certification in the field.

 

Cyber Resilience Act (CRA), EU regulation (upcoming)

CRA is in progress and close to implementation. CRA sets requirements for hardware and software, particularly when part of critical infrastructure.

 

EU directives are updated to include cyber security

New requirements/clarifications are coming up, introduced in current directives e.g. the Machine Directive and the Radio Equipment Directive.

Radio Equipment Directive 2014/53/EU: As from 1 August 2025, specific notification is required for 3 requirements in the directive. Technical standards are on the way, and they may become harmonized standards. Other EU countries have already introduced notification (either via accreditation or by direct approval by authorities), depending on the chosen implementation in each country. DANAK, too, accepts applications in this field.

Machine Directive 2006/42/EF will be replaced by regulation EU 2023/1230. This regulation is obligatory as from 20 January 2027, when the Machine Directive is withdrawn. Cyber security must be taken into consideration for machinery covered by this regulation. However, depending on the type of product, other cyber security requirements may also apply e.g. the Radio Equipment Directive.

 

Cyber Security for Consumer Internet of Things, IOT

The scheme is based on ETSI documents. Here, product requirements are set, as well as requirements for their assessment. DANAK offers accreditation to inspection, based on this scheme.

 

Other schemes

There are a number of other schemes within this area that are not currently covered by accreditation. This applies, for example, to the Danish D-mark and the Danish Agency for Digitisation's NSIS requirements. Read more about these on the respective web pages.