Skip main navigation
Home>The Association>UNE Information Room>News>The first UNE standard for cybersecurity evaluation of ICT products based on LINCE methodology has been published
LINCE cybersecurity of ICT products

The first UNE standard for cybersecurity evaluation of ICT products based on LINCE methodology has been published


The Spanish Association for Standardization (UNE), has published the standard UNE 320001 LINCE Cybersecurity Evaluation Methodology for ICT products, thereby making it the first Spanish standard for the evaluation of ICT product cybersecurity based on the LINCE methodology. UNE helps companies to achieve successful digital transformation through standards.

The UNE 320001 standard establishes the requirements and defines the reference framework in the field of the ICT product cybersecurity assessment. LINCE is the first and most recognised cybersecurity certification in Spain for medium and low security criticality, which demonstrates the maturity of the industry in Spain. It was developed three years ago by the CCN (National Cryptographic Centre) to be able to assess medium and low security ICT products at a price that is affordable by the developer. It has now become a UNE standard.

Having a certification according to the LINCE standard allows it, in addition to improving the cybersecurity of the product being assessed, to be carried out within a limited time and effort, which means that they are accessible to all types of developers. It also allows access to the CPSTIC Security Product catalogue, used as a Spanish reference point for cybersecurity for ICT products, recommended by the CCN. To obtain a certification under the LINCE methodology, an assessment of a laboratory accredited for this purpose is necessary.

Before LINCE existed, the cybersecurity certifications under which ICT products could be assessed were those developed internationally, for example, Common Criteria. These types of standards, aimed at high security levels, require an effort, time and cost that are unmanageable by many companies, especially SMEs. For this reason, LINCE has been created, a so-called "lightweight" methodology that allows the expansion of the concept of cybersecurity certification at national level.

This standard has been developed in the UNE Technical Committee for Standardisation CTN320, with the participation and consensus of all parties involved. Thanks to the creation of a working group that was responsible for drafting the different versions after the different comments that emerged, maintaining the common interest of the industry. 

For José Ruiz, editor of the standard and CTO of jtsec Beyond IT Security: "After checking its effectiveness on dozens of products, the next logical step was for the LINCE methodology to become part of a national standard. This is intended to achieve three fundamental objectives in Spanish industry: to raise awareness and support the use of cybersecurity certificates in ICT products at national level, to broaden the scope of the LINCE methodology and to be used in other fields and sectors and to give visibility to LINCE as a lightweight certification methodology at European level, represented by UNE in the European standardisation committee. "

Towards a European LINCE

LINCE is an idea that has arisen from other types of light certifications implemented in other European countries. The needs of the different governments throughout Europe have led to the creation of national cybersecurity certifications. This is the case of BSZ (Germany), CSPN (France), BSPA (Netherlands) and LINCE (Spain). All of these are agile and lightweight certifications, focused on vulnerability analysis and penetration tests and with limited effort and duration.

The development of all these methodologies and their certification correspond directly to each country. This is creating a small fragmentation in the market that requires a lightweight (or time-specific) scheme at European level to avoid having to certify products in each country.

In fact, in Europe a new standard is being created that seeks to mitigate market fragmentation: FITCEM (Fixed-Time Cybersecurity Evaluation Methodology for ICT products) developed by CEN/CENELEC JTC13 WG3, which is expected to be approved in the coming months. 

Having a product that has passed a European certification will mean competitive advantages in Europe without having to carry out the national certification in each country.

The approval of Standard UNE 32001 will promote the recognition of the LINCE methodology at European level and will allow national manufacturers to prepare for future European regulations.

Support for the Digital Transformation

UNE helps Spanish companies to achieve successful digital transformation, developing standards in areas such as cybersecurity, digital enabling technologies, talent or digital health, in support of Digital Spain 2025 Agenda.

Standards establish a common language and provide security and confidence in products and services, through robust and reliable frameworks. More information in the report Supporting Standardisation for Digital Transformation.