The EUCC scheme introduced a very important requirement which is derived from the EU Cybersecurity Act and comes as an add-on to the CC scheme. It now requires monitoring the compliance of ICT products with the requirements related to the provisions of the delivered certificate. This means that manufacturers shall demonstrate their continued compliance with the specified cybersecurity requirements. The NCCAs, on their respective territories and in cooperation with other relevant market surveillance authorities, shall sample annually a minimum of 5% of the products, and at least one product per annum, which received certificates in the previous year.
Let's take a quick look at these rules concerning the consequences for ICT products that have been certified, or for which an EU statement of conformity has been issued, but that do not comply with the requirements of the scheme.
Two Most Important Rules Related to Non-Compliance That You Should Know About
Rule no. 1.
For confirmed deviations or irregularities related to a non-compliance, in the application by a manufacturer or provider, with the requirements related to a certificate issued on their ICT product, the consequences will be the following:
- The Conformity Assessment Body (CAB) issuing the certificate will request assertions and amendments from the manufacturer or provider, for certificates at the assurance level ‘high’ or ‘substantial’ of the Cybersecurity Act (CSA), in order to restore compliance
- The CAB will review the provided assertions and amendments and accept or refuse them, and the decision will be sent to the manufacturer or provider
- Continued infringements of such obligations will trigger suspension of the certificate for the ICT product and temporary suspension of certificate applications to the CAB by the manufacturer or provider
- If the handling is refused, or the suspension reaches 90 days, the certificate will be withdrawn.
In the case of a confirmed deviation from the requirements on the certificate holder’s obligations towards maintaining the certificate’s validity, or towards informing the appropriate authorities of any subsequently detected vulnerabilities, the following situations can happen:
- An immediate certificate suspension, starting at the notification of the owner of the certificate by the issuer, with a maximum suspension period of 14-30 days for certificates at the ‘high’ or ‘substantial’ level. During this period:
  - The non-compliance will be verified or disproved with the necessary support of the manufacturer or provider
  - When the non-compliance is verified to impact a certificate, this will be treated as a non-conformity of the certified ICT product
  - The manufacturer or provider of the ICT product will accept or refuse the handling of the verified product-related non-conformity and the necessary maintenance activities
- When the defined period is not sufficient, the issuer of the certificate may extend the suspension period, but no more than three times.
- When the handling is refused, the certificate will be withdrawn.
- When the handling is accepted, the manufacturer or provider will proceed with the necessary changes to the ICT product, and the CB with the related modifications of the certificate’s status.
- Where necessary, the CB can decide to further extend the suspension period, for no more than one year.
Once the suspension period begins, the owner of the certificate has to be informed about the length of the period, the reason for suspension, and possible consequences.
Rule no. 2.
For a confirmed non-compliance in the conditions under which the certification takes place, and that is not related to an individual ICT product, the CB will proceed, under the control of its National Cybersecurity Certification Authority (NCCA), with the following:
- The identification of potentially impacted certified ICT products
- A request for a series of evaluation tasks to be performed on one or more products by the Testing Laboratory/Evaluation Facility (ITSEF) which performed the evaluation, or by any other that is in a better technical position to support that identification
- The analysis by the CB of the evaluation reports, and/or the re-issuance of certificates
If during this time the non-compliance is corrected, the certificate will be either continued, renewed, or re-issued. But if the problem cannot be handled, the certificate will be withdrawn.