Navigation and service

BSI - Federal Office for Information Security (Link to homepage)

National Cybersecurity Certification Authority (NCCA)

Based on the IT-Security Act 2.0 which came into force on 28th May 2021, BSI has been officially designated as the German National Cybersecurity Certification Authority (NCCA). According to article 58 of the Cybersecurity Act (CSA), BSI has to accomplish new tasks in this role.

BSI as NCCA

As German NCCA BSI fulfills two important tasks: certification as national certification body for assurance level high and supvervision. According to article 58 para. 4 CSA both tasks have to be independend and seperated. Article 58 para. 7 CSA defines for a NCCA as supervision authority the following tasks:

  • supervise and enforce rules included in European cybersecurity certification schemes
  • monitor compliance with and enforce the obligations of the manufacturers or providers of ICT products, ICT services or ICT processes that are established in their respective territories and that carry out conformity self-assessment
  • assist and support the national accreditation bodies (NAB) in the monitoring and supervision of the activities of conformity assessment bodies
  • monitor and supervise the activities of the NCCA certification authority based on the respective certification scheme
  • monitor relevant developments in the field of cybersecurity certification.

Powers of the NCCA

In order to ensure that all conformity assessment bodies, holders of a European cybersecurity certificate and issuers of EU statements of conformity follow the rules of the European cybersecurity certification schemes in the respective NCCA territory, various powers pursuant to article 58, para. 8 CSA have been assigned to the NCCA:

  • to request necessary information
  • to carry out investigations, in the form of audits
  • to obtain access to the premises of any conformity assessment bodies or holders of European cybersecurity certificates
  • to withdraw European cybersecurity certificates
  • to impose penalties in accordance with national law, as provided for in Article 65 CSA

The NCCA as (national) hub in the European certification landscape

Another field of activity of the NCCA supervision is the cooperation with the European Commission and other European NCCAs. This includes the active participation in the European Cybersecurity Certification Group (ECCG) and the peer review of other NCCAs according to article 59 CSA.

Every NCCA has to ensure an information exchange on the European level by for instance providing an annual summary report on the activities which will be send to the European Union Agency for Cybersecurity (ENISA) and the ECCG. In addition, the NCCA will notify the accredited CABs for each European cybersecurity certification scheme to the Commission. One year after the entry into force of a European cybersecurity certification scheme those CABs will be listed and published in the Official Journal of the European Union.

Contact

Bundesamt für Sicherheit in der Informationstechnik
Referat S 14
Postfach 20 03 63
53133 Bonn
E-Mail: ncca@bsi.bund.de

For encrypted communication please use our S/MIME-Certification (valid from 23.06.2022 to 24.06.2025,
Fingerprint: ‎5A 9D 59 27 7D 6B 1C 62 EA 49 57 51 5C 67 69 99 56 7E 60 24).

Or use the

public key for ncca@bsi.bund.de

Key-ID: 3526 612C 65B1 BEA9
Fingerprint: 0A3B 5520 6368 9071 3999 049B 3526 612C 65B1 BEA9

More Information

Back to Certification and approval