Certification services

The European Union Cybersecurity Certification (EUCC) is a framework designed to enhance the security of digital products, services, and processes within the EU. It aims to establish a unified approach to cybersecurity certification, ensuring that certified products meet high security standards. Certification is possible at two assurance levels: Substantial and High.

EUCC is based on the international Common Criteria standard (ISO/IEC 15408). The EUCC provides a harmonised framework within the EU for assessing and certifying the security properties of IT products. An EUCC certificate is recognised throughout the EU, eliminating the need for certification per individual member state.

The Security Evaluation Standard for IoT Platforms (SESIP), published by GlobalPlatform and CEN CENELEC, provides an optimised version of the Common Criteria methodology applied to certification of IoT platforms and their components. Developers can trust that SESIP certified platforms and components will deliver the correct levels of security, enabling them to focus on their primary goal of delivering robust and secure products by design.

SESIP offers a scalable solution to reduce security fragmentation in IoT devices by allowing a single evaluation to provide evidence for multiple certification requirements. This simplifies the process and eliminates the need for multiple security evaluations. SESIP certification aligns with global standards such as IEC 62443-4-2, ISO 21434 and the Cyber Resilience Act.

Spain’s digital infrastructure is protected by a robust regulatory framework designed to safeguard information systems in the public sector, as well as private entities working alongside government bodies. At the heart of this landscape is the National Cryptologic Center (CCN), established by Royal Decree 421/2004 and operating under the National Centre of Intelligence (CNI).

The Spanish National Security Scheme (Esquema Nacional de Seguridad, or ENS) provides a framework of security requirements to safeguard information within electronic administration. Its goal is to ensure the protection of personal and confidential data exchanged through online channels, thereby strengthening trust in digital public services. Compliance with ENS standards demonstrates that your information systems are secure, reliable and meet both industry and governmental requirements.

The ENS divides system requirements into three security categories - High, Medium, and Basic - ensuring tailored security for each use case. The Basic category can be achieved by a self-declaration. The Medium and High categories require certification from an accredited Certification Body (CB).

To streamline compliance, the CPSTIC Product Catalogue - managed by the CCN - serves as an authoritative listing of security products and services for information and communication technology (ICT) systems under the ENS. It helps public and private entities find security products and services for information and communication technology (ICT) systems under the ENS.

As an ENAC-accredited Certification Body (see English or Spanish), Brightsight CB manages the entire certification lifecycle, including initial auditing, technical review, and certificate issuance.

ENS certification is valid for up to two years, and per Article 38 of the ENS, all systems must undergo a comprehensive audit at least biennially to remain compliant. Our certification process rigorously assesses your information systems against the principles and requirements set out in Annex II of Royal Decree 311/2022.

The ENS certificates are published on the National Cryptographic Center (CCN) website.