ANNEX II
Methodology of the peer review
II.1 Separation between certification and supervisory activities
In assessing the separation between the certification activities and the supervisory activities of the peer-reviewed NCCA referred to in Article 59(3), point (a), of Regulation (EU) 2019/881, the peer review shall assess at least the following aspects:
(a)
a detailed description of the functioning of the peer-reviewed NCCA, clearly identifying the different entities and/or departments involved in the implementation of Regulation (EU) 2019/881;
(b)
a mapping of the activities of the peer-reviewed NCCA against the activities listed in Article 58(7) of Regulation (EU) 2019/881;
(c)
where the peer-reviewed NCCA issues certificates, an explanation demonstrating that there is no interference between its certification activities and the supervisory activities as identified in point (b).
II.2 Supervising and enforcing the rules for monitoring compliance with the certificates
In assessing the procedures of the peer-reviewed NCCA for supervising and enforcing the rules for monitoring the compliance of ICT products, ICT services and ICT processes and managed security services with European cybersecurity certificates referred to in Article 59(3), point (b), of Regulation (EU) 2019/881, the peer review shall assess at least the following aspects:
(a)
the quality and level of detailed description of such processes and procedures and the extent to which they are documented;
(b)
whether and to what extent such processes and procedures cover the relevant European cybersecurity certification schemes;
(c)
whether the peer-reviewed NCCA is effectively empowered to inspect conformity assessment bodies that issue certificates and, where necessary, to enforce the withdrawal of certificates;
(d)
the extent of the cooperation of the peer-reviewed NCCA with the relevant market surveillance authorities;
(e)
whether the peer-reviewed NCCA has a mechanism to handle complaints by natural or legal persons, required pursuant to Article 58(7), point (f), of Regulation (EU) 2019/881, including evidence as to whether natural and legal persons have the right to lodge a complaint and to obtain an effective judicial remedy in accordance with Articles 63 and 64 of that Regulation, respectively.
II.3 Monitoring and enforcing the obligations of manufacturers or providers
In assessing the procedures of the peer-reviewed NCCA for monitoring and enforcing the obligations of manufacturers or providers that carry out conformity self-assessment, as referred to in Article 59(3), point (c), of Regulation (EU) 2019/881, the peer review shall assess at least the following aspects:
(a)
whether the peer-reviewed NCCA has established such procedures and the extent to which they are documented, in particular whether it has established a mechanism to receive and process information from external sources;
(b)
whether and to what extent such procedures cover the relevant European cybersecurity certification schemes;
(c)
whether and to what extent the peer-reviewed NCCA carries out its own investigations and whether the scope of the investigations covers the obligations of manufacturers set out in Article 53(2) and (3) of Regulation (EU) 2019/881 and in the corresponding European cybersecurity certification schemes;
(d)
whether there is a procedure to exchange information between the certification activities and the supervisory activities of the peer-reviewed NCCA that are relevant to monitoring and enforcing the obligations of manufacturers or providers.
II.4 Monitoring, authorising and supervising conformity assessment bodies
In assessing the procedures of the peer-reviewed NCCA for monitoring, authorising and supervising the activities of the conformity assessment bodies, as referred to in Article 59(3), point (d), of Regulation (EU) 2019/881, the peer review shall assess at least the following aspects:
(a)
the quality and level of detailed description of such procedures and the extent to which they are documented, including for cooperation with the national accreditation body;
(b)
the key statistics on the number of authorisations granted, suspended or withdrawn, the total number of conformity assessment bodies in activity, the number of certificates issued, and the number of corrective actions taken by the peer-reviewed NCCA;
(c)
where the peer-reviewed NCCA allows the issuing of European cybersecurity certificates at level ‘high’ upon prior approval or on the basis of a general delegation of the task as set out in Article 56(6) of Regulation (EU) 2019/881, the expertise of the staff, and the procedures via which the peer-reviewed NCCA monitors and supervises the activities of the conformity assessment bodies.