The Dutch approach

The Netherlands has implemented a market-oriented approach for the Cybersecurity Act (CSA), leveraging the expertise of commercial Conformity Assessment Bodies (CABs) for the certification of ICT products and services.

The Netherlands prioritises efficiency and has put processes in place in close consultation with commercial CABs in an effort to reduce processing times and bureaucracy. 

EU cybersecurity certification is possible at three distinct assurance levels: basic, substantial and high.

For assurance levels basic and substantial, certification is conducted exclusively by commercial CABs, with oversight by the Dutch National Cybersecurity Certification Authority (NCCA) following certificate issuance.

For assurance level high, the Netherlands has implemented the prior approval model. Under this model, certification is also conducted by commercial CABs, but formal approval by the NCCA is required before a certificate can be issued. This approval is in addition to the oversight by the NCCA following certificate issuance.

To efficiently reach a decision on certificate issuance, the NCCA actively gathers information throughout the certification process. Early monitoring during the process leads to shorter review times at the end, making the process as efficient as possible.

Dutch NCCA Prior Approval Certification process
Illustration showing the involvement of the Dutch NCCA in the certification process if the CAB needs prior approval from the Dutch NCCA to issue a certificate. The focus on proactive monitoring improves the efficiency and timeliness of the process.

The Dutch implementation of the prior approval model ensures that the certification process as a whole is efficient and transparent for all involved parties.

All certification schemes will apply the prior approval model for certification at assurance level high. The first certification schemes created under the Cybersecurity Act are the Common Criteria-based European Cybersecurity Certification Scheme (EUCC) and the European Cybersecurity Certification Scheme for Cloud Services (EUCS).