Certification Service (CCB Certification)
The CCB Certification team offers support and guidance to Belgian companies in relation to the EU cybersecurity certification process.
The Centre for Cybersecurity Belgium (CCB) aims to make Belgium one of the least vulnerable countries in Europe in terms of cybersecurity by 2025. Certification of ICT products, services and processes that meet certain cybersecurity demands is an important lever for ensuring cybersecurity. Certification improves and safeguards trust in the digital single market.
The CCB is recognised as the National Cybersecurity Certification Authority (NCCA).
The Cybersecurity Act
The Cybersecurity Act (Regulation (EU) 2019/881) allows the European Union to better tackle cross-border cyber attacks. Among other things, the Act gives Member States a framework for the voluntary certification of ICT products, processes and services in relation to cybersecurity. An EU cybersecurity certificate confirms that an IT product, process or service is certified in accordance with a European cybersecurity certification regulation or scheme and that it satisfies specific cybersecurity rules and requirements.
In Belgium, this certification can be obtained following an audit, test or certification process by an accredited Conformity Assessment Body (CAB). All certificates are published by the EU Agency for Cybersecurity (ENISA) and are valid within the European Union.
The risk connected with the use of the to-be-certified ICT solution determines the applicable cybersecurity level. Every EU scheme states whether certification is possible for a ‘basic’, ‘substantial’ or ‘high’ assurance level.
The following certification schemes are being prepared for the market:
- Common Criteria (EUCC): certification of ICT products (‘substantial’ or ‘high’ assurance levels)
- Cloud Services (EUCS): certification of Cloud Services (‘basic’, ‘substantial’ or ‘high’ assurance levels)
- 5G Networks (EU5G): certification for 5G networks (‘basic’, ‘substantial’ or ‘high’ assurance levels)
Implementation of the certification process
The figure above shows how the certification process works on the national level.
A certificate can be obtained from a Conformity Assessment Body (CAB) or, if the possibility is provided, via a conformity self-assessment.
- A scheme may allow conformity self-assessments (1). This means that a manufacturer or provider performs their own evaluation of whether their ICT product, service or process satisfies the security conditions of a specific scheme. If it does, the manufacturer or provider can get certification. Not every scheme will give this option. If it does, this is only for the ‘basic’ level. Currently only the EUCS provides self-assessment for the security level ‘basic’.
- BELAC, which is Belgium's national accreditation body (NAB) (2), accredits a Conformity Assessment Body (CAB) for a maximum of 5 years for a certain scheme.
An accredited CAB can certify a manufacturer or service provider for their ICT products, services or processes that satisfy the security conditions of the scheme for which certification is being requested. If the manufacturer or service provider does not satisfy the conditions, and the certificate is (temporarily) declined by a CAB, the manufacturer can submit a claim to the CCB.
Under the Cybersecurity Act, a non-Belgian CAB with an office in Belgium can request accreditation from BELAC. This then falls under Belgian control. Currently, Belgium favours a full or partial delegation to BELAC-accredited CABs for the European cybersecurity certificates with the ‘high’ assurance level.