Commission Implementing Regulation (EU) 2024/3143 of 18 December 2024 laying down the circumstances, formats and procedures for notifications pursuant to Article 61(5) of Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on cybersecurity certification of information and communications technology
Cybersecurity Act: implementing rules on the notification of conformity assessment bodies
Commission regulation published in the Official Journal of the EU on 19.12.2024
Previously
- Draft regulation presented by the Commission on 20.9.2024, with a feedback deadline of 18.10.2024
Background
BACKGROUND (from the Commission regulation)
(1) Pursuant to Article 61(1) of Regulation (EU) 2019/881 (Cybersecurity Act), the national cybersecurity certification authorities (NCCAs) are responsible for notifying the Commission of conformity assessment bodies that have been accredited and, where applicable, authorised to issue European cybersecurity certificates at specified assurance levels, and should keep the notification up to date. Furthermore, according to Article 61(2) of Regulation (EU) 2019/881, the Commission is required to publish in the Official Journal of the European Union a list of the conformity assessment bodies notified under a European cybersecurity certification scheme one year after the scheme enters into force. To ensure a harmonised approach for notifications and ease the notification process for NCCAs, this Regulation should further specify the circumstances, formats and procedures for the notifications. It is important to clarify those aspects with a view to the application of the first European Common Criteria-based cybersecurity certification scheme (EUCC) laid down by Commission Implementing Regulation (EU) 2024/482 (2).
(2) This Regulation acknowledges the synergies between Regulation (EU) 2019/881 and relevant Union harmonisation legislation, including Regulation (EU) 2024/2847 of the European Parliament and of the Council (Cyber Resilience Act) (3). It is therefore proposed that the NCCAs notify the Commission via the electronic notification tool, developed and managed by the Commission, referred to in Decision No 768/2008/EC of the European Parliament and of the Council (4). Without affecting the Commission’s obligation to publish the list of notified conformity assessment bodies in the Official Journal of the European Union, the list should also be made publicly available on the electronic notification tool developed and managed by the Commission.
(3) Notification of accredited and, where applicable, authorised conformity assessment bodies means that these bodies can be trusted in performing evaluation and certification activities in accordance with Regulation (EU) 2019/881, contributing to the overall reputation of European cybersecurity certification schemes. It is therefore essential to ensure that conformity assessment bodies that have been notified meet their requirements and fulfil their obligations over time. The published list of notified conformity assessment bodies should be accurate and kept up to date, reflecting their compliance with the requirements laid down in Regulation (EU) 2019/881 and, where applicable, the specific or additional requirements under a European cybersecurity certification scheme. For that purpose, it is necessary that the NCCAs notify the Commission of any changes to the notification without undue delay, in accordance with Article 61(1) of Regulation (EU) 2019/881.
(4) NCCAs are responsible for ensuring that conformity assessment bodies comply with Regulation (EU) 2019/881 and European cybersecurity certification schemes and, in this context, ensure the accuracy of notifications. These activities are subject to peer review, the outcome of which should help determine any necessary changes to enhance their effectiveness. The NCCAs may ascertain that a conformity assessment body no longer complies with relevant requirements following concerns that have been brought to their attention in different circumstances. Where applicable, the findings of peer assessment mechanisms should support the NCCAs in monitoring the continued competence of the notified conformity assessment bodies. In addition, concerns regarding the continued competence of a notified conformity assessment body may be raised with the notifying NCCA by other NCCAs, the Commission or stakeholders.
(5) When deciding to suspend, restrict or withdraw the notification of a conformity assessment body, the notifying NCCA is to cooperate with the national accreditation body appointed pursuant to Regulation (EC) No 765/2008 of the European Parliament and of the Council (5). This is in accordance with Regulation (EU) 2019/881 that provides that the NCCAs should actively assist, support and cooperate with the national accreditation bodies in their monitoring and supervisory activities. The restriction of notification should refer to a case where the scope of accreditation or, where applicable, the scope of authorisation, and hence the scope of the notification, is reduced.
(6) Pursuant to Article 54(1), point (n) of Regulation (EU) 2019/881, each European cybersecurity certification scheme is to include, where applicable, rules concerning the retention of records by conformity assessment bodies. It is therefore necessary that in the event of restriction, suspension or withdrawal of notification, or where the notified conformity assessment body has ceased its activity, the notifying NCCA ensures that the records of that conformity assessment body are stored in a secure manner and kept for the necessary period, as prescribed under a European cybersecurity certification scheme.
(7) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 66 of Regulation (EU) 2019/881,