New EN 17640 ‘Fixed-time cybersecurity evaluation methodology for ICT products’ helps evaluate the cybersecurity of ICT products

On 21 October 2022, CEN and CENELEC published a new standard on cybersecurity: EN 17640 ‘Fixed-time cybersecurity evaluation methodology for ICT products’ (FiT CEM).

The new standard describes how the cybersecurity of ICT products can be examined in a pre-defined time, which means within a time frame set out at the beginning of the examination. This evaluation is usually part of certification procedures for ICT products.


EN 17640 is the first standard that implements by design the requirements of the European Cybersecurity Act (CSA), which establishes the rules for future cybersecurity certification schemes in Europe. For this reason, it provides future CSA schemes with the necessary building blocks to conduct evaluations at the three assurance levels "basic", "substantial" and "high", together with further legal requirements. At the same time, the standard can be adapted to the requirements of specific markets requiring cybersecurity certification or, more generally, security evaluation.


EN 17640 is compatible with already existing certification schemes at the national level that implement fixed-time cybersecurity certifications: among them, the French CSPN, the Spanish Lince, the German BSZ and the Dutch BSPA. Experts from these schemes provided their input during the development work within CEN-CLC/JTC 13/WG 3 ‘Security evaluation and assessment’. Consequently, the resulting “evaluation methodology” benefits from over a decade of experience.


Now, thanks to this new standard, product developers and users of certified products will be able to inform themselves on how to perform cybersecurity product evaluations. At the same time, parties involved in developing cybersecurity certification schemes in Europe according to the CSA benefit from a flexible as well as proven toolbox to develop their schemes.


EN 17640 was developed by CEN-CLC/JTC 13 ‘Cybersecurity and Data Protection’, whose Secretariat is held by DIN.


If you want to learn more about European cybersecurity certification, please visit the ENISA website on this topic.



