The Dutch NCCA is the designated National Cybersecurity Certification Authority of the Netherlands, established under the Cybersecurity Act (CSA).

The main responsibilities of the National Cybersecurity Certification Authority (NCCA) are to:    

  1. Oversee the issuing of EU cybersecurity certificates at the CSA’s assurance level High;
  2. Authorise Conformity Assessment Bodies (CABs) for the CSA certification schemes;
  3. Supervise certificates issued throughout the lifecycle of certified ICT products and services;
  4. Contribute on European level to the development and maintenance of CSA certification schemes.

The Dutch NCCA prioritises efficiency, and has put processes in place in close consultation with commercial CABs. This reduces processing times and bureaucracy.

Formally, all Dutch NCCA activities are carried out by the Dutch Authority for Digital Infrastructure. This website was developed by the Dutch Authority for Digital Infrastructure to provide comprehensive information about cybersecurity certitifation to its stakeholders.

Overview of the NCCA’s responsibilities

The Dutch NCCA is divided into two departments, both with different responsibilities. This distinction is made to ensure independent supervision of certificates approved by the NCCA.

NCCA ex ante supervision involves:    

  • Assessing whether a Conformity Assessment Body (CAB) can perform European EU cybersecurity certification assessments;
  • Before a body performing certification activities can issue a certificate at the CSA’s assurance level High, the NCCA reviews the certification activities and certification report. In case of compliance, the NCCA will approve the issuing of the certificate;
  • Authorising CABs to perform activities under a specific CSA certification scheme. Those parties must comply with the general CSA requirements and the additional requirements for the scheme.

NCCA ex post supervision involves:

  • Overseeing the compliance of certified products and services with the requirements of the scheme. This oversight is extended throughout the life cycle of the product or service and until the expiration date of the EU cybersecurity certificate;
  • Overseeing the compliance of authorised certification bodies and testing laboratories with the general CSA requirements and additional scheme requirements for which they are accredited.