The Federal Office for Information Security (BSI) authorises conformity assessment bodies (CABs) who are aiming to be operating under Regulation (EU) 2019/881 (Cybersecurity Act, abrv. [CSA]) as well as § 9 [BSIG]. The request for authorization can be granted if obligations arising from the relevant European Cybersecurity Certification scheme according to Article 54 [CSA] as well as § 9 [BSIG] are fulfilled. The [CSA] defines CABs according to Article 2 (18) and Regulation (EC) No. 765/2008.

According to Article 60.2 and Annex No. 19 [CSA], CAB must be accredited by the national accreditation body (Deutsche Akkreditierungsstelle, abrv. DAkkS) in accordance with Regulation (EC) No. 765/2008. Additionally, a CAB must be authorised by an authorising authority (abrv. BeB). BSI is the BeB for [CSA] as well as § 9 [BSIG] and in particular § 9a (2) [BSIG] in their current versions as well as all areas for which the relevant federal ministries have designated BSI as BeB. Moreover, § 2 (3) and § 4 Gesetz über die Akkreditierungsstelle [AkkStelleG] is regulating the cooperation between DAkkS and the authorities which are entitled in accordance with the law to authorise CABs to act as such. BSI grants authorisation according to § 9 (1) [BSIG] as National Cybersecurity Certification Authority (NCCA) and pursuant to Article 58.1 [CSA].

Once a CAB has been authorised BSI is notyfying the European Commission (COM) in accordance with Article 61.1 [CSA]. Further notification details may be regulated by COM through an implementing act pursuant to Article 61.5 [CSA].

The process is described in document "VB Befugnis" and is supplemented by the following requirement documents:

• The programme authorisation EUCC includes the requirements from the implementing acts of the respective European cybersecurity certification schemes.
• Document "Verzeichnisse" includes a central breakdown of all references (register of current documents) and a glossary
• The document "Zeichenordnung" includes the terms of use for all users of the respective mark of certification  and  and Anerkennug(eng: recognition)
  

In order to be authorised for activities within the context of CSA the following application has to be filed:

Application form follows.

Please send the completed and signed applications to the following address:

Federal Office for Information Security
Division SZ 14
P.O. Box 20 03 63
53133 Bonn

For encrypted communication please use the S/MIME-Certificate (Valid: 23.06.2022 till 24.06.2025, certificate finger print: ‎5A 9D 59 27 7D 6B 1C 62 EA 49 57 51 5C 67 69 99 56 7E 60 24).

Or use the

public key for ncca@bsi.bund.de

Key-ID: 3526 612C 65B1 BEA9
Fingerprint: 0A3B 5520 6368 9071 3999 049B 3526 612C 65B1 BEA9