FAQ (CCB-Certification)
- Is certification of ICT products, services and processes obligatory?
- What are the different assurance levels of the certificates, and what do these levels mean?
- From when can a manufacturer apply for certification of ICT products, services and processes?
- Are there already accredited conformity assessment bodies active in Belgium?
- How are EU cybersecurity certification schemes developed?
- Will the EU cybersecurity certificates be recognised in all European countries?
- When can you get help from the CCB Certification team?
- Will the CCB be monitored as the NCCA?
- How can the CCB Certification team be contacted?
▷ Is certification of ICT products, services and processes obligatory?
Certification happens on a voluntary basis, unless otherwise stipulated by European Union or Member State law. Providers who want to get their ICT solution certified can apply to a Conformity Assessment Body (CAB), in accordance with the rules set out in the certification regulations.
In the future, the Commission will regularly assess the efficiency and the use of the established European schemes to see whether, through a relevant EU law, a specific European scheme should be made obligatory to ensure a suitable level of cybersecurity of ICT products, services and processes in the EU and to improve the operation of the internal market.
▷ What are the different assurance levels of the certificates, and what do these levels mean?
An assurance level provides a basis for trust that an ICT product, service or process satisfies the security conditions of a specific scheme. It states at which level the ICT product, service or process is evaluated. It is not a measure of the security of the ICT product, service or process.
▷ From when can a manufacturer apply for certification of ICT products, services and processes?
The timing is subject to European decision-making and can change:
- EUCC (certification of ICT products): from the end of 2024
- EUCS (cloud services): from the beginning of 2025
- EU5G (5G): to be determined
▷ Are there already accredited conformity assessment bodies active in Belgium?
There is no accreditation for the EU schemes yet because the final schemes have not been published. The expected timing for the start of the CAB accreditation process is as follows:
- EUCC (certification of ICT products): from the middle of 2024
- EUCS (cloud services): from the end of 2024
- EU5G (5G): to be determined
For certification of management systems in accordance with ISO 27001, there are various accredited Conformity Assessment Bodies (CABs) in Belgium. BELAC publishes the accredited CABs on its website.
▷ How are EU cybersecurity certification schemes developed?
The EU Agency for Cybersecurity (ENISA) develops draft certification schemes upon the request of the European Commission or the EU Member States. ENISA is supported by a group of experts and works closely with the European Commission, the EU Member States and relevant stakeholders.
The CCB's Certification Service represents Belgium in the consultative body ECCG that advises the European Commission about schemes.
▷ How can EU cybersecurity certification schemes be used in practice?
Awarding certificates:
Every Member State can choose to issue EU cybersecurity certificates. National Cybersecurity Certification Authorities (NCCAs) monitor and control the regulatory conformity of certificates that are issued by Conformity Assessment Bodies (CABs) in their respective Member State.
To get certified:
Providers who want to get their ICT solution certified can apply to a Conformity Assessment Body (CAB), in accordance with the rules set out in the certification regulations.
Use of certificates:
Users of ICT solutions can consider cybersecurity certificates as evidence that a specific solution satisfies certain security conditions.
▷ What happens if a new EU scheme covers the same ICT domain as an existing national scheme?
To achieve the objectives of the Cybersecurity Act and prevent the fragmentation of the internal market, national certification schemes must cease to be valid by a date determined by the Commission. Every EU cybersecurity certification scheme has a transition period, after which the national schemes will no longer apply.
In other words, certificates that are issued under these national schemes will no longer be valid. A transition from existing schemes to EU schemes has been provided for, with the necessary guidelines for Conformity Assessment Bodies (CABs) that work under national regulations.
These CABs cannot stop their activities around existing schemes.
▷ Will the EU cybersecurity certificates be recognised in all European countries?
EU cybersecurity certificates that are issued by recognised Conformity Assessment Bodies (CABs) are valid in all EU countries.
▷ When can you get help from the CCB Certification team?
The CCB Certification team is operational and offers support and guidance to Belgian companies in relation to the EU cybersecurity certification process.
If there are complaints about the misuse of product certification, the CCB Certification team can be called upon. This team has the power to acquire information in relation to the complaint and, where necessary, act to ensure that regulations are followed. They can enlist the help of another NCCA if the certificate was awarded in another European country.
▷ Will the CCB be monitored as the NCCA?
ENISA is responsible for the organisation of peer evaluation (evaluation by European colleagues) of the NCCAs. The CCB's NCCA will participate in this in order to improve its operations.