The Dutch NCCA usually organises a CSA stakeholder meeting every six months for all parties involved in EU cybersecurity certification. However, since there is little news to report following the ECCG meeting of July 3rd, we are focusing our efforts on operationalising the Dutch EUCC ecosystem.

In the absence of a CSA stakeholder meeting, we’ve prepared this newsletter to briefly update you on the latest developments.

Licensing of first EUCC CB

The Dutch Authority for Digital Infrastructure (RDI), in its role as National Cybersecurity Certification Authority (NCCA), has licensed its first Certification Body (CB) under the European Cybersecurity Act (CSA). TrustCB has been authorised to certify IT products at assurance level 'high' under the European Common Criteria certification scheme in the Netherlands.

The licensing status of TrustCB and the IT Security Evaluation Facilities (ITSEFs) they work with can be found on the overview of EUCC licensed bodies.

In this collaboration, an ITSEF evaluates whether a product meets established security standards and reports its findings to the CB. Based on this reporting, the CB may decide to issue a certificate for the evaluated product.

With the licensing of the first EUCC CB, and the ITSEFs it collaborates with, the Dutch EUCC ecosystem is now operational.

The EUCC is the European certification scheme for IT products based on the international Common Criteria standard (ISO/IEC 15408). The EUCC provides a harmonised framework within the EU for assessing and certifying the security properties of IT products. An EUCC certificate is recognised throughout the EU, eliminating the need for certification per individual member state.

More licensed CB(s) are expected to follow during the year.

Licensing of EUCC ITSEFs

Last week, the Dutch NCCA licensed its fourth IT Security Evaluation Facility (ITSEF) under the European Cybersecurity Act (CSA). SERMA Safety and Security has been authorised to perform evaluations under the EUCC scheme for IT products at assurance level ‘high’ through the Netherlands.

With this status, SERMA Safety and Security joins SGS Brightsight, Applus+ Laboratories and CCLab as a licensed ITSEF on the overview of EUCC licensed bodies.

More licensed ITSEF(s) are expected to follow during the year.

Scheme updates

EUCS

We have reiterated to the European Commission the need for the Cybersecurity Certification Scheme for Cloud Services (EUCS), due to its links with other regulations such as NIS2, the AI Act, and the CRA. The EUCS scheme sets the European standard for increasing the security level of cloud services, particularly the services of European providers.

EUCC

The next update to the EUCC Implementing Regulation is expected at the end of this year. In the meantime, it is recommended to start using the draft state-of-the-art documents on vulnerability management.

EUMSS

ENISA has accepted the committee's mandate to develop the managed security services framework and issued a call for experts to serve on the Ad Hoc Working Group. Actual development is expected to begin in October.

EU5G

Development is focused on the next element, which is important for the EU wallet, the eSIM, and the onboarding process. The rest of the development is on hold.

EUID Wallet

Development is ongoing.

EUIoT

ENISA will start a feasibility study.

Register for stakeholder meetings

To be invited to future CSA stakeholder meetings, please send an email to info@dutchncca.nl with your name, organisation, and a statement of your interest in the CSA stakeholder meetings. After this, we will send you a confirmation email with a link to join the session(s). You can also invite your colleagues or other interested parties to join by forwarding the invitation to them.

Kind regards,

NCCA the Netherlands