2024/3143
19.12.2024

COMMISSION IMPLEMENTING REGULATION (EU) 2024/3143

of 18 December 2024

establishing the circumstances, formats and procedures for notifications pursuant to Article 61(5) of Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification

(Text with EEA relevance)

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (1), and in particular Article 61(5) thereof,
Whereas:
(1) Pursuant to Article 61(1) of Regulation (EU) 2019/881 (Cybersecurity Act), the national cybersecurity certification authorities (NCCAs) are responsible for notifying the Commission of conformity assessment bodies that have been accredited and, where applicable, authorised to issue European cybersecurity certificates at specified assurance levels, and should keep the notification up to date. Furthermore, according to Article 61(2) of Regulation (EU) 2019/881, the Commission is required to publish in the Official Journal of the European Union a list of the conformity assessment bodies notified under a European cybersecurity certification scheme one year after the scheme enters into force. To ensure a harmonised approach to notifications and to ease the notification process for NCCAs, this Regulation should further specify the circumstances, formats and procedures for the notifications. Clarifying those aspects is important with a view to the application of the first European Common Criteria-based cybersecurity certification scheme (EUCC) laid down by Commission Implementing Regulation (EU) 2024/482 (2).
(2) This Regulation acknowledges the synergies between Regulation (EU) 2019/881 and relevant Union harmonisation legislation, including Regulation (EU) 2024/2847 of the European Parliament and of the Council (Cyber Resilience Act) (3). It is therefore proposed that the NCCAs notify the Commission via the electronic notification tool, developed and managed by the Commission, referred to in Decision No 768/2008/EC of the European Parliament and of the Council (4). Without affecting the Commission’s obligation to publish the list of notified conformity assessment bodies in the Official Journal of the European Union, the list should also be made publicly available on the electronic notification tool developed and managed by the Commission.
(3) Notification of accredited and, where applicable, authorised conformity assessment bodies means that these bodies can be trusted to perform evaluation and certification activities in accordance with Regulation (EU) 2019/881, contributing to the overall reputation of European cybersecurity certification schemes. It is therefore essential to ensure that conformity assessment bodies that have been notified meet their requirements and fulfil their obligations over time. The published list of notified conformity assessment bodies should be accurate and kept up to date, reflecting their compliance with the requirements laid down in Regulation (EU) 2019/881 and, where applicable, the specific or additional requirements under a European cybersecurity certification scheme. For that purpose, it is necessary that the NCCAs notify the Commission of any changes to the notification without undue delay, in accordance with Article 61(1) of Regulation (EU) 2019/881.
(4) NCCAs are responsible for ensuring that conformity assessment bodies comply with Regulation (EU) 2019/881 and European cybersecurity certification schemes and, in this context, for ensuring the accuracy of notifications. These activities are subject to peer review, the outcome of which should help determine any changes necessary to enhance their effectiveness. The NCCAs may ascertain that a conformity assessment body no longer complies with the relevant requirements following concerns that have been brought to their attention in different circumstances. Where applicable, the findings of peer assessment mechanisms should support the NCCAs in monitoring the continued competence of the notified conformity assessment bodies. In addition, concerns regarding the continued competence of a notified conformity assessment body may be raised with the notifying NCCA by other NCCAs, the Commission or stakeholders.
(5) When deciding to suspend, restrict or withdraw the notification of a conformity assessment body, the notifying NCCA is to cooperate with the national accreditation body appointed pursuant to Regulation (EC) No 765/2008 of the European Parliament and of the Council (5). This is in accordance with Regulation (EU) 2019/881, which provides that the NCCAs should actively assist, support and cooperate with the national accreditation bodies in their monitoring and supervisory activities. The restriction of a notification should refer to a case where the scope of accreditation or, where applicable, the scope of authorisation, and hence the scope of the notification, is reduced.
(6) Pursuant to Article 54(1), point (n) of Regulation (EU) 2019/881, each European cybersecurity certification scheme is to include, where applicable, rules concerning the retention of records by conformity assessment bodies. It is therefore necessary that in the event of restriction, suspension or withdrawal of notification, or where the notified conformity assessment body has ceased its activity, the notifying NCCA ensures that the records of that conformity assessment body are stored in a secure manner and kept for the necessary period, as prescribed under a European cybersecurity certification scheme.
(7) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 66 of Regulation (EU) 2019/881,
HAS ADOPTED THIS REGULATION:

Article 1

Subject matter

This Regulation establishes the circumstances, formats and procedures for notifications of conformity assessment bodies by national cybersecurity certification authorities (NCCAs) pursuant to Article 61(1) of Regulation (EU) 2019/881.

Article 2

Procedure for notification

1.   In accordance with Article 61(1) of Regulation (EU) 2019/881, the NCCAs shall notify the Commission of the conformity assessment bodies which have satisfied the requirements laid down in Regulation (EU) 2019/881 and, where applicable, the specific or additional requirements under a European cybersecurity certification scheme.
2.   The NCCA shall notify the Commission using the electronic notification tool developed and managed by the Commission, as referred to in Decision No 768/2008/EC.
3.   The notification shall include the information set out in the Annex.

Article 3

Identification numbers and list of conformity assessment bodies

1.   The Commission shall assign an identification number to a notified conformity assessment body. It shall assign a single identification number even where the body is notified under several European cybersecurity certification schemes or Union acts.
2.   When making the list of the notified conformity assessment bodies available on the electronic notification tool developed and managed by the Commission, the Commission shall include the identification numbers that have been allocated to the notified conformity assessment bodies and the activities for which they have been notified.
3.   ENISA shall make the information regarding the notified conformity assessment bodies available on its dedicated website on European cybersecurity certification schemes referred to in Article 50(1) of Regulation (EU) 2019/881.

Article 4

Changes to notifications

1.   The NCCAs shall notify the Commission of any subsequent changes to the notification referred to in Article 2 via the electronic notification tool developed and managed by the Commission without undue delay, in accordance with Article 61(1) of Regulation (EU) 2019/881.
2.   Where an NCCA has ascertained, in cooperation with the national accreditation body, as provided for in Regulation (EU) 2019/881, that a notified conformity assessment body no longer meets the requirements or obligations to which it is subject, the NCCA shall restrict, suspend or withdraw the notification as appropriate, depending on the seriousness of the failure to meet those requirements or fulfil those obligations. It shall inform the Commission accordingly via the electronic notification tool developed and managed by the Commission without undue delay.
3.   In the event of restriction, suspension or withdrawal of notification, or where the notified conformity assessment body has ceased its activity, the notifying NCCA shall take appropriate steps to ensure that the records of that conformity assessment body are stored in a secure manner and kept for the necessary period, as prescribed under a European cybersecurity certification scheme.

Article 5

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 18 December 2024.
For the Commission
The President
Ursula VON DER LEYEN
(1)  OJ L 151, 7.6.2019, p. 15, ELI: http://data.europa.eu/eli/reg/2019/881/oj.
(2)  Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L, 2024/482, 7.2.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/482/oj).
(3)  Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ L, 2024/2847, 20.11.2024, ELI: http://data.europa.eu/eli/reg/2024/2847/oj).
(4)  Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82, ELI: http://data.europa.eu/eli/dec/2008/768(1)/oj).
(5)  Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30, ELI: http://data.europa.eu/eli/reg/2008/765/oj).

ANNEX

Information to be included in the notification of a conformity assessment body under a European cybersecurity certification scheme pursuant to Article 61(1) of Regulation (EU) 2019/881, as referred to in Article 2(3) of this Regulation

1.   General information:
(1) Title of the cybersecurity certification scheme
(2) Assurance level(s), where applicable, and related conformity assessment procedures (e.g. basic, substantial, high)
(3) Scope (e.g. accreditation scope, categories or types of products, services, processes)
2.   Information on the notifying national cybersecurity certification authority:
(1) Name
(2) Country
(3) Postal address
(4) Email address(es)
(5) Phone number(s)
(6) Website
3.   Information on the conformity assessment body being notified:
(1) Name
(2) Country
(3) Postal address
(4) Email address(es)
(5) Phone number(s)
(6) Website
4.   Information on the accreditation:
(1) Accreditation:
(a) Date of the accreditation
(b) Reference number of the accreditation
(c) Scope of the accreditation
(d) Duration of validity of the accreditation
(2) National accreditation body:
(a) Name
(b) Country
(c) Postal address
(d) Email address(es)
(e) Phone number(s)
(f) Website
5.   Information on the authorisation (if applicable):
(1) Authorisation:
(a) Date of the authorisation
(b) Reference number of the authorisation
(c) Scope of the authorisation
(d) Duration of validity of the authorisation
(2) Authorising national cybersecurity authority (if different from the notifying national cybersecurity certification authority):
(a) Name
(b) Country
(c) Postal address
(d) Email address(es)
(e) Phone number(s)
(f) Website
6.   Additional information:
(1) Any additional information required in a specific European cybersecurity certification scheme
(2) Any supporting documents
ELI: http://data.europa.eu/eli/reg_impl/2024/3143/oj
ISSN 1977-0677 (electronic edition)