About the NCCA

The National Cybersecurity Certification Authority (NCCA) of the Netherlands is the Dutch government body established as part of the Cybersecurity Act.

The main responsibilities of the Dutch NCCA are to:

  1. Oversee the issuing of CSA certificates at the CSA’s assurance level High;
  2. Authorise Certification Bodies and Testing Laboratories for the CSA certification system;
  3. Supervise issued certificates throughout the lifecycle of the certified products and services;
  4. Contribute to the development and maintenance of CSA certification schemes.

The Dutch NCCA prioritises an efficient certification process and has put processes in place in close consultation with commercial Conformity Assessment Bodies (CABs). This reduces processing times and bureaucracy.

Formally, all Dutch NCCA activities are carried out by the Dutch Authority for Digital Infrastructure.

Prior approval model

The Netherlands has implemented the ‘prior approval model’ for certification at the assurance level High. Under the prior approval model, the Conformity Assessment Bodies (CABs) and Certification Bodies (CBs) conduct the assessment and certification process themselves. The Dutch NCCA oversees this certification process in close communication with CABs. Information is collected so that the certificate can be issued more swiftly at the end of the process.

The Dutch NCCA has set up its processes in coordination with the CABs. These aligned processes will facilitate efficient certification at the assurance level High, according to the certification schemes from the CSA. As a result, the Netherlands is able to process certification requests rapidly and in an agile way. In addition, the use of certification knowledge and expertise in the market continues to be optimised while working with the prior approval model.

The Dutch implementation of the prior approval model ensures that the certification process is efficient and transparent.

Overview of the NCCA’s responsibilities

The NCCA is divided into two departments with different responsibilities: NCCA certification and NCCA supervision. This distinction is made to ensure independent supervision of certificates approved by the NCCA.

NCCA certification involves:

  • Assessing whether a Conformity Assessment Body (CAB) can perform European CSA certification assessments (authorisation);
  • Reviewing the certification activities and certification report before the Certification Body issues certificates at the CSA’s assurance level High. In case of compliance, the NCCA will approve the issuing of certificates by the Certification Body;
  • Authorising accredited CAB/CBs and testing laboratories to perform activities under a specific CSA certification scheme. Those parties must comply with the general CSA requirements and the additional requirements for the scheme.

NCCA supervision involves:

  • Overseeing the compliance of certified products and services with the requirements of the scheme. This oversight extends throughout the lifecycle of the product or service, until the expiration date of the CSA certificate;
  • Overseeing the compliance of authorised certification bodies and testing laboratories with the general CSA requirements and additional scheme requirements for which they are accredited.