CUSTODES: The Future of Cybersecurity Certification
Authors: Dr. Jasmin Cosic (DEKRA SE), Marga Martín Sánchez (DEKRA TC), Luis Sánchez Torralba (DEKRA TC)
Tackling Complexity Through Automation and Ontologies
In an increasingly interconnected world, the security of digital products and services is no longer an afterthought - it is a prerequisite. The evolving regulatory landscape in Europe, spearheaded by instruments such as the Cybersecurity Act (CSA), the Cyber Resilience Act (CRA), and the NIS2 Directive, signals a new era where robust cybersecurity certification becomes central for demonstrating trust, resilience, and accountability.
The Challenge of Certifying Composite ICT Systems
Certifying ICT systems, particularly composite systems that integrate interoperable hardware, software, AI modules, and IoT components, presents significant challenges. While traditional evaluation models, such as those defined in Common Criteria (ISO/IEC 15408), provide a robust foundation for assessing the security of IT products, these models struggle to scale and adapt to the intricacies of composite systems. Issues such as scalability, traceability, and system complexity become pronounced when multiple certified and non-certified components interact.
As digital infrastructures become more modular, adaptive, and data-driven, the current certification framework(s) must evolve. They need to address the challenges of component dependencies, secure interactions, and the reuse of prior certifications - all while supporting faster, more transparent, and automated assessments.
Certification in the Age of Composite Systems
Composite systems integrate various certified and/or non-certified components, which together form new functional solutions (systems). For example, a smart building solution may contain AI-enabled sensors, edge gateways, cloud services, and pre-certified hardware boards. Each component might have its own security evaluation record, but the system as a whole must still be assessed for possible emergent vulnerabilities and for secure integration.
The EU Cybersecurity Certification Scheme on Common Criteria (EUCC), launched in 2024, builds on and extends existing CC standards to enable consistent, cross-border certification of ICT products across the EU. However, to remain effective, the scheme must also support compositional certification, where prior evaluations can be reused under certain conditions, and where the interactions among components are subject to scrutiny.
The key challenge has shifted: it is no longer enough to verify the security of individual parts; the entire system must be shown to be secure, coherent, and resilient against emerging threats. This requires new methodologies and digital tooling.
The Role of Automation and Ontologies in the Certification Process
To address these challenges, scientists and researchers are exploring automated reasoning frameworks based on ontologies: formal, machine-readable models that represent a system's components, their properties, their requirements, and the relationships among them.
In the context of the CUSTODES project¹, an ontology-based certification framework was developed to model composite systems under Common Criteria. This approach enables:
- Component creation and mapping: Clearly identifying and documenting each system component, its certification level, and its role within the larger system.
- Security requirement modelling: Linking system components to relevant Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs).
- Automated compliance checks: Using Semantic Web Rule Language (SWRL) rules to infer whether system configurations meet certification conditions.
- Reusable evidence: Supporting the reuse of previously certified components by embedding their evaluation status into a structured knowledge base.
In practice, this ontology-driven framework was applied to a smart home use-case, allowing automated reasoning tools (e.g., Protégé, HermiT) to simulate certification decisions. The results demonstrated enhanced transparency, consistency, and scalability, while significantly reducing the manual burden on evaluators.
1: CUSTODES Project: “A Certification approach for dynamic, agile and reUSable assessmenT fOr composite systems of ICT proDucts, servicEs, and processeS”, (GA No. 101120684)
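The kind of inference the list above describes, as an added example in plain Python standing in for OWL/SWRL reasoning; it is not the CUSTODES ontology or its rules. The three rules are simplified assumptions rather than Common Criteria's composition rules, and the component names, assurance levels and SFR assignments are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    eal: int          # assurance level of a prior certificate, 0 = none
    sfrs: frozenset   # SFRs covered by that component's evaluation record

# Constructed smart-home model (names, EALs and SFR sets are illustrative).
SMART_HOME = [
    Component("ai_sensor", 0, frozenset({"FDP_ACC.1"})),
    Component("edge_gateway", 2, frozenset({"FIA_UAU.2", "FTP_ITC.1"})),
    Component("hw_board", 4, frozenset({"FCS_COP.1", "FPT_TST.1"})),
    Component("cloud_service", 2, frozenset({"FAU_GEN.1"})),
]
LINKS = [("ai_sensor", "edge_gateway"), ("edge_gateway", "hw_board"),
         ("edge_gateway", "cloud_service")]
REQUIRED_SFRS = {"FCS_COP.1", "FIA_UAU.2", "FTP_ITC.1", "FAU_GEN.1", "FDP_ACC.1"}

def evaluate(components, links, required_sfrs, min_eal):
    """Apply three simplified rules and return an explainable verdict."""
    names = {c.name for c in components}
    # Rule 1: a prior certificate is reusable only at or above the target level.
    reusable = {c.name for c in components if c.eal >= min_eal}
    # Rule 2: only evidence from reusable components counts towards the SFRs.
    covered = set().union(*(c.sfrs for c in components if c.name in reusable))
    missing = required_sfrs - covered
    # Rule 3: any interaction touching a non-reusable component needs review.
    to_review = [link for link in links if not set(link) <= reusable]
    return {
        "reusable": sorted(reusable),
        "needs_evaluation": sorted(names - reusable),
        "missing_sfrs": sorted(missing),
        "links_to_review": to_review,
        "compliant": not missing and names == reusable,
    }

if __name__ == "__main__":
    verdict = evaluate(SMART_HOME, LINKS, REQUIRED_SFRS, min_eal=2)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The uncertified sensor's access-control claim is not counted, so the verdict names both the component that still needs evaluation and the requirement left uncovered, which is the traceability an evaluator needs from an automated check.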
Toward a Unified Certification Ecosystem
With the Cyber Resilience Act (CRA) introducing mandatory security requirements for a wide range of digital products, and NIS2 expanding obligations for critical and important entities, the demand for cybersecurity certification will rapidly grow. Certification bodies, evaluators, and vendors must prepare for this shift by adopting modular, tool-supported, and knowledge-driven approaches.
Key trends shaping the future of certification include:
- Conformance-by-design: Designing systems and components with (possible) certification in mind from the outset.
- Hybrid assurance models: Combining static certification with dynamic, in-field monitoring to ensure ongoing compliance.
- AI system certification: Establishing criteria and evaluation strategies for AI-based systems, particularly around transparency and trustworthiness.
- Semantic interoperability: Standardizing the way evaluation results, component metadata, and security claims are expressed to facilitate reuse and cross-recognition.
“Initiatives like the CUSTODES project are laying the groundwork for such transformation. By bridging the gap between formal certification standards and real-world composite systems, and by demonstrating how automation can support evaluators and conformity assessment bodies, such projects directly contribute to the goals of the EU cybersecurity regulatory framework,” added Fernando Hardasmal Barrera, EVP DEKRA SD Digital Products.
“As part of the CUSTODES initiative, we ensure audit readiness for DEKRA cybersecurity certification, aligning with our strategic commitment to risk-based governance and regulatory compliance,” added Dražen Morog, CISO DEKRA Group.
Cybersecurity certification stands at a pivotal crossroads. While traditional methods remain rigorous, they are no longer sufficient for the scale, complexity, and agility demanded by today’s digital ecosystems. As regulations tighten and systems become more interconnected, automation, reuse, and formal knowledge representation will become essential pillars of modern certification.
Whether for smart homes, critical infrastructure, or AI-powered services, the future of cybersecurity assurance will depend on the ability to certify systems holistically, evaluate interactions between components, and rely on tools that make certification more explainable, consistent, and efficient.
“Ontologies and rule-based frameworks are not just academic exercises—they are becoming strategic tools for ensuring secure digital transformation across Europe,” added Dr. Jasmin Cosic, Cyber R&D and Standardization Lead, DEKRA SE.
“As digital systems become more complex and dynamic, our approach to cybersecurity assurance must evolve. Automation and intelligent knowledge frameworks are now essential for building trust,” added Marga Martín Sánchez, R&D&I Lead, DEKRA TC.