My favourites

TITLE III – Cybersecurity certification network (Art. 46-65)

Art. 46 CSA - European cybersecurity certification framework arrow_right_alt

Art. 47 CSA - The Union rolling work programme for European cybersecurity certification arrow_right_alt

Art. 48 CSA - Request for a European cybersecurity certification scheme arrow_right_alt

Art. 49 CSA - Preparation, adoption and review of a European cybersecurity certification scheme arrow_right_alt

Art. 50 CSA - Website on European cybersecurity certification schemes arrow_right_alt

Art. 51 CSA - Security objectives of European cybersecurity certification schemes arrow_right_alt

Art. 52 CSA - Assurance levels of European cybersecurity certification schemes arrow_right_alt

Art. 53 CSA - Conformity self-assessment arrow_right_alt

Art. 54 CSA - Elements of European cybersecurity certification schemes arrow_right_alt

Art. 55 CSA - Supplementary cybersecurity information for certified ICT products, ICT services and ICT processes arrow_right_alt

Art. 56 CSA - Cybersecurity certification arrow_right_alt

Art. 57 CSA - National cybersecurity certification schemes and certificates arrow_right_alt

Art. 58 CSA - National cybersecurity certification authorities arrow_right_alt

Art. 59 CSA - Peer review arrow_right_alt

Art. 60 CSA - Conformity assessment bodies arrow_right_alt

Art. 61 CSA - Notification arrow_right_alt

Art. 62 CSA - European Cybersecurity Certification Group arrow_right_alt

  1. The European Cybersecurity Certification Group (the ‘ECCG’) shall be established.
  2. The ECCG shall be composed of representatives of national cybersecurity certification authorities or representatives of other relevant national authorities. A member of the ECCG shall not represent more than two Member States.
  3. Stakeholders and relevant third parties may be invited to attend meetings of the ECCG and to participate in its work.
  4. The ECCG shall have the following tasks:
    1. to advise and assist the Commission in its work to ensure the consistent implementation and application of this Title, in particular regarding the Union rolling work programme, cybersecurity certification policy issues, the coordination of policy approaches, and the preparation of European cybersecurity certification schemes;
    2. to assist, advise and cooperate with ENISA in relation to the preparation of a candidate scheme pursuant to Article 49;
    3. to adopt an opinion on candidate schemes prepared by ENISA pursuant to Article 49;
    4. to request ENISA to prepare candidate schemes pursuant to Article 48(2);
    5. to adopt opinions addressed to the Commission relating to the maintenance and review of existing European cybersecurity certifications schemes;
    6. to examine relevant developments in the field of cybersecurity certification and to exchange information and good practices on cybersecurity certification schemes;
    7. to facilitate the cooperation between national cybersecurity certification authorities under this Title through capacity-building and the exchange of information, in particular by establishing methods for the efficient exchange of information relating to issues concerning cybersecurity certification;
    8. to support the implementation of peer assessment mechanisms in accordance with the rules established in a European cybersecurity certification scheme pursuant to point (u) of Article 54(1);
    9. to facilitate the alignment of European cybersecurity certification schemes with internationally recognised standards, including by reviewing existing European cybersecurity certification schemes and, where appropriate, making recommendations to ENISA to engage with relevant international standardisation organisations to address insufficiencies or gaps in available internationally recognised standards.
  5. With the assistance of ENISA, the Commission shall chair the ECCG, and the Commission shall provide the ECCG with a secretariat in accordance with point (e) of Article 8(1).
Related
Close tabsclose
  • 84
  • 94
  • 100
  • 103
  • 105

Recital 84

The Commission should prepare, with the support of the European Cybersecurity Certification Group (the ‘ECCG’) and the Stakeholder Cybersecurity Certification Group and after an open and wide consultation, a Union rolling work programme for European cybersecurity certification schemes and should publish it in the form of a non-binding instrument. The Union rolling work programme should be a strategic document that allows industry, national authorities and standardisation bodies, in particular, to prepare in advance for future European cybersecurity certification schemes. The Union rolling work programme should include a multiannual overview of the requests for candidate schemes which the Commission intends to submit to ENISA for preparation on the basis of specific grounds. The Commission should take into account the Union rolling work programme while preparing its Rolling Plan for ICT Standardisation and standardisation requests to European standardisation organisations. In light of the rapid introduction and uptake of new technologies, the emergence of previously unknown cybersecurity risks, and legislative and market developments, the Commission or the ECCG should be entitled to request ENISA to prepare candidate schemes which have not been included in the Union rolling work programme. In such cases, the Commission and the ECCG should also assess the necessity of such a request, taking into account the overall aims and objectives of this Regulation and the need to ensure continuity as regards ENISA’s planning and use of resources.

Following such a request, ENISA should prepare the candidate schemes for specific ICT products, ICT services and ICT processes without undue delay. The Commission should evaluate the positive and negative impact of its request on the specific market in question, especially its impact on SMEs, on innovation, on barriers to entry to that market and on costs to end users. The Commission, on the basis of the candidate scheme prepared by ENISA, should be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives laid down in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject matter, scope and functioning of the individual scheme. Those elements should include, among other things, the scope and object of the cybersecurity certification, including the categories of ICT products, ICT services and ICT processes covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended assurance level (‘basic’, ‘substantial’ or ‘high’) and the evaluation levels where applicable. ENISA should be able to refuse a request by the ECCG. Such decisions should be taken by the Management Board and should be duly reasoned.

Recital 94

With a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for ICT products, ICT services or ICT processes covered by a European cybersecurity certification scheme should cease to be effective from a date established by the Commission by means of implementing acts. Moreover, Member States should not introduce new national cybersecurity certification schemes for ICT products, ICT services or ICT processes already covered by an existing European cybersecurity certification scheme. However, Member States should not be prevented from adopting or maintaining national cybersecurity certification schemes for national security purposes. Member States should inform the Commission and the ECCG of any intention to draw up new national cybersecurity certification schemes. The Commission and the ECCG should evaluate the impact of the new national cybersecurity certification schemes on the proper functioning of the internal market and in light of any strategic interest in requesting a European cybersecurity certification scheme instead.

Recital 100

Without prejudice to the general peer review system to be put in place across all national cybersecurity certification authorities within the European cybersecurity certification framework, certain European cybersecurity certification schemes may include a peer-assessment mechanism for the bodies that issue European cybersecurity certificates for ICT products, ICT services and ICT processes with an assurance level ‘high’ under such schemes. The ECCG should support the implementation of such peer-assessment mechanisms. The peer assessments should assess in particular whether the bodies concerned carry out their tasks in a harmonised way, and may include appeal mechanisms. The results of the peer assessments should be made publicly available. The bodies concerned may adopt appropriate measures to adapt their practices and expertise accordingly.

Recital 103

With a view to ensuring the consistent application of the European cybersecurity certification framework, an ECCG that consists of representatives of national cybersecurity certification authorities or other relevant national authorities should be established. The main tasks of the ECCG should be to advise and assist the Commission in its work towards ensuring the consistent implementation and application of the European cybersecurity certification framework, to assist and closely cooperate with ENISA in the preparation of candidate cybersecurity certification schemes, in duly justified cases to request ENISA to prepare a candidate scheme, to adopt opinions addressed to ENISA on candidate schemes and to adopt opinions addressed to the Commission on the maintenance and review of existing European cybersecurity certifications schemes. The ECCG should facilitate the exchange of good practices and expertise between the various national cybersecurity certification authorities that are responsible for the authorisation of conformity assessment bodies and the issuance of European cybersecurity certificates.

Recital 105

In order to further facilitate trade, and recognising that ICT supply chains are global, mutual recognition agreements concerning European cybersecurity certificates may be concluded by the Union in accordance with Article 218 of the Treaty on the Functioning of the European Union (TFEU). The Commission, taking into account the advice from ENISA and the European Cybersecurity Certification Group, may recommend the opening of relevant negotiations. Each European cybersecurity certification scheme should provide specific conditions for such mutual recognition agreements with third countries.

Art. 63 CSA - Right to lodge a complaint arrow_right_alt

Art. 64 CSA - Right to an effective judicial remedy arrow_right_alt

Art. 65 CSA - Penalties arrow_right_alt