Information for suppliers

Growing numbers of manufacturers and service providers of ICT products and services are becoming interested in European cybersecurity certification under the Cybersecurity Act (CSA).

In some cases, certification may lead to a market advantage while in other cases certification provides an opportunity to demonstrate compliance with EU regulation.

Advantages of EU cybersecurity certification

CSA certificates are recognised throughout the EU, which reduces overall certification costs. National-level cybersecurity certification schemes will be replaced by CSA certification schemes provided they have a comparable scope.

CSA certificates give businesses and individual consumers accurate information regarding the security assurance applicable to their certified ICT products, services and processes. The availability of cyber-resilient products and services is becoming ever more important for business continuity. The increase in the demand for secure products will be promoted by upcoming EU regulation.

CSA assurance levels

In principle, CSA certification is possible at three assurance levels: Basic, Substantial and High. However, the certification schemes will define which assurance levels are in scope of the scheme.

Certification at the assurance level Basic is conducted by a Conformity Assessment Body (CAB) or with a conformity self-assessment if allowed by the scheme. Certification at the assurance level Substantial is conducted by a CAB. Certification at the assurance level High can be carried out by either CABs or the NCCA itself, depending on the implementation method chosen by the EU member state.

Efficient, flexible, high-quality certification in the Netherlands

The National Cybersecurity Certification Authority (NCCA) of the Netherlands makes the certification process as flexible and efficient as possible while maintaining high standards of quality.

The Netherlands has chosen the Prior approval model for the implementation of the NCCA tasks, which allows the CABs to conduct the assessment and certification process themselves for the assurance level High. As a result, the Netherlands is able to process these certification requests rapidly, flexibly and responsively. For CSA assurance levels Basic and Substantial, the NCCA monitors the certificates only after they are issued, by means of random checks. Certified products and services must remain compliant until the expiration date of the certificate and during the whole product-service life cycle.

EU regulation and time to market

Under forthcoming EU regulation, the use of certified products and services may become mandatory for some vital and important sectors such as energy, transport and telecommunication. In other cases, certification may become mandatory in order to enter EU markets. Staying up to date with new EU regulation regarding cybersecurity will be a clear advantage.

How to certify an ICT product, service or process

The first step in certifying an ICT product, service or process under the CSA is to determine which certification scheme to use. For each scheme, a certification process will be developed in order to provide further guidance on how to get certified. The first scheme is the EUCC Common Criteria scheme for product certification. The second is the EUCS for certification of cloud services. Other schemes are expected in the coming years, such as schemes for 5G network components, the Internet of Things (IoT), artificial intelligence and Industrial Automated Control Systems (IACS). The CSA Union Rolling Work Programme of the European Commission sets the priorities for the development of these schemes.

Obligations under the CSA

Under the CSA, holders of CSA certificates and conformity self-assessments have certain obligations and are subject to supervision by the NCCA. We are currently creating an overview of these obligations and will add this overview here as soon as it is ready.