Verify any claim · lenz.io
Claim analyzed
Tech“France's Agence nationale de la sécurité des systèmes d'information (ANSSI) and Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI) have a mutual recognition agreement between France's Certification de sécurité de premier niveau (CSPN) and Germany's Beschleunigte Sicherheitszertifizierung (BSZ) frameworks, under which CSPN certificates are recognized in Germany with defined exceptions.”
Submitted by Quick Leopard 8eb6
The conclusion
The central statement is supported: ANSSI and BSI have a formal CSPN-BSZ mutual recognition arrangement, and ANSSI certificates can be recognized by BSI in Germany under it. The overstatement is the suggestion that the exceptions are clearly defined in public documentation. Available sources show carve-outs exist, but not a fully explicit public list of them.
Caveats
- Public sources support exceptions in principle, but do not clearly publish a complete, enumerated list of all exception categories.
- Recognition is framework-specific and not necessarily automatic for every product or regulatory use case; national rules or application notes may still limit acceptance.
- This bilateral arrangement is separate from broader EU cybersecurity certification frameworks and should not be treated as universal EU-wide recognition.
Get notified if new evidence updates this analysis
Create a free account to track this claim.
Sources
Sources used in the analysis
On 15 May 2024, Vincent Strubel, Director General of ANSSI, and his German counterpart at the Federal Office for Information Security (BSI), Claudia Plattner, approved and personally signed the new version of the mutual recognition agreement for security certificates for the CSPN (Certification de Sécurité de Premier Niveau) and BSZ (Beschleunigte Sicherheitszertifizierung) schemes. Initially signed in June 2022, the CSPN-BSZ mutual recognition agreement allows the reciprocal recognition of this type of security certificate between France and Germany, thus avoiding duplication of evaluations. Under this agreement, BSI and ANSSI are also publishing a new logo which will be affixed from 1 August 2024 to all new CSPN certificates, their certification reports and on the websites of the two certification bodies.
In the context of the BSZ_CSPN mutual recognition agreement, this certificate is recognised by the BSI (Bundesamt für Sicherheit in der Informationstechnik). This certificate is issued in accordance with decree 2002‑535 of 18 April 2002 as amended, relating to the evaluation and certification of the security provided by information technology products and systems.
Regulation (EU) 2019/881 establishes a European cybersecurity certification framework for ICT products, services and processes. It provides for the possibility of European certification schemes but does not itself mandate bilateral mutual recognition agreements such as the one between ANSSI and BSI for CSPN and BSZ; those remain national or bilateral initiatives built on top of the EU framework.
On May 15, 2024, the Director General of ANSSI and the Director of Germany's Federal Office for Information Security (BSI) signed a new version of the mutual recognition agreement for the CSPN (First Level Security Certification) and BSZ (Accelerated Security Certification) schemes. This agreement, initially established in June 2022, allows for the reciprocal recognition of safety certificates between France and Germany, streamlining assessments and enhancing cooperation. From August 1, 2024, all new CSPN certificates will feature a newly introduced logo, aiding in the quick identification of certified products.
Das Certification de Sécurité de Premier Niveau ist ein französisches Sicherheitszertifikat für Produkte der Informationstechnologie. In Deutschland gibt es mit dem BSZ (Beschleunigte Sicherheitszertifizierung) des BSI eine vergleichbare Zertifizierung. Das BSZ-Schema ist mit dem CSPN-Schema kompatibel. Deutschland und Frankreich streben zukünftig eine gegenseitige Anerkennung der Zertifizierungen an.
The Agence nationale de la sécurité des systèmes d’information and its German counterpart, the BSI, have signed a mutual recognition agreement for security certificates for the CSPN (Certification de Sécurité de Premier Niveau) and BSZ (Beschleunigte Sicherheitszertifizierung) schemes. Valid and public certificates previously issued "will be recognised in France as in Germany" as soon as the agreement enters into force, ANSSI indicates. The agreement is intended to cover all certificates issued by the two schemes, "but may exclude those that are, for example, subject to special national regulation", ANSSI specifies.
There is a corresponding agreement between the BSI and the French ANSSI (Agence nationale de la sécurité des systèmes d'information) for the international recognition of IT security certificates. In principle, all CSPN certificates (Certification de sécurité de premier niveau) in Germany are accepted by the BSI and all BSZ certificates in France by the ANSSI.
Zur internationalen Anerkennung von IT-Sicherheitszertifikaten besteht zwischen dem BSI und der französischen ANSSI (Agence nationale de la sécurité des systèmes d'information) eine entsprechende Vereinbarung. Im Prinzip werden alle CSPN-Zertifikate (Certification de sécurité de premier niveau) in Deutschland vom BSI und alle BSZ-Zertifikate in Frankreich von der ANSSI anerkannt.
This technical article explains the French CSPN certification run by ANSSI, focusing on how products are evaluated and how certificates are issued. It notes that CSPN is currently a national scheme and, at the time of writing, its applicability is primarily in France, though it mentions that mutual recognition and alignment with other European schemes is an evolving topic. The article does not go into detail about the specific bilateral agreement between ANSSI and Germany’s BSI or enumerate the exceptions on the German side.
TÜViT explains the BSZ scheme and notes that BSZ is a certification procedure of the Federal Office for Information Security (BSI) based on a combination of conformity checks and penetration tests. It further explains that BSZ is a fixed-time evaluation scheme compatible with approaches such as the French CSPN, and that the BSI has established an international recognition framework, in particular with ANSSI, so that products certified under CSPN can be accepted under BSZ conditions.
Germany’s BSI and France’s ANSSI mutually recognize CSPN and BSZ certificates with possible exemptions. Alignment with the EN 17640 Fixed Time approach supports progress toward a harmonized EU-wide certification scheme under the Cybersecurity Act.
Am 14. Juni 2022 haben das deutsche Bundesamt für Sicherheit in der Informationstechnik (BSI) und die französische Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) beschlossen, ihre IT-Sicherheitszertifikate gegenseitig anzuerkennen. Somit wird die CSPN-Zertifizierung des TixeoServers, die von der ANSSI am 15. Juni 2021 ausgestellt wurde, ab sofort als gleichwertig mit dem BSZ-Zertifikat (Beschleunigte Sicherheitszertifizierung) des BSI betrachtet.
France and Germany have signed a mutual recognition agreement for security certificates for the CSPN and BSZ schemes via ANSSI and BSI. The aim is to achieve harmonisation in the field of cybersecurity. The certificates will therefore be recognised in France as in Germany.
After having adamantly resisted the creation of a European certification system, French and German cyber security agencies, ANSSI and BSI, are now pressing for mutual recognition of their respective schemes. Due to come into application in October, it is equivalent to ANSSI's CSPN and will thus facilitate mutual recognition. Franco-German cooperation on this issue is aimed at paving the way for a broader European cyber certification framework.
A bilateral agreement between the BSI (German Federal Office for Information Security) and ANSSI (Agence nationale de la sécurité des systèmes d'information) allows mutual recognition of IT security certifications. In principle, all CSPN (First Level Security Certification) certificates are recognised by the BSI in Germany, and all BSZ certificates are accepted by ANSSI in France.
In the framework of cooperation between France and Germany in cybersecurity, ANSSI and BSI have set up a mutual recognition agreement for their national certifications (CSPN for France and BSZ for Germany). This agreement guarantees that a certification issued by one of the two authorities is recognised by the other, without the need for a new evaluation.
The CSPN set up by ANSSI in 2008 consists of "black box" tests carried out within constrained time and deadlines. CSPN is an alternative to Common Criteria certification and aims to provide a first level of security assurance for ICT products. This page describes the objectives and methodology of CSPN but does not by itself create any international or mutual recognition.
The CSPN–BSZ mutual recognition agreement between ANSSI and BSI is framed around the respective CSPN and BSZ product security certification schemes, not every possible French or German cybersecurity evaluation. While it establishes that, in principle, all CSPN certificates are recognised in Germany and all BSZ certificates in France, it also explicitly allows each authority to exclude certain product types through application notes (for example, where specific national regulations apply), meaning recognition is not completely unconditional or universal across all products.
What do you think of the claim?
Your challenge will appear immediately.
Challenge submitted!
Continue your research
Verify a related claim next.
Expert review
3 specialized AI experts evaluated the evidence and arguments.
Expert 1 — The Logic Examiner
Sources 1 and 2 directly support the core of the claim that ANSSI and BSI have (and renewed in May 2024) a CSPN–BSZ mutual recognition agreement and that CSPN certificates can be recognized by BSI in Germany under that agreement, while sources 6 and 11 indicate recognition is not absolute because exemptions/exclusions can apply (e.g., special national regulation), which is logically consistent with “with exceptions” even if not exhaustively listed here. However, the dataset does not actually demonstrate that the exceptions are “defined” in the sense of clearly specified categories or an enumerated, accessible exception list; inferring “defined exceptions” from vague “may exclude”/“possible exemptions” language is a scope/precision overreach, so the claim as worded is somewhat stronger than what the evidence strictly establishes.
Expert 2 — The Context Analyst
The claim is broadly accurate about the existence and renewal of a CSPN–BSZ mutual recognition agreement and that CSPN certificates can be recognized by BSI, but it omits that the publicly available materials in this record mostly describe recognition as a general principle with only high-level, non-enumerated carve-outs (e.g., “special national regulation” and unspecified “application notes”), so the phrase “defined exceptions” risks overstating how concretely specified those exceptions are in public-facing documentation (Sources 1, 2, 6, 11, 18). With full context, the overall impression that there is a formal mutual-recognition framework and that recognition is not unconditional is correct, but the framing that exceptions are clearly “defined” is stronger than what the cited public evidence substantiates, making the claim misleading rather than outright false (Sources 1, 2, 6, 7, 15).
Expert 3 — The Source Auditor
The highest-authority sources are ANSSI's own official publications (Sources 1 and 2, cyber.gouv.fr, authority scores near the top of the pool), which unambiguously confirm the existence of a formal, signed CSPN-BSZ mutual recognition agreement between ANSSI and BSI, renewed in May 2024, and that individual CSPN certificates explicitly state BSI recognition 'in the context of the BSZ_CSPN mutual recognition agreement.' Source 6 (Solutions Numériques, moderate authority) and Source 18 (LLM Background Knowledge) both note that the agreement allows exclusions for certificates subject to special national regulation or application notes, and Source 11 (Brightsight) references 'possible exemptions' — these collectively substantiate the claim's 'defined exceptions' qualifier as a governance mechanism built into the agreement, even if no exhaustive public enumeration of every exception exists. The opponent's argument that 'defined' requires a publicly enumerated list is a higher evidentiary bar than the claim actually sets; the most authoritative sources (ANSSI official communications) confirm a structured agreement with acknowledged carve-outs, which is precisely what the claim describes, making the claim well-supported by the most reliable, independent, and current evidence available.
Expert summary
The arguments
Two AI advocates debated this claim using the research gathered.
Argument for
ANSSI itself reports that ANSSI and Germany's BSI signed (and in May 2024 renewed) a formal CSPN–BSZ mutual recognition agreement enabling reciprocal recognition of CSPN and BSZ security certificates to avoid duplicate evaluations (Source 1, ANSSI / cyber.gouv.fr), and ANSSI-issued CSPN certificates explicitly state they are recognized by the BSI “in the context of the BSZ_CSPN mutual recognition agreement” (Source 2, ANSSI). The agreement's recognition is not unconditional but operates “in principle” with carve-outs—ANSSI notes it may exclude certificates subject to special national regulation and other sources likewise describe “possible exemptions,” which directly matches the motion's “defined exceptions” qualifier for CSPN recognition in Germany (Source 6, Solutions Numériques; Source 11, Brightsight; Source 7, LANCOM Systems).
The Proponent conflates the mere existence of carve-outs with the claim's specific assertion of 'defined exceptions,' yet Source 6 only offers a vague illustrative example ('for example, subject to special national regulation') and Source 11 references only 'possible exemptions' — neither source enumerates, delimits, or formally defines any exception category, meaning the qualifier 'defined' in the motion remains unsubstantiated by the evidence presented. Furthermore, the Proponent's reliance on Source 7 and Source 15, which both qualify recognition as operating only 'in principle,' actually reinforces the Opponent's position that the exception framework is indeterminate and informal rather than 'defined,' exposing a logical leap in treating vague hedging language as evidence of a structured, publicly documented exception regime.
Argument against
The claim asserts CSPN certificates are recognized in Germany 'with defined exceptions,' but the research brief reveals these exceptions are vague and undefined — Source 6 only states certificates 'may exclude those that are, for example, subject to special national regulation,' and Source 18 merely references unspecified 'application notes,' meaning no concrete, enumerated exceptions have been publicly documented to substantiate the claim of 'defined' exceptions. Furthermore, Source 7 and Source 15 explicitly state that 'in principle, all CSPN certificates in Germany are accepted by the BSI,' directly contradicting the notion that recognition is meaningfully limited by defined carve-outs, undermining the claim's characterization of a structured exception framework.
The Opponent equivocates on “defined exceptions” by demanding a publicly enumerated list, even though the brief documents a formal mutual-recognition agreement (Source 1, ANSSI / cyber.gouv.fr) whose scope is explicitly conditioned—ANSSI's own contemporaneous reporting notes exclusions for certificates subject to special national regulation (Source 6, Solutions Numériques) and other briefed materials describe exemptions implemented via application notes (Source 11, Brightsight; Source 18, LLM Background Knowledge), which is precisely what makes the exceptions “defined” as a governance mechanism rather than “vague.” The Opponent's reliance on “in principle, all CSPN certificates…are accepted” (Source 7, LANCOM Systems; Source 15, LANCOM Systems) is not a contradiction but a general-rule statement that coexists with carve-outs, and ANSSI-issued CSPN certificates themselves confirm recognition by BSI “in the context of the BSZ_CSPN mutual recognition agreement” (Source 2, ANSSI), reinforcing that recognition is structured and conditional rather than unconditional.