In 2019, the Cybersecurity Act (CSA) came into force, introducing a European cybersecurity certification framework for ICT products and services.
Certifiers and evaluators now have the opportunity to enter this newly created European market for cybersecurity certification. This market will be stimulated by forthcoming EU regulation that, in specific cases, will make certification mandatory for ICT products and services.
The first certification schemes created under the Cybersecurity Act are the Common Criteria-based European Cybersecurity Certification Scheme (EUCC) and the European Cybersecurity Certification Scheme for Cloud Services (EUCS). Over the years, the number of certification schemes will grow to cover a wide variety of certification scopes.
In the Netherlands, we place high value on efficient certification processes. To ensure this, the Dutch National Cybersecurity Certification Authority (NCCA) has set up its processes in close collaboration with commercial stakeholders. With these aligned processes the Dutch NCCA facilitates certification optimally, decreasing processing time and bureaucracy.
Have you heard about the EU cybersecurity certification schemes? If you are a Conformity Assessment Body, now is the time to know more about them. The European Union is preparing cybersecurity schemes to harmonize both the security requirements for ICT solutions and the way to assess them. These schemes allow mutual recognition of certificates across the European Union. So what's in it for Conformity Assessment Bodies? These schemes create a European market for new and experienced Conformity Assessment Bodies, also known as CABs. They will be able to offer cybersecurity certificates that are recognized across the European Union, and related assessment tools and services. Currently three cybersecurity certification schemes are under development. The first in the pipeline is the EU Common Criteria scheme covering ICT products. It is based on the existing Common Criteria for information security evaluation and, compared to previous rules, it allows CABs to also certify at the substantial level of assurance. Certification schemes on cloud services and on 5G networks are also upcoming. But how can CABs get ready? If you are a CAB, you can contact your relevant National Authority to become an accredited and notified body. Also, you can keep encouraging vendors and developers to obtain existing certifications. In fact, EU cybersecurity certification schemes will be aligned as much as possible with existing ones. ENISA will provide guidance to facilitate the transition. You can also join our efforts and participate in the development and implementation of current and future schemes. Stay updated via ENISA's website.
© ENISA - Creative Commons 4.0
Become a Conformity Assessment Body under the CSA
To be allowed to participate in the certification and/or evaluation of products, services and processes, a Conformity Assessment Body (CAB) needs to follow the Dutch NCCA licensing process. Conformity Assessment Body is an umbrella term for bodies that perform certification activities (i.e. CBs) and bodies that perform evaluation activities (i.e. ITSEFs and penetration testing organisations). A CAB is allowed to perform both certification and evaluation activities, as long as the separation of these activities is ensured.
Any licensed CAB will be registered on the European ENISA certification website. Note that although EU cybersecurity certificates are recognized throughout the EU, oversight of these certificates and of the CABs is organised nationally. Therefore any certificates issued in the Netherlands will be subject to supervision by the Dutch NCCA. The CSA holds the bodies that perform certification activities accountable for all certification activities, including the evaluation activities.
To become a licensed CAB under the NCCA, the CAB will need to be accredited by a National Accreditation Body (NAB) and successfully conclude the Dutch NCCA licensing process.
Accreditation
Accreditation is to be performed by a National Accreditation Body (NAB). In the Netherlands, this is the Dutch accreditation council/Raad voor Accreditatie (RvA).
The accreditation scope reflects, among other things, the CSA certification scheme and the highest assurance level supported by the CAB.
- Bodies that wish to perform certification activities must be accredited under the ISO/IEC 17065 standard, for the CSA certification scheme and the CSA assurance levels on which they want to be active.
- Bodies that wish to perform evaluation activities must be accredited for the applicable CSA certification scheme and the applicable ISO/IEC standard mentioned in the scheme's implementing regulation and state-of-the-art documents.
Authorisation
A scheme can include additional scheme requirements for the CABs, depending on the certification scheme and the assurance level on which the organisation wishes to perform activities. Where such additional scheme requirements apply, a formal authorisation decision by the NCCA is required to successfully conclude the Dutch NCCA licensing process.
The Dutch NCCA works together with the RvA during the accreditation process to proactively assess these additional scheme requirements. By covering the additional scheme requirements during the accreditation, all requirements can be assessed at the same time, which ensures efficiency and timeliness. In practice, this means that no additional assessments take place in the Dutch NCCA licensing process in order to reach an authorisation decision.
If accreditation was not conducted by the RvA, the Dutch NCCA will perform an authorisation assessment in its licensing process to check the additional scheme requirements. For this assessment, the Dutch NCCA may base its conclusions on documentation provided by the CAB and, if necessary, perform specific audits.
Note that for new accreditation requests there is a requirement to conduct at least one certification/evaluation project. However, there may be additional scheme requirements to conduct more than one certification/evaluation project before licensing can be granted.
CSA assurance levels
EU cybersecurity certification is possible at three assurance levels: Basic, Substantial and High. Each scheme defines which levels are applicable within that scheme. Certification at the assurance levels Basic or Substantial is always conducted by a CAB. Certification at the assurance level High can be carried out by either a CAB or the NCCA itself, depending on the implementation method chosen by the EU Member State.
The Netherlands has chosen to implement the CSA prior approval model, which allows the CABs to conduct the assessment and certification process themselves for the assurance level High, with oversight by the NCCA. As a result, the Netherlands is able to process these certification requests rapidly and in an agile manner.
Obligations under the CSA
The CSA schemes involve certain obligations and supervision by the NCCA. We are currently creating an overview of these obligations and will add it to this page when it is ready.