NCCA - Frequently Asked Questions (FAQ)
-
Article 58 para. 4 CSA
"Member States shall ensure that the activities of the national cybersecurity certification authorities that relate to the issuance of European cybersecurity certificates referred to in point (a) of Article 56(5) and in Article 56(6) are strictly separated from their supervisory activities set out in this Article and that those activities are carried out independently from each other."
BSI fulfils this separation by locating the supervising NCCA and the certifying NCCA in different branches of the department SZ (Standardization, Certification and Cybersecurity of Telecommunication Networks). The two branches operate independently of each other.
-
Article 56 CSA
"5. By way of derogation from paragraph 4, in duly justified cases a European cybersecurity certification scheme may provide that European cybersecurity certificates resulting from that scheme are to be issued only by a public body. Such body shall be one of the following:
(a) a national cybersecurity certification authority as referred to in Article 58(1); or
[...]6. Where a European cybersecurity certification scheme adopted pursuant to Article 49 requires an assurance level 'high', the European cybersecurity certificate under that scheme is to be issued only by a national cybersecurity certification authority or, in the following cases, by a conformity assessment body:
(a) upon prior approval by the national cybersecurity certification authority for each individual European cybersecurity certificate issued by a conformity assessment body; or
(b) on the basis of a general delegation of the task of issuing such European cybersecurity certificates to a conformity assessment body by the national cybersecurity certification authority."
Based on the Cybersecurity Act, BSI as NCCA issues certificates at assurance level 'high' as defined in Article 52(7) CSA and in each relevant European cybersecurity certification scheme (cf. Article 54 CSA).
-
Article 58 para. 7 CSA
"National cybersecurity certification authorities shall:
(a) supervise and enforce rules included in European cybersecurity certification schemes pursuant to point (j) of Article 54(1) for the monitoring of the compliance of ICT products, ICT services and ICT processes with the requirements of the European cybersecurity certificates that have been issued in their respective territories, in cooperation with other relevant market surveillance authorities;
(b) monitor compliance with and enforce the obligations of the manufacturers or providers of ICT products, ICT services or ICT processes that are established in their respective territories and that carry out conformity self-assessment, and shall, in particular, monitor compliance with and enforce the obligations of such manufacturers or providers set out in Article 53(2) and (3) and in the corresponding European cybersecurity certification scheme;
(c) without prejudice to Article 60(3), actively assist and support the national accreditation bodies in the monitoring and supervision of the activities of conformity assessment bodies, for the purposes of this Regulation;
(d) monitor and supervise the activities of the public bodies referred to in Article 56(5)"
National Legislation:
§ 9a Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSIG)
(1) "The Federal Office is the national cybersecurity certification authority within the meaning of Article 58(1) of Regulation (EU) 2019/881.
(2) On application, the Federal Office may grant conformity assessment bodies that operate within the scope of Regulation (EU) 2019/881 and of § 9 of this Act an authorisation to act as such, provided that the requirements of the relevant European cybersecurity certification scheme under Article 54 of Regulation (EU) 2019/881 or of § 9 of this Act are met. Without an authorisation granted by the Federal Office, conformity assessment bodies may not operate within the scope of Regulation (EU) 2019/881."
The tasks of the supervising NCCA are defined in Article 58 CSA. They include in particular monitoring compliance with the rules of the European cybersecurity certification schemes. According to § 9a BSIG, BSI is designated as the supervising NCCA. In this role BSI is empowered to authorise national conformity assessment bodies (CABs). Without an authorisation by BSI, CABs are not allowed to operate within the European cybersecurity certification framework. Manufacturers who use a European conformity self-assessment for assurance level 'basic' are monitored by the NCCA's market surveillance at BSI.
-
Article 56 para. 4 CSA
"The conformity assessment bodies referred to in Article 60 shall issue European cybersecurity certificates pursuant to this Article referring to assurance level 'basic' or 'substantial' on the basis of criteria included in the European cybersecurity certification scheme adopted by the Commission pursuant to Article 49."
BSI as NCCA certification body does not issue European cybersecurity certificates at assurance level 'basic' or 'substantial'. Assurance level 'basic' is addressed by the manufacturers or providers of ICT products, ICT services or ICT processes that present a low risk, by means of the EU statement of conformity as set out in Article 53 CSA. Assurance level 'substantial' is addressed by conformity assessment bodies (CABs) according to Article 60 CSA. The CABs shall provide assurance that the ICT products, ICT services and ICT processes for which the certificate is issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources.
-
BSI as supervising NCCA has extensive powers to supervise and enforce compliance with the requirements of the European cybersecurity certificates according to article 58 para. 8 CSA and § 9a Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSIG). This includes:
- providing information (Art. 58 para. 8 a) CSA in conjunction with § 9a para. 3 BSIG),
- carrying out investigations in the form of audits (Art. 58 para. 8 b) CSA in conjunction with § 9a para. 4 BSIG),
- obtaining access to the premises of any conformity assessment body or holder of European cybersecurity certificates (Art. 58 para. 8 d) CSA in conjunction with § 9a para. 5 BSIG),
- possibility to withdraw European cybersecurity certificates (Art. 58 para. 8 e) CSA in conjunction with § 9a para. 6 BSIG),
- taking appropriate measures and if necessary penalties (Art. 58 para. 8 c), f) CSA in conjunction with § 14 para. 2, 3, 4, 5 BSIG).
-
Article 58 para. 7 CSA
"National cybersecurity certification authorities shall:
(f) handle complaints by natural or legal persons in relation to European cybersecurity certificates issued by national cybersecurity certification authorities or to European cybersecurity certificates issued by conformity assessment bodies in accordance with Article 56(6) or in relation to EU statements of conformity issued under Article 53, and shall investigate the subject matter of such complaints to the extent appropriate, and shall inform the complainant of the progress and the outcome of the investigation within a reasonable period."
As supervising NCCA BSI handles incoming complaints. Complaints can be directly addressed to BSI.
-
Article 63 para. 1 CSA
"Natural and legal persons shall have the right to lodge a complaint with the issuer of a European cybersecurity certificate or, where the complaint relates to a European cybersecurity certificate issued by a conformity assessment body when acting in accordance with Article 56(6), with the relevant national cybersecurity certification authority."
-
Article 63 para. 2 CSA
"The authority or body with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken, and shall inform the complainant of the right to an effective judicial remedy referred to in Article 64."
BSI as supervising NCCA has extensive powers according to article 58 para. 8 CSA and § 9a Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSIG) to supervise and enforce the rules included in European cybersecurity certification schemes. These comprise:
- providing information (Art. 58 para. 8 a) CSA in conjunction with § 9a para. 3 BSIG),
- carrying out investigations in terms of audits (Art. 58 para. 8 b) CSA in conjunction with § 9a para. 4 BSIG),
- obtaining access to the premises of any conformity assessment body or holder of European cybersecurity certificates (Art. 58 para. 8 d) CSA in conjunction with § 9a para. 5 BSIG),
- possibility to withdraw European cybersecurity certificates (Art. 58 para. 8 e) CSA in conjunction with § 9a para. 6 BSIG),
- taking appropriate measures and if necessary penalties (Art. 58 para. 8 c), f) CSA in conjunction with § 14 para. 2, 3, 4, 5 BSIG).
-
Yes. The following infringements are defined in § 14 (2) Nr. 10, (3), (4), (5) Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSIG):
- conformity assessment bodies that operate without the authorisation of BSI required by § 9a para. 2 sentence 2 BSIG,
- manufacturers or providers who fail to provide, or provide incorrect or incomplete, information about detected vulnerabilities or irregularities within one month after issuing a conformity self-assessment under a European cybersecurity certification scheme, as required by Article 55 para. 1 CSA,
- holders of a European cybersecurity certificate who fail to report vulnerabilities or irregularities, report them incompletely, or do not report them immediately after becoming aware of them, as required by Article 56 para. 8 CSA.
In these cases a fine of up to €500,000 can be imposed.
-
According to article 58 para. 7 a) CSA the national cybersecurity certification authorities are exclusively responsible for European cybersecurity certificates that have been issued in their respective territories.