CertifAI

Enabling Continuous AI-Empowered Certification for a Secure Digital Future

This EU‑funded research project brings together DNV and 11 partner organizations. The aim of the project is to investigate and develop AI‑empowered approaches to the certification of information and communication technology (ICT) systems, driven by emerging EU cybersecurity legislation.

Why CertifAI matters

Providers of digital products and cyber‑physical systems typically invest several years in design, development, and testing before bringing products to market. For many vendors, achieving compliance with cybersecurity legislation is time‑consuming and often treated as a final step before product launch. This can result in unexpected findings during conformity assessment, triggering additional development iterations and creating a need for new compliance evidence.

• The CertifAI project aims to help vendors throughout the entire product lifecycle by offering methods and AI‑empowered tool support that strengthen cybersecurity awareness and streamline compliance activities, evidence collection, and the preparation for formal conformity assessment.

Conventional cybersecurity certification tends to be static, lengthy, and misaligned with the fast-paced evolution and DevSecOps of today’s digital technologies.

• CertifAI bridges this gap by creating an open software framework that enables continuous, AI-empowered certification and recertification. This allows manufacturers and service providers to proactively monitor and mitigate cyber risks and certification requirements without waiting for periodic audits.

Digital and cyber‑physical systems are becoming increasingly intelligent, capable of performing automated tasks and operating within complex systems‑of‑systems. As the time from design and development to deployment continues to shrink, agile lifecycle approaches such as DevSecOps are rapidly becoming standard practice. Cybersecurity certification processes must adapt to iterative lifecycles – without compromising their purpose or the quality of the assurance they provide.

Providers of products and services with digital elements – whether or not they incorporate AI – must navigate an increasingly complex landscape of legislation, regulation, and standards. Compliance must be ensured both before products are placed on the market and throughout their operational life, including during maintenance and upgrades.

• CertifAI address these challenges, in developing an open software framework that enables cost‑effective, AI-empowered continuous assessment and (re‑)certification of ICT products and services, in line with emerging regulations such as the EU Cyber Resilience Act and the AI Act. New methodologies and tools for continuous cybersecurity risk management and continuous certification are being created to support this vision.

DNV’s role and strategic contribution

DNV contributes extensive and long‑standing expertise in risk management, assurance, AI, digital asset assurance, interoperability, digitalization, and certification to the CertifAI project. Our role includes the third‑party certification perspective and leveraging our experience in assuring digital assets such as data, machine‑learning models, sensor systems, AI systems, digital twins, and simulation models. We also provide methodologies for handling information quality, assumptions, and uncertainties throughout the certification process.

A key focus for DNV is to better understand the interaction between providers and auditors in a context where iterative development is the norm for providers and AI is integrated throughout the product lifecycle. When AI is used to support evidence generation and automate providers cybersecurity certification activities, DNV – as a notified body and auditor – must align its own digitalization efforts, assessment scope, conformity assessment criteria, and internal AI‑empowered processes with this new reality.

By embedding artificial intelligence into certification preparation and lifecycle management, CertifAI is laying the foundation for a more efficient, transparent, robust, and secure digital assurance ecosystem. Cybersecurity certification schemes are increasingly becoming standard regulatory mechanisms in the EU, whether through self‑assessment or third‑party evaluation. Under the EU Cyber Resilience Act and the EU AI Act, product type and intended use determine a product’s risk classification, which in turn defines applicable obligations and whether self‑assessment or third‑party assessment is required. Both these regulations place strong emphasis on risk management and are supported by portfolios of harmonized standards. These standards will underpin conformity assessments – whether performed through internal self‑assessment or by accredited notified bodies like DNV.

The ongoing advancement of cybersecurity technologies and the shift towards agile product lifecycles are fully aligned with DNV’s role and strategic ambition to lead globally in digital trust and cybersecurity assurance and certification.

For DNV, CertifAI is a natural extension of our mission to safeguard life, property, and the environment. It reinforces our position as a trusted third party in the digital domain and supports our ambition to shape the future of cybersecurity assurance.

DNV continues to improve and digitalize our advisory, conformity, and certification processes and offerings. This development must be closely aligned with how our clients prepare for and implement their digitalization and certification strategies.

CertifAI deliverables

Across five trials, the project tests and refines its technical deliverables and methodologies. A project effect goal is to reduce the time and cost providers spend on certification, while enabling a more efficient and seamless interaction between providers and auditors.

Project deliverables include:

• Certification framework for continuous certification
• Tool support for building and refining a SBOM describing the asset model
• Framework, tools, and AI support for context-aware, continuous, and semi-automated risk management, including identifying threats and detecting, mapping, and mitigating vulnerabilities
• AI-empowered tools and AI support for building security assurance case and validation  – based on claims, evidence, and rationale structures, and supplemented with test optimalization and explainable AI
• Testing and demonstration of continuous certification in practical scenarios, such as autonomous maritime drones, rail systems, wildfire sensing, and smart grids

The above-mentioned AI functions utilize ML, LLMs, or other advanced AI approaches.

Building trust in AI-empowered systems

CertifAI goes beyond regulatory compliance, aiming to cultivate trust in the digital technologies that underpin modern industry and society. The initiative supports emerging EU regulations such as the Cyber Resilience Act and the AI Act, both product- and risk-focused legislation. These products will contribute as components in critical infrastructure, value chains, and high-risk use cases. This links the individual product certification efforts to continuous operational risk management.

By integrating explainable AI, automated threat intelligence, ML, LLMs, and scalable certification mechanisms, CertifAI is redefining how cybersecurity assurance is delivered in an AI-empowered world.  When DNV, as an auditor, adds AI to the toolbox to perform conformity assessments and monitor continuous certification status, we end up with AI monitoring and assuring AI. This is an interesting situation we have started to investigate and that requires further research.

Project metadata:

Click on the links below to read about related projects and initiatives