1. Without prejudice to Article 58(7) of Regulation (EU) 2019/881, the national cybersecurity certification authority shall monitor the compliance of:
(a)
the certification body and the ITSEF with their obligations pursuant to this Regulation and Regulation (EU) 2019/881;
(b)
the holders of an EUCC certificate with their obligations pursuant to this Regulation and Regulation (EU) 2019/881;
(c)
the certified ICT products with the requirements set out in the EUCC;
(d)
the assurance expressed in the EUCC certificate addressing the evolving threat landscape.
2. The national cybersecurity certification authority shall perform its monitoring activities in particular on the basis of:
(a)
information coming from certification bodies, national accreditation bodies and relevant market surveillance authorities;
(b)
information resulting from its own or another authority’s audits and investigations;
(c)
sampling, carried out in accordance with paragraph 3;
(d)
complaints received.
3. The national cybersecurity certification authority shall, in cooperation with other market surveillance authorities, sample annually at least 4% of the EUCC certificates as determined by a risk assessment. Upon request and acting on behalf of the competent national cybersecurity certification authority, certification bodies and, if necessary, ITSEF shall assist that authority in monitoring compliance.
4. The national cybersecurity certification authority shall select the sample of certified ICT products to be checked using objective criteria, including:
(a)
product category;
(b)
assurance levels of products;
(c)
holder of a certificate;
(d)
certification body and, where applicable, the subcontracted ITSEF;
(e)
any other information brought to the authority’s attention.
5. The national cybersecurity certification authority shall inform the holders of the EUCC certificate about the selected ICT products and the selection criteria.
6. The certification body that certified the sampled ICT product shall, upon request of the national cybersecurity certification authority, with the assistance of the respective ITSEF, conduct additional review in accordance with the procedure laid down in Section IV.2 of Annex IV and inform the national cybersecurity certification authority of the results.
7. Where the national cybersecurity certification authority has sufficient reason to believe that a certified ICT product is no longer in compliance with this Regulation or Regulation (EU) 2019/881, it may carry out investigations or make use of any other monitoring powers set out in Article 58(8) of Regulation (EU) 2019/881.
8. The national cybersecurity certification authority shall inform the certification body and ITSEF concerned about ongoing investigations regarding selected ICT products.
9. Where the national cybersecurity certification authority identifies that an ongoing investigation concerns ICT products that are certified by certification bodies established in other Member States, it shall inform thereof the national cybersecurity certification authorities of the relevant Member States in order to collaborate in the investigations, where relevant. Such national cybersecurity certification authority shall also notify the European Cybersecurity Certification Group of the cross-border investigations and the subsequent results.