NP001 - Licensing process v1.0

Scheme document | 06-02-2024

Process describing how to get licensed to perform evaluation/certification activities under the Dutch NCCA.

📄 Document information

Version history:
Version	Published on	Effective from	Comment
1.0	06-02-2024	06-02-2024	Final version for 1st publication and use

Supporting scheme documents:
Scheme document	Description of relation
NI001 - Information exchange	Provides instructions for submitting the licensing form and other required documents to the NCCA.
NT001 - Licensing form	Form used by the CAB for providing the relevant information for a licensing request to the NCCA.

Glossary of terms and abbreviations:
Abbreviation	Description
CAB	Conformity Assessment Body
CSA	Cybersecurity Act
ENISA	European Union Agency for Cybersecurity
IT	Information Technology
NAB	National Accreditation Body
NCCA	National Cybersecurity Certification Authority
RvA	Dutch accreditation council / Raad voor Accreditatie

1. Introduction

1.1 Background and purpose

To be allowed to participate in the evaluation and/or certification of products, services and processes a Conformity Assessment Body (CAB) needs to be licensed by the Dutch NCCA, which requires an accreditation and an authorisation if applicable. Conformity Assessment Body is a umbrella term under the Cybersecurity Act for bodies that perform certification activities (e.g. CBs) and bodies that perform evaluation activities (such as design and documentation review, sampling, testing, inspection and audit). It is allowed for an CAB to perform both evaluation and certification activities, as long as the separation of activities is ensured.

This document provides details of the steps and activities that the parties involved shall take in the licensing process. The overall goal is to ensure that the formal approval can be given efficiently based on a process that reduces risks for all stakeholders by having the following characteristics:

Quality: approval based on verification that a CAB meets the scheme requirements
Predictability: assurance that licensing approval stays on track
Timeliness: fast final approval based on intermediate results

Accreditation is to be performed by an European National Accreditation Body (NAB). In the Netherlands, this is the Dutch accreditation council/Raad voor Accreditatie (RvA).

The accreditation scope reflects, among others, the CSA certification scheme and the highest assurance level supported by the CAB.

Bodies that wish to perform certification activities must be accredited under the ISO/IEC 17065 standard, for the CSA certification scheme and the CSA Assurance Levels on which it wants to be active.
Bodies that wish to perform evaluation activities must be accredited for the applicable CSA certification scheme and the applicable ISO/IEC standard mentioned in the scheme implementing regulation and State-of-the-Art documents.

A scheme may include additional scheme requirements for the CABs, depending on the certification scheme and the assurance level on which the organisation wishes to perform activities. In the case of additional scheme requirements a formal authorisation decision by the NCCA is required in addition to the accreditation.

The Dutch NCCA works in close cooperation with the RvA during its accreditation process to proactively assess these additional scheme requirements. By covering these additional scheme requirements in the accreditation process and decision, all requirements will be assessed at the same time, which ensures efficiency and timeliness. In general this means that for the Dutch NCCA to reach an authorisation decision in the licensing process, no additional assessments will take place besides some administrative checks.

If accreditation is conducted by an European National Accreditation Body other than the RvA, the Dutch NCCA will perform an authorisation assessment to check the additional scheme requirements. For this assessment, the Dutch NCCA may base its conclusions on documentation provided by the CAB and if necessary perform specific audits.

Note that for new accreditation requests there is an additional requirement to conduct at least one certification/evaluation project.

After a positive decision on the licensing request, the Dutch NCCA will publish the licensing status on its website and inform ENISA of the licensing status including applicable scope.

1.2 Information products

Information products identified in the licensing process:
Information product	From	To	Description
Licensing request	CAB	NCCA	Official notification from a CAB to the NCCA that they wish to be licensed to operate under an EU scheme. It consists of a licensing form, accreditation evidence and, when applicable, authorisation evidence.
Licensing form	CAB	NCCA	Form that the CAB fills in for its licensing request at the Dutch NCCA.
Accreditation evidence	CAB	NCCA	Evidence showing that the CAB is accredited for the requested scope of licensing.
Authorisation evidence	CAB	NCCA	Evidence showing the fulfilment of the additional scheme requirements for the requested scope of licensing.
Licensing review report	NCCA	NCCA	NCCA internal report in which the NCCA keeps track of everything leading up to the rejection or acceptance of the licensing request.
Approval of licensing request	NCCA	CAB	Letter from the NCCA informing the CAB that the licensing request has been approved.
Rejection of licensing request	NCCA	CAB	Letter from the NCCA informing the CAB that the licensing request has been rejected.

All documents or other material exchanged with the NCCA shall be in electronic form and in the English language. If the material contains proprietary or sensitive information, it should be submitted in encrypted form with PGP encryption using the public NCCA keys, which can be downloaded from the NCCA website.

Please refer to the NCCA instruction NI001 - Information exchange for further guidelines on how documents or other material shall be exchanged with the NCCA.

1.3 Roles

Roles identified in the licensing process:
Role	Responsible entity	Description
CAB manager	CAB	Person at the CAB that is in charge of obtaining a licensing status under the Dutch NCCA.
Licensing auditor	NCCA	Person responsible for performing the necessary checks to verify that the CAB fulfils all applicable requirements for the requested licensing scope.
Audit supervisor	NCCA	Supervisor that checks the work of the licensing auditors and prepares the final approval or rejection decision on the licensing request.

2. Licensing process

The Licensing Process only consists of one phase: the Licensing Phase.

2.1 Phase 1: Licensing phase

2.1.1 Step 1.1 Prepare licensing request

Action 1.1.1: Draft licensing form:
Responsible: CAB \| Executed by: CAB manager
Draft the licensing form Download the NCCA Template NT001 - Licensing form from the NCCA website Determine the certification scheme and assurance level for which licensing will be requested. Fill in the required fields.

Action 1.1.2: Assess additional scheme requirements:
Responsible: CAB \| Executed by: CAB manager
Determine additional criteria Depending on requested scope of licensing, there may be an obligation to comply with additional scheme requirements. These requirements have to be fulfilled in addition to the standard accreditation requirements. Determine if there are additional scheme requirements for the certification scheme and assurance level for which licensing will be requested.
Assess additional criteria Assess if the organisation currently fulfils these requirements. If not, perform necessary actions needed to demonstrably fulfil the additional scheme requirements. Note: In the Netherlands the accreditation assessment by the RvA includes all scheme requirements, including the additional scheme requirements. This means that a RvA accreditation report should provide the necessary evidence that these additional scheme requirements are fulfilled.

Action 1.1.3: Collect evidence:
Responsible: CAB \| Executed by: CAB manager
Gather accreditation evidence Gather the accreditation report and evidence of the accreditation decision (e.g. reference to the website of the NAB), including accreditation scope.
Gather authorisation evidence If additional scheme requirements are applicable, gather evidence that the organisation meets these additional scheme requirements for the formal authorisation decision. Note: This evidence may be in the form of an accreditation report (if the additional scheme requirements were included in the accreditation assessment), a separate authorisation report issued by another NCCA or evidence compiled by the CAB itself. Note: In the Netherlands the accreditation assessment by the RvA includes all scheme requirements, including the additional scheme requirements. This means that a RvA accreditation report should provide the necessary evidence that these additional scheme requirements are fulfilled.

Action 1.1.4: Submit licensing request for approval:
Responsible: CAB \| Executed by: CAB manager
Submit the licensing request Update the licensing form if needed Sign the licensing form Submit the licensing request including the licensing form, accreditation evidence and, if necessary, authorisation evidence.

The reception of the licensing request is a milestone for the NCCA after which the request has to be processed within the legally defined terms.

2.1.2 Step 1.2: Assess licensing request

Action 1.2.1: Register licensing request:
Responsible: NCCA \| Executed by: Audit supervisor
Receive the licensing request Archive and register the licensing request in the NCCA document management system and create an audit file. Confirm the reception of the licensing request to the CAB.
Appoint licensing auditor Assign an auditor to process the licensing request and conduct the review of the provided evidence.

Action 1.2.2: Check licensing request for completeness and correctness:
Responsible: NCCA \| Executed by: Licensing auditor
Create licensing review report Create a licensing review report to document any discussions and comments related to the licensing request.
Check completeness and correctness of licensing form Check if all fields on the licensing form are filled in correctly.
Check completeness and correctness of evidence Based on the requested scope of licensing, check if the submitted accreditation- and possibly authorisation evidence is complete and covers the correct requirements.

Action 1.2.3: Review accreditation evidence:
Responsible: NCCA \| Executed by: Licensing auditor
Review evidence Check the accreditation decision is valid. (e.g. validity date, suspended or revoked status). Check that the accreditation scope is consistent with the licensing request. Review the accreditation report and evidence of the accreditation decision which states that the CAB has been accredited.

Action 1.2.4: Review authorisation evidence:
Responsible: NCCA \| Executed by: Licensing auditor
Review evidence If applicable for scope, review the evidence that the organisation meets the additional scheme requirements for the requested certification scheme(s) and assurance level(s). Note: If the Accreditation was performed by the RvA, these requirement should have been assessed in the RvA accreditation process in cooperation with the Dutch NCCA. This means that no additional assessment should be needed since the additional scheme requirements have already been assessed. Note: The NCCA might contact NAB and/or other NCCA to verify the additional scheme requirements are fulfilled for its authorisation decision. Note: The NCCA might conduct additional document research or physical audits to gather information needed to verify the additional scheme requirements are fulfilled for its authorisation decision.

Action 1.2.5: Issue formal decision on licensing request:
Responsible: NCCA \| Executed by: Audit supervisor
Validation of the licensing review report Check if the licensing review report is complete, correct and consistent. Sign off the licensing review report.
Draft a formal acceptance or rejection letter Depending on the outcome of the review, fill-in the approval of licensing request or the rejection of licensing request template. Have the letter signed.
Submit the formal decision letter (acceptance or rejection) to the CAB Send the letter to the CAB.
Notify of licensing decision In the case of an approved licensing request, the NCCA will inform the European Commission and ENISA about the CABs competency, based on the scope of licensing, and the NCCA will publish the licensing status of the CAB on the NCCA website.

The approval of the licensing request is a milestone for the CAB after which they are formally licensed to conduct evaluation/certification activities under the Dutch NCCA for the approved scope.

In case of rejection the licensing process stops and the CAB is not formally licensed to conduct evaluation/certification activities under the Dutch NCCA for the requested scope. A new submission of a licensing request is required to restart the process.

3. Maintenance of licensing status

To maintain a licensing status, the CAB needs to prove continued compliance with all accreditation- and, if applicable, additional scheme requirements. For maintaining an accreditation under the RvA, the standard RvA “Maintenance of existing accreditation” process will be followed. For accreditation under other National Accreditation Bodies, refer to their own guidance.

The process for maintaining a licensing status under the Dutch NCCA will be described in v2.0 of this document, which will be published once the first CABs become licensed and guidance about the maintenance of this licensing status becomes relevant.