My favourites

TITLE III – Cybersecurity certification network (Art. 46-65)

Art. 46 CSA - European cybersecurity certification framework arrow_right_alt

Art. 47 CSA - The Union rolling work programme for European cybersecurity certification arrow_right_alt

Art. 48 CSA - Request for a European cybersecurity certification scheme arrow_right_alt

Art. 49 CSA - Preparation, adoption and review of a European cybersecurity certification scheme arrow_right_alt

Art. 50 CSA - Website on European cybersecurity certification schemes arrow_right_alt

Art. 51 CSA - Security objectives of European cybersecurity certification schemes arrow_right_alt

Art. 52 CSA - Assurance levels of European cybersecurity certification schemes arrow_right_alt

Art. 53 CSA - Conformity self-assessment arrow_right_alt

  1. A European cybersecurity certification scheme may allow for the conformity self-assessment under the sole responsibility of the manufacturer or provider of ICT products, ICT services or ICT processes. Conformity self-assessment shall be permitted only in relation to ICT products, ICT services and ICT processes that present a low risk corresponding to assurance level ‘basic’.
  2. The manufacturer or provider of ICT products, ICT services or ICT processes may issue an EU statement of conformity stating that the fulfilment of the requirements set out in the scheme has been demonstrated. By issuing such a statement, the manufacturer or provider of ICT products, ICT services or ICT processes shall assume responsibility for the compliance of the ICT product, ICT service or ICT process with the requirements set out in that scheme.
  3. The manufacturer or provider of ICT products, ICT services or ICT processes shall make the EU statement of conformity, technical documentation, and all other relevant information relating to the conformity of the ICT products or ICT services with the scheme available to the national cybersecurity certification authority referred to in Article 58 for the period provided for in the corresponding European cybersecurity certification scheme. A copy of the EU statement of conformity shall be submitted to the national cybersecurity certification authority and to ENISA.
  4. The issuing of an EU statement of conformity is voluntary, unless otherwise specified in Union law or Member State law.
  5. EU statements of conformity shall be recognised in all Member States.
Related
Close tabsclose
  • 69
  • 79
  • 80
  • 81
  • 82
  • 91
  • 97

Recital 69

Therefore, it is necessary to adopt a common approach and to establish a European cybersecurity certification framework that lays down the main horizontal requirements for European cybersecurity certification schemes to be developed and allows European cybersecurity certificates and EU statements of conformity for ICT products, ICT services or ICT processes to be recognised and used in all Member States. In doing so, it is essential to build on existing national and international schemes, as well as on mutual recognition systems, in particular SOG-IS, and to make possible a smooth transition from the existing schemes under such systems to schemes under the new European cybersecurity certification framework. The European cybersecurity certification framework should have a twofold purpose. First, it should help increase trust in ICT products, ICT services and ICT processes that have been certified under European cybersecurity certification schemes. Second, it should help avoid the multiplication of conflicting or overlapping national cybersecurity certification schemes and thus reduce costs for undertakings operating in the digital single market. The European cybersecurity certification schemes should be non-discriminatory and based on European or international standards, unless those standards are ineffective or inappropriate to fulfil the Union’s legitimate objectives in that regard.

Recital 79

European cybersecurity certification schemes could provide for a conformity assessment to be carried out under the sole responsibility of the manufacturer or provider of ICT products, ICT services or ICT processes (‘conformity self-assessment’). In such cases, it should be sufficient that the manufacturer or provider of ICT products, ICT services or ICT processes itself carry out all of the checks to ensure that the ICT products, ICT services or ICT processes conform with the European cybersecurity certification scheme. Conformity self-assessment should be considered to be appropriate for low complexity ICT products, ICT services or ICT processes that present a low risk to the public, such as simple design and production mechanisms. Moreover, conformity self-assessment should be permitted for ICT products, ICT services or ICT processes only where they correspond to assurance level ‘basic’.

Recital 80

European cybersecurity certification schemes could allow for both conformity self-assessments and certifications of ICT products, ICT services or ICT processes. In such a case, the scheme should provide for clear and understandable means for consumers or other users to differentiate between ICT products, ICT services or ICT processes with regard to which the manufacturer or provider of ICT products, ICT services or ICT processes is responsible for the assessment, and ICT products, ICT services or ICT processes that are certified by a third party.

Recital 81

The manufacturer or provider of ICT products, ICT services or ICT processes who carry out a conformity self-assessment should be able to issue and sign the EU statement of conformity as part of the conformity assessment procedure. An EU statement of conformity is a document that states that a specific ICT product, ICT service or ICT process complies with the requirements of the European cybersecurity certification scheme. By issuing and signing the EU statement of conformity, the manufacturer or provider of ICT products, ICT services or ICT processes assumes responsibility for the compliance of the ICT product, ICT service or ICT process with the legal requirements of the European cybersecurity certification scheme. A copy of the EU statement of conformity should be submitted to the national cybersecurity certification authority and to ENISA.

Recital 82

Manufacturers or providers of ICT products, ICT services or ICT processes should make the EU statement of conformity, technical documentation, and all other relevant information relating to the conformity of the ICT products, ICT services or ICT processes with a European cybersecurity certification scheme available to the competent national cybersecurity certification authority for a period provided for in the relevant European cybersecurity certification scheme. The technical documentation should specify the requirements applicable under the scheme and should cover the design, manufacture and operation of the ICT product, ICT service or ICT process to the extent relevant to the conformity self-assessment. The technical documentation should be so compiled as to enable the assessment of whether an ICT product or ICT service complies with the requirements applicable under that scheme.

Recital 91

Recourse to European cybersecurity certification and to EU statements of conformity should remain voluntary, unless otherwise provided for in Union law, or in Member State law adopted in accordance with Union law. In the absence of harmonised Union law, Member States are able to adopt national technical regulations providing for mandatory certification under a European cybersecurity certification scheme in accordance with Directive (EU) 2015/1535 of the European Parliament and of the Council (1). Member States also have recourse to European cybersecurity certification in the context of public procurement and of Directive 2014/24/EU of the European Parliament and of the Council (2).


(1) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1).
(2) Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65).

Recital 97

Once a European cybersecurity certification scheme is adopted, manufacturers or providers of ICT products, ICT services or ICT processes should be able to submit applications for certification of their ICT products or ICT services to the conformity assessment body of their choice anywhere in the Union. Conformity assessment bodies should be accredited by a national accreditation body if they comply with certain specified requirements set out in this Regulation. Accreditation should be issued for a maximum of five years and should be renewable on the same conditions provided that the conformity assessment body still meets the requirements. National accreditation bodies should restrict, suspend or revoke the accreditation of a conformity assessment body where the conditions for the accreditation have not been met or are no longer met, or where the conformity assessment body infringes this Regulation.

Art. 54 CSA - Elements of European cybersecurity certification schemes arrow_right_alt

Art. 55 CSA - Supplementary cybersecurity information for certified ICT products, ICT services and ICT processes arrow_right_alt

Art. 56 CSA - Cybersecurity certification arrow_right_alt

Art. 57 CSA - National cybersecurity certification schemes and certificates arrow_right_alt

Art. 58 CSA - National cybersecurity certification authorities arrow_right_alt

Art. 59 CSA - Peer review arrow_right_alt

Art. 60 CSA - Conformity assessment bodies arrow_right_alt

Art. 61 CSA - Notification arrow_right_alt

Art. 62 CSA - European Cybersecurity Certification Group arrow_right_alt

Art. 63 CSA - Right to lodge a complaint arrow_right_alt

Art. 64 CSA - Right to an effective judicial remedy arrow_right_alt

Art. 65 CSA - Penalties arrow_right_alt