2 min. read
About the EU Tech Sovereignty Package
Passbolt welcomes the EU’s recognition of open source in the Tech Sovereignty Package, while calling for practical measures that support competition, openness, and interoperability.
Over the past months, we have been working with Quarkslab to prepare Passbolt for a CSPN evaluation. Today, we're happy to share that our CSPN application has been formally submitted to ANSSI.
For Passbolt, this is an important milestone, this certification represents one of the most thorough independent and well-recognized security assessment processes available in Europe.
What is the ANSSI CSPN?
CSPN stands for “Certification de Sécurité de Premier Niveau” (e.g. First Level Security Certification in French), is a security certification scheme operated by ANSSI, the French national cybersecurity agency.
The goal is to provide an independent assessment of a product's security. Evaluators review source code, cryptographic mechanisms, documentation, installation procedures, security assumptions, and the product's resistance to realistic attack scenarios.
The CSPN evaluates the overall security posture of a product: its architecture, threat model, cryptographic design, operational guidance, and development practices. It also requires vendors to clearly document what security guarantees are provided, under which assumptions, and against which threats.
For organizations deploying security-critical software, this provides a higher level of assurance than a standalone penetration test.
The preparation phase
Before a product can enter formal evaluation, a significant amount of preparation work is required.
Together with Quarkslab, we completed a pre-evaluation of Passbolt, reviewed the product against ANSSI requirements, and produced the core documents required for certification. The evaluation relies on a comprehensive set of supporting documents that allow evaluators to understand exactly how the product is designed, deployed, and secured:
- A security audit and gap analysis
- The Security Target, which defines precisely what is being evaluated
- Detailed documentation of Passbolt's cryptographic mechanisms
- Threat modelling and security assumptions
- Reviews of technical, installation, administration, and user documentation
This phase was designed to ensure that the product is ready before entering the formal certification process.
What happens next?
This preparation work is complete and our application has been submitted to ANSSI.
The next step is the review of our Security Target and supporting documentation by ANSSI. If the application is accepted, Passbolt will enter the formal CSPN evaluation phase. An ANSSI-accredited evaluation laboratory will then conduct a fixed-time assessment of the product, reviewing its security functions, documentation, installation procedures, cryptographic design, and resistance to moderate attack scenarios in conditions that closely reflect real-world use.
The evaluators' findings and recommendations will be compiled into an Evaluation Technical Report (ETR). ANSSI will review this report and use it as the basis for its final certification decision.
The outcome of a CSPN evaluation is never guaranteed. The purpose of the process is precisely to challenge assumptions and verify claims through independent analysis.
We will keep the community informed as the evaluation advances through the next stages of the certification process. We look forward to sharing the results and the improvements it helps drive across the Passbolt platform.
