NP001 - Licensing process v1.0
Process describing how to get licensed to perform evaluation/certification activities under the Dutch NCCA.
📄 Document information
1. Introduction
1.1 Background and purpose
To be allowed to participate in the evaluation and/or certification of products, services and processes a Conformity Assessment Body (CAB) needs to be licensed by the Dutch NCCA, which requires an accreditation and an authorisation if applicable. Conformity Assessment Body is a umbrella term under the Cybersecurity Act for bodies that perform certification activities (e.g. CBs) and bodies that perform evaluation activities (such as design and documentation review, sampling, testing, inspection and audit). It is allowed for an CAB to perform both evaluation and certification activities, as long as the separation of activities is ensured.
This document provides details of the steps and activities that the parties involved shall take in the licensing process. The overall goal is to ensure that the formal approval can be given efficiently based on a process that reduces risks for all stakeholders by having the following characteristics:
- Quality: approval based on verification that a CAB meets the scheme requirements
- Predictability: assurance that licensing approval stays on track
- Timeliness: fast final approval based on intermediate results
Accreditation is to be performed by an European National Accreditation Body (NAB). In the Netherlands, this is the Dutch accreditation council/Raad voor Accreditatie (RvA).
The accreditation scope reflects, among others, the CSA certification scheme and the highest assurance level supported by the CAB.
- Bodies that wish to perform certification activities must be accredited under the ISO/IEC 17065 standard, for the CSA certification scheme and the CSA Assurance Levels on which it wants to be active.
- Bodies that wish to perform evaluation activities must be accredited for the applicable CSA certification scheme and the applicable ISO/IEC standard mentioned in the scheme implementing regulation and State-of-the-Art documents.
A scheme may include additional scheme requirements for the CABs, depending on the certification scheme and the assurance level on which the organisation wishes to perform activities. In the case of additional scheme requirements a formal authorisation decision by the NCCA is required in addition to the accreditation.
The Dutch NCCA works in close cooperation with the RvA during its accreditation process to proactively assess these additional scheme requirements. By covering these additional scheme requirements in the accreditation process and decision, all requirements will be assessed at the same time, which ensures efficiency and timeliness. In general this means that for the Dutch NCCA to reach an authorisation decision in the licensing process, no additional assessments will take place besides some administrative checks.
If accreditation is conducted by an European National Accreditation Body other than the RvA, the Dutch NCCA will perform an authorisation assessment to check the additional scheme requirements. For this assessment, the Dutch NCCA may base its conclusions on documentation provided by the CAB and if necessary perform specific audits.
Note that for new accreditation requests there is an additional requirement to conduct at least one certification/evaluation project.
After a positive decision on the licensing request, the Dutch NCCA will publish the licensing status on its website and inform ENISA of the licensing status including applicable scope.
1.2 Information products
Information product | From | To | Description |
---|---|---|---|
Licensing request | CAB | NCCA | Official notification from a CAB to the NCCA that they wish to be licensed to operate under an EU scheme. It consists of a licensing form, accreditation evidence and, when applicable, authorisation evidence. |
Licensing form | CAB | NCCA | Form that the CAB fills in for its licensing request at the Dutch NCCA. |
Accreditation evidence | CAB | NCCA | Evidence showing that the CAB is accredited for the requested scope of licensing. |
Authorisation evidence | CAB | NCCA | Evidence showing the fulfilment of the additional scheme requirements for the requested scope of licensing. |
Licensing review report | NCCA | NCCA | NCCA internal report in which the NCCA keeps track of everything leading up to the rejection or acceptance of the licensing request. |
Approval of licensing request | NCCA | CAB | Letter from the NCCA informing the CAB that the licensing request has been approved. |
Rejection of licensing request | NCCA | CAB | Letter from the NCCA informing the CAB that the licensing request has been rejected. |
All documents or other material exchanged with the NCCA shall be in electronic form and in the English language. If the material contains proprietary or sensitive information, it should be submitted in encrypted form with PGP encryption using the public NCCA keys, which can be downloaded from the NCCA website.
Please refer to the NCCA instruction NI001 - Information exchange for further guidelines on how documents or other material shall be exchanged with the NCCA.
1.3 Roles
Role | Responsible entity | Description |
---|---|---|
CAB manager | CAB | Person at the CAB that is in charge of obtaining a licensing status under the Dutch NCCA. |
Licensing auditor | NCCA | Person responsible for performing the necessary checks to verify that the CAB fulfils all applicable requirements for the requested licensing scope. |
Audit supervisor | NCCA | Supervisor that checks the work of the licensing auditors and prepares the final approval or rejection decision on the licensing request. |
2. Licensing process
The Licensing Process only consists of one phase: the Licensing Phase.
2.1 Phase 1: Licensing phase
2.1.1 Step 1.1 Prepare licensing request
Responsible: CAB | Executed by: CAB manager |
---|
|
Responsible: CAB | Executed by: CAB manager |
---|
|
Note: In the Netherlands the accreditation assessment by the RvA includes all scheme requirements, including the additional scheme requirements. This means that a RvA accreditation report should provide the necessary evidence that these additional scheme requirements are fulfilled. |
Responsible: CAB | Executed by: CAB manager |
---|
|
Note: This evidence may be in the form of an accreditation report (if the additional scheme requirements were included in the accreditation assessment), a separate authorisation report issued by another NCCA or evidence compiled by the CAB itself. Note: In the Netherlands the accreditation assessment by the RvA includes all scheme requirements, including the additional scheme requirements. This means that a RvA accreditation report should provide the necessary evidence that these additional scheme requirements are fulfilled. |
Responsible: CAB | Executed by: CAB manager |
---|
|
The reception of the licensing request is a milestone for the NCCA after which the request has to be processed within the legally defined terms.
2.1.2 Step 1.2: Assess licensing request
Responsible: NCCA | Executed by: Audit supervisor |
---|
|
|
Responsible: NCCA | Executed by: Licensing auditor |
---|
|
|
|
Responsible: NCCA | Executed by: Licensing auditor |
---|
|
Responsible: NCCA | Executed by: Licensing auditor |
---|
Note: If the Accreditation was performed by the RvA, these requirement should have been assessed in the RvA accreditation process in cooperation with the Dutch NCCA. This means that no additional assessment should be needed since the additional scheme requirements have already been assessed. Note: The NCCA might contact NAB and/or other NCCA to verify the additional scheme requirements are fulfilled for its authorisation decision. Note: The NCCA might conduct additional document research or physical audits to gather information needed to verify the additional scheme requirements are fulfilled for its authorisation decision. |
Responsible: NCCA | Executed by: Audit supervisor |
---|
|
|
|
|
The approval of the licensing request is a milestone for the CAB after which they are formally licensed to conduct evaluation/certification activities under the Dutch NCCA for the approved scope.
In case of rejection the licensing process stops and the CAB is not formally licensed to conduct evaluation/certification activities under the Dutch NCCA for the requested scope. A new submission of a licensing request is required to restart the process.
3. Maintenance of licensing status
To maintain a licensing status, the CAB needs to prove continued compliance with all accreditation- and, if applicable, additional scheme requirements. For maintaining an accreditation under the RvA, the standard RvA “Maintenance of existing accreditation” process will be followed. For accreditation under other National Accreditation Bodies, refer to their own guidance.
The process for maintaining a licensing status under the Dutch NCCA will be described in v2.0 of this document, which will be published once the first CABs become licensed and guidance about the maintenance of this licensing status becomes relevant.