As the national authority for cybersecurity, the CCB has developed several initiatives for specific audiences, which are presented here.
Certification of ICT products, services, processes, and organisations that meet certain cybersecurity requirements is an important way to increase cybersecurity. Certification can improve and ensure trust in the digital single market.
The NCCA oversees and monitors compliance with the scheme of certificates issued by Conformity Assessment Bodies (CABs). It can also be called in regarding complaints about or misuse of the certification of products. The NCCA has the power to inform and, if necessary, act to ensure regulatory compliance.
The NCCA is also mandated to issue guidance and certification schemes at national level.
Belgian companies needing guidance on the cybersecurity certification process can contact the NCCA.
The Centre for Cybersecurity Belgium represents Belgium in the development of European cybersecurity certification schemes. Currently the following schemes and activities are under development:
+32 (0)2 501 05 60 (emergency number, only for urgent assistance in case of incidents)
The CyFun or Cyberfundamentals scheme and toolbox are available:
The Centre for Cybersecurity Belgium has been designated as the National Cybersecurity Certification Authority (NCCA) by the Council of Ministers.
The Act gives Member States a framework for the voluntary certification of ICT products, processes, and services in relation to cybersecurity. An EU cybersecurity certificate confirms that an IT product, process, or service is certified in accordance with the European cybersecurity certification regulation or scheme and that it satisfies specific cybersecurity rules and requirements.
In Belgium, this certification can be obtained following an audit, test, or certification process by an accredited Conformity Assessment Body (CAB). All certificates are published by the EU Agency for Cybersecurity (ENISA) and are valid within the European Union.
Belgian national law defines the rules on cybersecurity certification. It also stipulates how the national cybersecurity certification authority operates with regard to delegations, market surveillance, and sanctioning, and allows the authority to be delegated to a number of sectoral authorities in a limited number of specific cases.
The Royal Decree appoints the Centre for Cybersecurity Belgium (CCB) as the national certification authority and enlarges its missions by modifying the Royal Decree of 10 October 2014 on the creation of the Centre.
Certification happens on a voluntary basis, unless otherwise stipulated by European Union or Member State law. Providers who want to get their ICT solution certified can apply to a Conformity Assessment Body (CAB), in accordance with the rules set out in the certification regulations.
In the future, the Commission will regularly assess the efficiency and the use of the established European schemes to see whether, through a relevant EU law, a specific European scheme should be made obligatory to ensure a suitable level of cybersecurity of ICT products, services and processes in the EU and to improve the operation of the internal market.
An assurance level provides a basis for trust that an ICT product, service or process satisfies the security conditions of a specific scheme. It states at which level the ICT product, service or process is evaluated. It is not a measure of the security of the ICT product, service or process.
The timing is subject to European decision-making and can change:
There is no accreditation for the EU schemes yet because the final schemes have not been published. The expected timing for the start of the CAB accreditation process is as follows:
For certification of management systems in accordance with ISO 27001, there are various accredited Conformity Assessment Bodies (CABs) in Belgium. BELAC publishes the accredited CABs on its website.
The EU Agency for Cybersecurity (ENISA) develops draft certification schemes upon the request of the European Commission or the EU Member States. ENISA is supported by a group of experts and works closely with the European Commission, the EU Member States and relevant stakeholders.
The CCB's Certification Service represents Belgium in the consultative body ECCG that advises the European Commission about schemes.
Every Member State can choose to issue EU cybersecurity certificates. National Cybersecurity Certification Authorities (NCCAs) monitor and control the regulatory conformity of certificates that are issued by Conformity Assessment Bodies (CABs) in their respective Member State.
Providers who want to get their ICT solution certified can apply to a Conformity Assessment Body (CAB), in accordance with the rules set out in the certification regulations.
Users of ICT solutions can consider cybersecurity certificates as evidence that a specific solution satisfies certain security conditions.
To achieve the objectives of the Cybersecurity Act and prevent the fragmentation of the internal market, the validity of national certification schemes needs to elapse by a date determined by the Commission. Every EU cybersecurity certification scheme has a transition period, after which the national schemes will no longer apply.
In other words, certificates that are issued by these national schemes will no longer be valid. A transition for existing schemes to EU schemes has been provided for, with the necessary guidelines for Conformity Assessment Bodies (CABs) that work under national regulations.
These CABs cannot stop their activities around existing schemes.
EU cybersecurity certificates that are issued by recognised Conformity Assessment Bodies (CABs) are valid in all EU countries.
The CCB Certification team is operational and offers support and guidance to Belgian companies in relation to the EU cybersecurity certification process.
If there are complaints about the misuse of product certification, the CCB Certification team can be called upon. This team has the power to acquire information in relation to the complaint and, where necessary, act to ensure that regulations are followed. They can enlist the help of another NCCA if the certificate was awarded in another European country.
ENISA is responsible for the organisation of peer evaluation (evaluation by European colleagues) of the NCCAs. The NCCA from the CCB will participate in this in order to improve its operations.
E-mail: certification@ccb.belgium.be
Telephone: +32 (0)2 501 05 60