Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down r... (32024R0482)
CONTENTS
Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC)
- COMMISSION IMPLEMENTING REGULATION (EU) 2024/482
- of 31 January 2024
- laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC)
- (Text with EEA relevance)
- CHAPTER I
- GENERAL PROVISIONS
- Article 1
- Subject matter and scope
- Article 2
- Definitions
- Article 3
- Evaluation standards
- Article 4
- Assurance levels
- Article 5
- Methods for certifying ICT products
- Article 6
- Conformity self-assessment
- CHAPTER II
- CERTIFICATION OF ICT PRODUCTS
- SECTION I
- Specific standards and requirements for evaluation
- Article 7
- Evaluation criteria and methods for ICT products
- SECTION II
- Issuance, renewal and withdrawal of EUCC certificates
- Article 8
- Information necessary for certification
- Article 9
- Conditions for issuance of an EUCC certificate
- Article 10
- Content and format of an EUCC certificate
- Article 11
- Mark and label
- Article 12
- Period of validity of an EUCC certificate
- Article 13
- Review of an EUCC certificate
- Article 14
- Withdrawal of an EUCC certificate
- CHAPTER III
- CERTIFICATION OF PROTECTION PROFILES
- SECTION I
- Specific standards and requirements for evaluation
- Article 15
- Evaluation criteria and methods
- SECTION II
- Issuing, renewing and withdrawing EUCC certificates for protection profiles
- Article 16
- Information necessary for certification of protection profiles
- Article 17
- Issuance of EUCC certificates for protection profiles
- Article 18
- Period of validity of an EUCC certificate for protection profiles
- Article 19
- Review of an EUCC certificate for protection profiles
- Article 20
- Withdrawal of an EUCC certificate for a protection profile
- CHAPTER IV
- CONFORMITY ASSESSMENT BODIES
- Article 21
- Additional or specific requirements for a certification body
- Article 22
- Additional or specific requirements for an ITSEF
- Article 23
- Notification of certification bodies
- Article 24
- Notification of ITSEF
- CHAPTER V
- MONITORING, NON-CONFORMITY AND NON-COMPLIANCE
- SECTION I
- Compliance monitoring
- Article 25
- Monitoring activities by the national cybersecurity certification authority
- Article 26
- Monitoring activities by the certification body
- Article 27
- Monitoring activities by the holder of the certificate
- SECTION II
- Conformity and compliance
- Article 28
- Consequences of non-conformity of a certified ICT product or protection profile
- Article 29
- Consequences of non-compliance by the holder of the certificate
- Article 30
- Suspension of the EUCC certificate
- Article 31
- Consequences of non-compliance by the conformity assessment body
- CHAPTER VI
- VULNERABILITY MANAGEMENT AND DISCLOSURE
- Article 32
- Scope of vulnerability management
- SECTION I
- Vulnerability management
- Article 33
- Vulnerability management procedures
- Article 34
- Vulnerability impact analysis
- Article 35
- Vulnerability impact analysis report
- Article 36
- Vulnerability remediation
- SECTION II
- Vulnerability disclosure
- Article 37
- Information shared with the national cybersecurity certification authority
- Article 38
- Cooperation with other national cybersecurity certification authorities
- Article 39
- Publication of the vulnerability
- CHAPTER VII
- RETENTION, DISCLOSURE AND PROTECTION OF INFORMATION
- Article 40
- Retention of records by certification bodies and the ITSEF
- Article 41
- Information made available by the holder of a certificate
- Article 42
- Information to be made available by ENISA
- Article 43
- Protection of information
- CHAPTER VIII
- MUTUAL RECOGNITION AGREEMENTS WITH THIRD COUNTRIES
- Article 44
- Conditions
- CHAPTER IX
- PEER ASSESSMENT OF CERTIFICATION BODIES
- Article 45
- Peer assessment procedure
- Article 46
- Peer assessment phases
- Article 47
- Peer assessment report
- CHAPTER X
- MAINTENANCE OF THE SCHEME
- Article 48
- Maintenance of the EUCC
- CHAPTER XI
- FINAL PROVISIONS
- Article 49
- National schemes covered by the EUCC
- Article 50
- Entry into force
- ANNEX I
- Technical domains and state-of-the-art documents
- ANNEX II
- Protection profiles certified at AVA_VAN level 4 or 5
- ANNEX III
- Recommended protection profiles (illustrating technical domains from Annex I)
- ANNEX IV
- Assurance continuity and certificate review
- IV.1
- Assurance continuity: scope
- IV.2
- Re-assessment
- IV.3
- Changes to a certified ICT product
- IV.4
- Patch management
- ANNEX V
- CONTENT OF A CERTIFICATION REPORT
- V.1
- Certification report
- V.2
- Sanitization of a security target for publication
- ANNEX VI
- SCOPE AND TEAM COMPOSITION FOR PEER ASSESSMENTS
- VI.1
- Scope of the peer assessment
- VI.2
- Peer assessment team
- ANNEX VII
- Content of an EUCC Certificate
- ANNEX VIII
- Assurance package declaration
- ANNEX IX
- Mark and label