Information for certifiers and assessors

The Cybersecurity Act (CSA) came into force in 2019 and introduces a European cybersecurity certification system for ICT products, services, and processes.

Conformity Assessment Bodies (CABs) and testing laboratories now have the opportunity to enter this newly created European market for cybersecurity certification. This market will be stimulated by forthcoming EU regulation that, in specific cases, will make certification mandatory for ICT products and services. Over the years, the number of certification schemes will grow to cover a wide variety of certification scopes.

In the Netherlands, we place high value on efficient certification processes. To ensure this, the Dutch National Cybersecurity Certification Authority (NCCA) has set up its processes in close collaboration with commercial Conformity Assessment Bodies. With these aligned processes the Dutch NCCA facilitates certification optimally, decreasing processing time and bureaucracy.

CSA accreditation & authorisation

Every CAB and testing organisation must be compliant with the CSA criteria in order to work under the CSA certification system. The basic criteria are:

  1. Accreditation for an EU certification scheme by the National Accreditation Body (NAB, in Dutch: Raad voor Accreditatie, RvA); and
  2. Authorisation by the National Cybersecurity Certification Authority (NCCA).

The CAB will be subject to ISO 17065, while the testing laboratories will be subject to ISO 17025 and possibly ISO 17020.

An EU certification scheme may provide additional criteria. If such criteria are defined, their fulfilment will be verified as part of the authorisation.

In the Netherlands, the NCCA and the NAB work together closely to make the process of accreditation and authorisation as efficient as possible.

Any accredited (and authorised) certification body and testing organisation will be registered on the European ENISA Certification website, and the certificates issued will also be registered on that website.

Approval prior to issuing a certificate

CSA certification is available at three assurance levels: Basic, Substantial and High. Each scheme defines which levels are applicable within that scheme. Certification at the assurance levels Basic or Substantial is always conducted by a CAB. Certification at the assurance level High can be carried out by either a CAB or the NCCA itself, depending on the implementation method chosen by the EU member state.

The Netherlands has chosen the ‘prior approval model’ for NCCA tasks, which allows the CABs to conduct the assessment and certification process themselves for the assurance level High. As a result, the Netherlands is able to process these certification requests rapidly and in an agile manner.

To issue a certificate at the assurance level High, the certification body needs an approval from the NCCA prior to issuing the certificate. The NCCA will therefore review the certification before it is issued. The Dutch NCCA will strive to make the review process as efficient as possible for the CABs. Early monitoring of the certification process by the Dutch NCCA will lead to shorter review times at the end of the process. The prior approval process will be attuned to the needs of the individual certification schemes. An interaction model of this process is coming soon.

Obligations under the CSA

The CSA schemes involve certain obligations and supervision by the NCCA. We are currently creating an overview of these obligations and will add it to this page when it is ready.