Commission Implementing Regulation (EU) 2025/2540 of 9 December 2025 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the peer review of national cybersecurity certification authorities
Cybersecurity Act: peer review of national certification authorities
Commission regulation published in the Official Journal of the European Union on 12 December 2025
Previously
- Draft regulation presented by the Commission on 1 August 2025, with a feedback deadline of 29 August 2025
Background
(from the Commission regulation)
(1) Pursuant to Article 59(4) of Regulation (EU) 2019/881, peer reviews of national cybersecurity certification authorities (NCCAs) are to be carried out by two NCCAs from other Member States and the Commission. With a view to achieving equivalent standards in respect of European cybersecurity certificates and EU statements of conformity, the Commission should monitor aspects related to compliance with this Regulation and ensure that peer reviews are carried out in a consistent manner throughout the Union. In order to help identify good practices, challenges and lessons learned from the implementation of European cybersecurity certification schemes, the European Union Agency for Cybersecurity (ENISA) should have the opportunity to participate in the peer reviews as an observer. To support the harmonised implementation of the provisions of this Regulation, ENISA, in cooperation with the Commission and the European Cybersecurity Certification Group (ECCG), should also be allowed to develop templates.
(2) In order to ensure predictable planning and the efficient allocation of resources, the peer reviews of each NCCA should be carried out in accordance with an established schedule. It should be possible for an NCCA to request to delay its peer review in exceptional circumstances, such as unexpected staff shortages or instances of force majeure. To that effect, it is necessary to set out the arrangements for assessing that request, ensuring that the overarching schedule is maintained, and the objectives of the peer review mechanism are not compromised.
(3) In order to ensure that all Member States contribute to the implementation of the peer-review mechanism, as well as to enable them to benefit from peer-learning, the NCCAs of each Member State should carry out two peer reviews over a five-year period. A rotation system to enable the NCCAs of all Member States to organise their participation should therefore be set up. It is also necessary to set out criteria that NCCAs should take into account when selecting representatives to perform peer reviews, with the objective of ensuring adequate expertise and competence. NCCAs should also be allowed to participate in peer reviews as observers, for the purposes of monitoring and learning from the process. In such cases, it should not be required for their representative to have the same expertise and competence that is expected of representatives of NCCAs performing the peer reviews.
(4) In order to ensure that an NCCA is peer-reviewed by at least one NCCA employing the same approach on the issuance of certificates at level ‘high’, ENISA should indicate, when inviting NCCAs to express their interest in being peer-reviewers, whether the peer-reviewed NCCA directly issues certificates at level ‘high’, makes use of the prior approval model referred to in Article 56(6), point (a), of Regulation (EU) 2019/881, grants a general delegation in accordance with point (b) of that paragraph, or has a combination of these characteristics.
(5) In order to ensure common evaluation criteria and procedures for the operation of peer reviews across the Union, each peer review should always include a self-assessment questionnaire, a documentation review and an on-site visit, accompanied by interviews. After the on-site visit, the peer-review team should discuss the findings with the peer-reviewed NCCA, prepare a draft report and submit it to the peer-reviewed NCCA for comments, with a view to ensuring consensus, where possible. The peer-review team should submit the final report, which may include guidelines or recommendations to enable improvement for the peer-reviewed NCCA, to the ECCG. The ECCG, upon proposal of the peer-review team, should also endorse a summary report to be made publicly available.
(6) In order to ensure that the information obtained through the peer-review process is handled in a secure manner, the peer-review team should ensure the use of secure channels of communication such as a secure platform for document storage and sharing, and the use of the appropriate safeguards for confidential data shared between members of the peer-review team. ENISA, taking into account the existing best practices of the NCCAs, should also be able to develop guidelines on how to ensure secure communication, in particular with a view to ensuring that the level of security applied by the peer-review team when collecting, sharing and processing information is aligned with the security needs of the peer-reviewed NCCA.
(7) In order to facilitate cooperation and effective exchange of information between NCCAs, the ECCG, in particular its subgroup on peer review, should contribute to the development of templates as well as assist the Commission with the implementation of this Regulation.
(8) The peer review mechanism constitutes a trans-European digital public service in the meaning of Regulation (EU) 2024/903 of the European Parliament and of the Council. This Regulation introduces new binding requirements affecting that service, and, as such, is subject to the interoperability assessment obligation under Article 3 of Regulation (EU) 2024/903. Accordingly, an interoperability assessment has been carried out, and the resulting report is to be published on the Interoperable Europe Portal.
(9) In the development of this Regulation, the Commission has taken into account the views of the ECCG, including its subgroup on peer review.
(10) The measures provided for in this Regulation are in accordance with the opinion of the Committee established by Article 66 of Regulation (EU) 2019/881,