With the "EU Cybersecurity Certification Scheme on Common Criteria (EUCC)" now in effect and the "Netherlands scheme for Certification in the Area of IT Security (NSCIB)" becoming inactive, the Dutch NCCA has prepared this update to provide insights into the current developments within the EUCC ecosystem in the Netherlands.
Authorisation of first Dutch EUCC ITSEF
RDI, as the National Cybersecurity Certification Authority (NCCA) in the Netherlands, has authorised its first Dutch IT Security Evaluation Facility (ITSEF) under the European Cybersecurity Act (CSA). SGS Brightsight is the first Dutch test laboratory authorised to perform evaluations under the European Common Criteria certification scheme (EUCC) for IT products at assurance level ‘high’.
Image: © SGS Brightsight
SGS Brightsight BV, based in Delft, is authorised to conduct security evaluations of IT products as an independent test laboratory. The authorisation is for the highest level of assurance under the Cybersecurity Act (CSA). The RDI determined that SGS Brightsight possesses the expertise to conduct product evaluations and has implemented appropriate security requirements to protect confidential and sensitive information.
Authorisation of first Dutch EUCC Certification Body
For a Certification Body (CB) to issue EUCC certificates at assurance level ‘high’ through the Netherlands, both the CB and the ITSEF that performed the evaluation must be authorised by the Dutch NCCA.
In the Netherlands, the authorisation requirements are assessed during the accreditation process, with support from technical assessors provided by the Dutch NCCA. This enables the Dutch NCCA to base its authorisation decision on the assessments conducted during the accreditation process.
Given the foundational role commercial CBs play in the Dutch ecosystem, the Dutch NCCA will proactively prepare its own reporting on the authorisation requirements assessed during the accreditation process. This approach will allow the NCCA to reach an authorisation decision more quickly once accreditation has been granted.
EUCC certification projects
CBs and ITSEFs that have achieved the following milestones are permitted by the Dutch NCCA to initiate EUCC projects through the Netherlands:
- The CB/ITSEF must have successfully completed the preliminary assessment phase of their accreditation process.
- The CB/ITSEF must have submitted a licensing request to the Dutch NCCA.
In line with these conditions, we have received and started approving the first EUCC assessment plans.
After the approval of the assessment plan, a similar approach to evaluator reporting will be followed as under NSCIB (see NI002, previously known under NSCIB as NSP6). This approach ensures predictability of project timelines and responsiveness due to intermediate results that are faster to review.
Please note that certificates can only be issued once both the involved CB and ITSEF have been licensed by the Dutch NCCA.