Cybersecurity Act Compliance


In this article, you can find how Servitly is compliant with the requirements of the certification schemes defined by the Cybersecurity Act (Regulation (EU) 2019/881).

  • EUCC: European Cybersecurity Certification Scheme on Common Criteria [already adopted].

  • EUCS: European Cybersecurity Certification Scheme for Cloud Services [adoption pending].

  • EUIoT: European Cybersecurity Certification Scheme for ICT Products with Digital Elements – IoT [draft].

Below you will find all the requirements of the Cybersecurity Act, and for each of them, where the arrow “→” is present, you can see how Servitly complies.

Some points are also included in the ISO 27001 standard, so you will find the related points that address the specific requirement. For more details, you can refer to the ISO 27001 Compliance article.

EUCC

The EUCC (European Cybersecurity Certification Scheme on Common Criteria) is the first scheme adopted under the Cybersecurity Act on February 27, 2025.
ICT products, such as hardware, software, and components, fall within the scope of this scheme.
It is based on the internationally recognized Common Criteria (ISO/IEC 15408) framework, and certification under the scheme is voluntary.

Security by Design

We follow a well-defined set of processes addressing any security aspect during the design and development phases.
For more details about what we do, you can see the article Security Framework.

Independent Evaluation

Servitly is subject to periodic checks and assessments by independent entities with regard to privacy (GDPR), and platform security (VA/PT).

Mandatory Documentation

The Console and the DPS are fully documented, and all security countermeasures and settings are described in the article Security Framework.

Testing and Assurance

  • Automatic tests are performed periodically and with each release, including test cases for specific security issues.

  • We periodically perform a vulnerability assessment (VA) and penetration test (PT) on the deployed platform.

  • We periodically check the CVE (Common Vulnerabilities and Exposures) and security guidance from the vendors of the third-party software/libraries included.

For more details, you can see the Secure Development Practices described in the article Security Framework.

Vulnerability and Patch Management

  • A structured process to identify, disclose, and remediate vulnerabilities is fully put in place.
    For more details, see the Secure Development Practices.

  • A risk assessment is performed on each security issue discovered; once a priority is assigned, the issue is fixed according to the SLA (Service Level Agreement).

Audit & Certification

  • Auditability → ISO 27001 (9.2).

  • At this stage, there is no automatic obligation to obtain EUCC certification for any product category.

EUCS

The EUCS (European Cybersecurity Certification Scheme for Cloud Services) has not yet been adopted.
Nevertheless, cloud service providers and organizations should monitor its progress and take steps to prepare for possible future compliance obligations.

Governance & Organization

  • Clear security policies and ISMS → ISO 27001 (4–10, A.5).

  • Defined roles and responsibilities → ISO 27001 (A.5.1, A.5.2).

  • Risk management process → ISO 27001 (6.1, A.5.7, A.5.25).

Identity & Access Management

Data Protection

Resilience & Continuity

Vulnerability & Patch Management

  • Vulnerability scanning, pen testing → Secure Development Practices.

  • Patch management → ISO 27001 (A.8.8).

  • Vulnerability disclosure policy → As stated in the Servitly - Security Plan, discovered vulnerabilities are notified to customers and partners according to the severity and impact of the issue.

Incident Management

Supply Chain Security

  • Security requirements for suppliers → ISO 27001 (A.5.19, A.5.20, A.5.21).

  • Assessment/monitoring of suppliers → ISO 27001 (A.5.22).

  • Contracts with clear security obligations → ISO 27001 (A.5.19).

Transparency & Documentation

  • Security documentation available → ISO 27001 (A.5.1, A.5.14).

  • SLAs including security/availability → ISO 27001 (A.5.19).

  • Declaration of conformity/auditability → ISO 27001 (9.2).

Audit & Supervision

  • Certification by CAB → not yet required.

  • Periodic reassessments/surveillance → ISO 27001 (10, A.5.35).

  • Maintain compliance lifecycle → ISO 27001 (10, A.5.25).

EUIoT

The EUIoT (European Cybersecurity Certification Scheme for ICT Products with Digital Elements – IoT) is the upcoming EU scheme for IoT (Internet of Things) devices.
While the EUIoT scheme is still in development, Servitly can be considered compliant with it on the basis of the draft template published by ENISA, which outlines the proposed structure and requirements for IoT device certification.

Even though the device firmware is the responsibility of the manufacturer, below you will find the main key points outlined in the draft template and how they are managed from the cloud perspective.

Security Profiles

  • Security functionalities (e.g. secure boot, encrypted communications) that are required for a class of IoT devices (e.g. smart thermostat, sensor) → Firmware security is the responsibility of the manufacturer. With regard to the cloud, you can refer to ISO 27001 (A.8).

  • Profiles are tailored to device context, risk sensitivity, and deployment environment, helping to scale security expectations appropriately → Firmware security is the responsibility of the manufacturer. With regard to the cloud, you can refer to ISO 27001 (A.8).

Risk-Based Approach

  • Reviewing that no known public vulnerabilities exist → Secure Development Practices.

  • Performing relevant tests to confirm that a device implements the required security features → Secure Development Practices.

  • Balancing evaluation depth with device constraints (e.g., limited processing power, cost sensitivity) → Up to the manufacturer.

Assurance Levels

  • Basic: Suitable for low-risk, consumer-type devices.

  • Substantial: For devices handling more sensitive data or risk (e.g. privacy concerns).

  • High: Reserved for safety-critical or security-critical IoT systems.