FAQ on generic certification process
This section presents questions and answers on the generic certification process.
Yes, the manufacturer or provider of ICT products, services or processes can obtain a certificate from a CAB of its choice in the EU that is accredited pursuant to Article 60 of the CSA under the relevant scheme. The same rationale applies to cases under Article 56(6), where a certificate has to be issued by the CB of an NCCA, by a delegated CB, or by a CB under the prior-approval model.
In a nutshell:
Accreditation is mandatory to perform evaluation and certification activities at assurance level ‘substantial’, and authorisation, in addition, is required to perform similar activities at assurance level ‘high’.
To go further:
Pursuant to Article 9(1) of the EUCC Implementing Regulation, the certification bodies shall issue an EUCC certificate under certain conditions listed there, one of which is that:
“the category of ICT product falls within the scope of the accreditation, and where applicable of the authorisation, of the certification body and the ITSEF involved in the certification” (point (a) of Article 9(1)).
In addition, Article 21(1) sets out additional or specific requirements for a certification body, which read as follows:
“1. A certification body shall be authorised by the national cybersecurity certification authority to issue EUCC certificates at assurance level ‘high’ where that body demonstrates that, in addition to meeting the requirements laid down in Article 60(1) and the Annex to Regulation (EU) 2019/881 regarding accreditation of conformity assessment bodies, the following:
- it has the expertise and competences required for the certification decision at assurance level ‘high’;
- it conducts its certification activities in cooperation with an ITSEF authorised in accordance with Article 22; and
- it has the requisite competences and put in place appropriate technical and operational measures to effectively protect confidential and sensitive information for assurance level ‘high’, in addition to the requirements set out in Article 43.”,
whereas Article 22(1) sets out additional or specific requirements for an ITSEF:
“1. An ITSEF shall be authorised by the national cybersecurity certification authority to carry out the evaluation of ICT products which are subject to certification under the assurance level ‘high’, where the ITSEF demonstrates that, in addition to meeting the requirements laid down in Article 60(1) and the Annex to Regulation (EU) 2019/881 regarding accreditation of conformity assessment bodies, it complies with all of the following conditions:
- it has the necessary expertise for performing the evaluation activities to determine the resistance to state-of-the-art cyberattacks carried out by actors with significant skills and resources;
- for the technical domains and protection profiles, which are part of the ICT process for those ICT products, it has:
  - the expertise to perform the specific evaluation activities necessary to methodically determine a target of evaluation’s resistance against skilled attackers in its operational environment assuming an attack potential of ‘moderate’ or ‘high’ as set out in the standards referred to in Article 3;
  - the technical competences as specified in the state-of-the-art documents listed in Annex I;
- it has the requisite competences and put in place appropriate technical and operational measures to effectively protect confidential and sensitive information for assurance level ‘high’ in addition to the requirements set out in Article 43.”
The list of accredited and authorised conformity assessment bodies (CABs), as notified by the NCCAs to the European Commission, is available in the NANDO platform:
Notification and NANDO allow everyone to see, in one single place, which CABs meet the accreditation and, where relevant, authorisation requirements.