This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 952633
MEDINA: Security framework to achieve a continuous audit-based certification in compliance with the EU-wide cloud security certification scheme
Leire Orue-Echevarria, PhD, PMP (TECNALIA)
MEDINA At a Glance
1st November 2020 – 30th October 2023
EU Budget 4,480,308.75€
30/09/2021
MEDINA General Presentation
Context
Low adoption of cloud services in Europe
Why? According to Eurostat (2018)
Risk of a security breach
Legal jurisdiction
Data storage localization
Insufficient skills
Lack of interoperability
Context
Can certification be a solution? There are many certification schemes…
Compliance with Member States’ initiatives by the Top 50 CSPs (XaaS) – Source: SMART 2016/0029. Data from 2018
Accredited certifications by the Top 50 CSPs (XaaS) – Source: SMART 2016/0029. Data from 2018
Context
And with different coverage in the controls, as well as different assessment methods
% in each scheme (source: SMART 2016/0029)
Context
Several regulations and initiatives have been launched by the European Commission to promote the adoption of cloud computing and avoid fragmentation in certification approaches
2012: European Cloud Strategy
Sept. 2017: Data economy package (09.2017); FFD & Cybersecurity package (09.2017)
Dec. 2017: Creation of two WGs (SWIPO and CSPCERT)
June 2018: 22.06.2018 Political agreement on FFD between Council and Parliament
Oct. 2018: Trialogues on the Cybersecurity Act
March 2019: 12.03.2019 Cybersecurity Act is adopted
June 2019: Cybersecurity Act is published; CSPCERT delivers the recommendations to ENISA and EC
Nov. 2019: European Commission sends letter to ENISA to start working on the scheme for cloud services
March 2020: ENISA AHWG for cloud services is launched
Beginning 2021: EU CSCS will be published and enter into force
ECCG and SCCG dialogues
Feb. 2019: EU Data strategy is published
MEDINA Project Objective
Provide a holistic framework that enhances cloud customers’ control and trust in consumed cloud services, by supporting CSPs (IaaS, PaaS and SaaS providers) towards the successful achievement of a continuous certification aligned to the EU Cybersecurity Act (EU CSA). […] The proposed framework will be comprised of tools, techniques, and processes supporting the continuous auditing and certification of cloud services where security and accountability are measurable by design. As the MEDINA framework is leveraged into a cloud supply chain, it will support continuously assessing the efficiency and efficacy of security measures to ultimately achieve and maintain a certification.
Benefits
Guidance on the implementation of the controls, measures to be applied and evidence to be collected, reducing the time
Support for automatic compliance with the controls of existing certification schemes, reducing the effort, cost and risk of achieving and maintaining a certification
Ease the effort in the collection and evaluation of evidence
Ensure the audit trail of the evidence, and that no one has tampered with it