Cybersecurity certification

With the adoption of the Cybersecurity Act (CSA), a new system for cybersecurity certification is introduced within the EU. This system provides an EU-wide approach towards cybersecurity certification where issued certificates are applicable across the EU and valid in all member states.

CSA certificates give businesses and individual consumers accurate information regarding the security assurance of their certified ICT-products, services and processes. Although certification does not mean that a product is cyber-secure (as explicitly stated in the CSA), a certificate does demonstrate compliance with the criteria of a cybersecurity scheme.

European cybersecurity certification is in principle voluntary. However, it can and most likely will be made mandatory by other EU law or by member state law adopted in accordance with EU law. This could be the case for general cybersecurity requirements in specific EU and/or member state law which are presumed to be met if a valid certificate can be provided.

No CSA certificates have been issued yet. Once the first certificate has been issued, a list of all certificates issued within the Netherlands under the Cybersecurity Act (CSA) will be maintained here. The European cybersecurity agency ENISA will also maintain a certification website listing all issued certificates.

On each CSA certificate you can find information about the validity of the certificate and under which certification scheme the certificate has been issued. If you want to check the validity of a certificate, please follow these steps.

The Dutch NCCA has developed a unique and efficient certification process which enables certification projects to conclude in a predictable timeframe and timely manner.

CSA certification schemes

In order to certify a wide range of products, services and processes in the field of cybersecurity, multiple certification schemes are being developed under the Cybersecurity Act (CSA). Each scheme has its own scope, its own specific application and its own set of certification requirements.

Below you will find a brief introduction to the schemes that are currently active or will come into effect in the near future. An overview of all certification scheme development plans and timelines is provided here.

Common Criteria certification

Based on Common Criteria, a specific certification scheme is being developed within Europe to enable Europe-wide certification against Common Criteria (EUCC). Common Criteria is a set of specifications and guidelines for evaluating and certifying the cybersecurity of software, hardware and firmware.

Cloud certification

EUCS, short for ‘European Union Cybersecurity Certification Scheme on Cloud Services’, is one of the first schemes to be developed under the CSA. This scheme boosts trust in cloud services by defining a reference set of security requirements. It is applicable to all kinds of cloud services – IaaS, PaaS, SaaS, and other cloud services including subservices.