NI001 - Information exchange v2.0
Instruction describing how to communicate with the Dutch NCCA using email and ‘mijn RDI’, the encryption of this communication and the allowed document formats.
📄 Document information
1. Introduction
1.1 Purpose
The goal of this document is to provide information on how to exchange information with the Dutch Authority for Digital Infrastructure (RDI) in its role as the Dutch NCCA.
The target audience for this instruction is personnel from the Conformity Assessment Bodies (CAB), namely CAB managers, Certifiers, Certificate Issuers and Certifications Managers. This document also gives substance to communication means as specified in the AMvB.
1.2 Scope
This document addresses communication using email and ‘mijn RDI’, the encryption of this communication and the allowed document formats.
1.3 Roles
| Role | Responsible entity | Description |
|---|---|---|
| CAB Manager | CAB | Person at the CAB that is in charge of obtaining a licensing status under the Dutch NCCA. |
| Certificate Issuer | CAB | Person at the CAB with the authority to issue certificates. |
| Certifications Manager | CAB | Person at the CAB responsible for requesting the approval for an assessment plan. |
| Certifier | CAB | Person from the CAB responsible for the review of the evaluation activities and generation of the certification report. |
| Auditor | NCCA | Person at the Dutch NCCA responsible for processing and reviewing the received requests. |
1.4 Tools
The tools relevant for this information exhange instruction are:
- The 'Mijn RDI' portal
- A email client
- PGP / GPG software
- A document editor (e.g. Microsoft Office or OpenOffice)
2. Communication via 'Mijn RDI'
To submit formal requests (licensing, certification notification, certification approval) to the Dutch NCCA, a CAB has to use the official communication portal used by the Dutch NCCA called ‘Mijn RDI’. For each formal request, the CAB attaches the required documents and necessary evidence. If additional or updated information is requested, this may be provided through email. An overview of the documents that should be delivered through ‘Mijn RDI’ for the formal requests can be found in the annex to this document.
The CAB can use (and if not yet done, apply for) eHerkenning or EU eID to login to ‘Mijn RDI’. More information on eHerkenning and a full list of eHerkenning suppliers can be found on https://www.eHerkenning.nl/en.
After submitting a formal request using ‘Mijn RDI’ the Dutch NCCA shall reach a decision within a timeframe of 8 weeks. This time period originates from the UITVW. In rare occasions, it is possible that the NCCA requires more time and in those circumstances the time to reach a decision can be extended by another 6 weeks.
The CAB will be notified when the decision is reached, which can be accessed through the ‘Mijn RDI’ portal.
2.1 Project ID
Each request through ‘Mijn RDI’, will get a unique identification. This unique identification is used for all NCCA activities, amongst others communication and the identification of certification projects.
The project ID will have the following format: CSC-#:
- The acronym 'CSC' stands for CyberSecurity Certification and is automatically applied to all NCCA requests.
- # is a unique numeric value.
3. Communication via email
All information that is not required to be exchanged through the ‘mijn RDI’ portal, can be sent to the NCCA by email. Each scheme has its own email address and is intended for certification activities for that scheme. Additionally there is a licensing email address for licensing activities. General questions or messages related to NCCA activities should be send info@dutchncca.nl. Other questions can be directed to info@rdi.nl.
| Subject | Email address |
|---|---|
| Licensing | Licensing@dutchncca.nl |
| EUCC | EUCC@dutchncca.nl |
| EUCS | EUCS@dutchncca.nl |
| General NCCA | Info@dutchncca.nl |
| Other questions | Info@rdi.nl |
Project related email communication to the Dutch NCCA regarding licencing and certification shall be clearly identified in the mail-subject by the project ID as assigned by ‘Mijn RDI’ upon creating a request. The project ID is put in round brackets in the subject line.
If the information is intended for a specific auditor, please make sure to use the name of the auditor in the email. This allows the front-office to direct the email to the right person.
Please note that emails, including attachments, should not exceed a total size of 10MB due to mail server limitations. No s/mime or encrypted mail bodies shall be used. If the size of the attachment necessitates it, the CAB is also allowed to exchange information using a (s)ftp server or cloud service operated by the CAB itself.
An overview of the documents that should be delivered through e-mail can be found in the annex to this document.
4. Exchanging documents
The Dutch NCCA exclusively accepts authorized documents. All documents uploaded in 'mijn RDI' are automatically considered authorized, as access to the portal is restricted to authorized entities. For e-mail communication, the designated individual(s) who can authorise documents shall be clearly specified in the assessment plan.
4.1 Formatting
All project related communication and documents shall be in (UK) English. The documents shall be delivered in pdf format that allows to copy text from the document and to add notes. If available, a odf, odt, odp, docx, doc, xlsx, ppt, pptx version of the pdf document can be requested for practical purposes. When specified in other scheme documents, the NCCA may prescribe the use of an xml document for the structured exchange of information.
All documents shall be labelled with an unambiguous document number, a version number, and a date. When the documents belong to a certification project, the documents shall also be labelled with the project ID as assigned in ‘Mijn RDI’.
All sensitive or proprietary information shall be labelled as such. It is not required to use this labelling on every page.
A version numbering method shall be used that uniquely identifies a document. Any changes in a document shall result in a new version number and a new date. When a new version of a document is delivered to the NCCA, a clear method for marking changes between two formally delivered versions shall be applied to ease the determination of these changes.
If the project requires the exchange of a different type of document to be shared with the NCCA, this will be discussed with and approved by the auditor assigned to project.
For juridical reasons, NCCA formal decisions are formulated in the Dutch language and will contain a courtesy translation in English.
4.2 Encryption
The commercial encryption program PGP (or open source equivalent GPG) should be used to assure the confidentiality and integrity of information of a sensitive or proprietary nature that is exchanged by electronic means. Submitting encrypted documents to the Dutch NCCA shall be done using ‘Mijn RDI’ or as an attachment to an unencrypted email body.
NCCA public keys can be found on the Dutch NCCA website and will be renewed yearly. At the start of a certification or licensing project, the PGP public keys for encrypted communication are validated and if necessary exchanged between the CAB and the NCCA.
To allow a user to verify that he/she is working with the correct/genuine key, it is possible to verify the fingerprint by contacting the Dutch NCCA.
4.3 Filling xml files
Xml templates provided by the NCCA on the Dutch NCCA website comprise of fillable fields and comments:
- Fillable fields are marked as <identifier>Placeholder text</identifier>
- Comments are marked as <!--Comment-->
Comments give information on how to fill the specific xml file. In principle, all fields are mandatory to fill, unless pointed out as optional by a comment. Comments also specify if a (set of) fields can be iterated. For fillable fields the placeholder text should be replaced with the actual information or emptied if not applicable.
Most operating systems have a native application through which xml files can be edited (e.g. Windows notepad), since any text editor can edit xml. However, editing a xml file this way might prove impractical since the file structure and elements may not be presented in a visually organized way.
A xml-editing tool can be used to show the fields in a more organised manner, which makes the process of filling the xml file easier. There are many free (e.g. the open source 'XML notepad' by Microsoft) and commercial xml-editors available.
Annex A. Overview of documents and what tool to use
The overview presented in this annex provides an overview but is not necessarily complete. The process documents are leading in describing the documents that have to be delivered.
| Document | Tool | Encryption? |
|---|---|---|
| Accreditation evidence | ‘Mijn RDI’ portal | Yes |
| Licensing form | ‘Mijn RDI’ portal | No |
| Authorisation evidence | ‘Mijn RDI’ portal | Yes |
| Document | Tool | Encryption? |
|---|---|---|
| Monthly forecast | Yes |
| Document | Tool | Encryption? |
|---|---|---|
| EUCC notification form | ‘Mijn RDI’ portal | Yes |
| Assessment plan | ‘Mijn RDI’ portal | Yes |
| (draft) ST/PP | ‘Mijn RDI’ portal | Yes |
| Impact Assessment Report | ‘Mijn RDI’ portal | Yes |
| Document | Tool | Encryption? |
|---|---|---|
| Meeting deliverables | Yes | |
| Meeting Minutes | Yes | |
| Action list | Yes |
| Document | Tool | Encryption? |
|---|---|---|
| Evaluator evidence | ‘Mijn RDI’ portal | Yes |
| Certifier review report | ‘Mijn RDI’ portal | Yes |
| Final ST | ‘Mijn RDI’ portal | Yes |
| ETR | ‘Mijn RDI’ portal | Yes |
| ETR for composite evaluation | ‘Mijn RDI’ portal | Yes |
| ST-Lite | ‘Mijn RDI’ portal | Yes |
| STAR | ‘Mijn RDI’ portal | Yes |
| (draft) Certificate | ‘Mijn RDI’ portal | Yes |
| Certification report | ‘Mijn RDI’ portal | Yes |
| Request for approval form | ‘Mijn RDI’ portal | Yes |
| Document | Tool | Encryption? |
|---|---|---|
| Final ST/ST-Lite | No | |
| Final PP | No | |
| Certificate | No | |
| Certification report | No |
| Document | Tool | Encryption? |
|---|---|---|
| Change request | Email/‘Mijn RDI’ portal | Yes |
Annex B. 'Mijn RDI' instruction
A next version of this document will contain an instruction on how to submit requests using ‘mijn RDI’.