法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·EU law / curated by LawPlayer from EUR-Lex

Regulation

Commission Implementing Regulation (EU) 2025/2540 of 9 December 2025 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the establishment of the plan for peer review

CELEX
Implementing Regulation (EU) 2025/2540
Date of document
Articles
10
Source
EUR-Lex
Article 1Schedule, frequency and cost of the peer reviews

1.   The peer reviews of the national cybersecurity certification authorities (NCCAs) shall be carried out in accordance with the schedule set out in Annex I. Each peer review shall be completed by the date indicated in that schedule and it shall thereafter be carried out once every five years.

2.   In exceptional circumstances, a peer-reviewed NCCA may submit a duly justified request to the Commission to postpone its peer review beyond the date indicated in the schedule set out in Annex I. The Commission shall, in cooperation with the European Cybersecurity Certification Group (ECCG) established by Article 62 of Regulation (EU) 2019/881, assess the request and inform all relevant parties of the outcome in a timely manner.

3.   Where a Member State, in accordance with Article 58(1) of Regulation (EU) 2019/881, has designated:

(a)

more than one NCCA in its territory, all the NCCAs of that Member State shall be peer reviewed in parallel;

(b)

the NCCA or NCCAs of another Member State, that NCCA or those NCCAs may be peer reviewed in accordance with the schedule laid down either for the designating Member State or for the Member State of the designated NCCA or NCCAs, with regard to the supervisory tasks carried out in the designating Member State.

4.   The European Union Agency for Cybersecurity (ENISA) shall make the following information publicly available on the website on European cybersecurity certification schemes created pursuant to Article 50 of Regulation (EU) 2019/881:

(a)

the information on the schedule set out in Annex I;

(b)

the list of peer-reviewer NCCAs maintained pursuant to Article 2(5).

5.   Each NCCA involved in the peer-review process shall bear its own participation costs.

Article 2Rotation system for peer-reviewer NCCAs

1.   In accordance with Article 59(4) of Regulation (EU) 2019/881, each peer review shall be carried out by two peer-reviewer NCCAs of other Member States and the Commission. The NCCAs of each Member State shall participate in the peer review of at least two NCCAs during each period set out in Annex I.

2.   The NCCAs of other Member States may participate in the peer review as observers with one or more representatives, with the agreement of the peer-reviewed NCCA, the peer-reviewer NCCAs and the Commission.

3.   One representative from ENISA may participate in the peer review as an observer. Additional representatives may also participate, with the agreement of the peer-reviewed NCCA, the peer-reviewer NCCAs and the Commission.

4.   Observers shall have access to the same information as the other members of the peer-review team, but shall not carry out tasks related to the execution of the peer review.

5.   ENISA, in cooperation with the Commission and the ECCG, shall propose and maintain the list of peer-reviewer NCCAs that are to carry out the schedule set out in Annex I. During a given year, ENISA, in cooperation with the Commission, shall ask NCCAs to express their interest in carrying out or participating as observers to the peer reviews of the NCCAs scheduled in Annex I for the following year.

6.   Where more than two NCCAs express their interest in carrying out the peer review of the same NCCA, the Commission and ENISA shall consult the interested NCCAs and decide on the peer-review participants.

7.   Where, in a given year, there are not enough peer-reviewer NCCAs expressing their interest in carrying out the peer reviews, the Commission shall, after consulting the ECCG, select NCCAs to carry out the peer reviews. In its selection, the Commission shall take into account the obligation of the NCCAs of each Member State to participate in the peer review of at least two NCCAs, referred to in paragraph 1.

Article 3Criteria on the composition of the peer review team

1.   In due time before the start of the peer review, each peer-reviewer NCCA shall designate one representative to carry out the peer review. Peer-reviewer NCCAs may designate more than one representative where that is required to ensure that the peer-review team has the necessary competences to carry out the peer review.

2.   The representative of peer-reviewer NCCAs, with the exception of representatives of NCCAs participating as observers, shall satisfy the following criteria:

(a)

have at least two years of experience working for the peer-reviewer NCCA or have participated in at least two peer reviews as observers;

(b)

possess sufficient knowledge of the cybersecurity certification framework set out by Regulation (EU) 2019/881;

(c)

have a good working knowledge of English and, where possible, of one or more of the languages spoken in the Member State of the peer-reviewed NCCAs;

(d)

operate independently from the peer-reviewed NCCA.

3.   Peer-reviewer NCCAs shall ensure that any risk of conflict of interest concerning the designated representatives is disclosed to the other NCCAs, the Commission and ENISA, before the start of the peer-review process. The peer-reviewed NCCA may object to the designation of particular representatives in accordance with paragraph 5.

4.   The peer-reviewer NCCAs shall choose one representative (‘the team leader’) from among themselves to coordinate the peer review.

5.   The Commission shall provide the peer-reviewed NCCA with the names and contact details of the representatives of the peer-reviewer NCCAs before the start of the peer review process. Where the peer-reviewed NCCA wishes to object to the nomination of one or more representatives, it shall, within two weeks, provide a clear justification to the Commission, inform ENISA and the ECCG, and request that the peer-reviewer NCCA nominate a different representative.

6.   Where the procedure set out in paragraph 5 causes undue delays in launching the peer review due to exceptional circumstances, the Commission, in consultation with ENISA and the ECCG, shall decide on the composition of the peer-review team.

Article 4Methodology for the peer review

1.   The peer review shall assess the aspects listed in Annex II, in accordance with Article 59(3) of Regulation (EU) 2019/881.

2.   ENISA, in cooperation with the ECCG and the Commission, may develop templates for the assessment of the processes established by the peer-reviewed NCCA.

3.   The peer review shall include the following:

(a)

a self-assessment questionnaire;

(b)

an assessment of relevant documentation;

(c)

online or physical interviews, or both;

(d)

an on-site visit.

4.   The length of the peer review may be agreed beforehand between the peer-review team and the peer-reviewed NCCA, depending on the size and complexity of the activities of the peer-reviewed NCCA. The on-site visit shall not last longer than three working days.

5.   Unless otherwise agreed by the peer-review team, the peer-reviewed NCCA and the Commission, the language of cooperation shall be English. The peer-review report referred to in Article 5 shall be drawn up at least in English.

6.   The peer-reviewed NCCA shall cooperate and provide the peer-review team with access to the information and documents that are necessary to carry out the peer review. The peer-reviewed NCCA shall submit the self-assessment questionnaire and the latest annual summary report adopted in accordance with Article 58(7), point (g), of Regulation (EU) 2019/881 at least 21 days before the date of the on-site visit. Additional documents shall be submitted upon request of the peer-review team, within 7 days from the receipt of such requests.

7.   Documents shall be provided in English unless otherwise agreed pursuant to paragraph 5. Where documents are not provided in English, the peer-review team may request that documents necessary to carry out the peer review be translated into English.

8.   Before drawing up the peer-review report in accordance with Article 5, the peer-review team shall discuss preliminary findings with the peer-reviewed NCCA.

Article 5Peer-review report

1.   Within 21 days of the execution of the peer review, the peer-review team shall draw up a draft peer-review report, which shall include details of the Member State of the peer-reviewed NCCA, the peer-reviewer NCCAs, the Commission and any observer, as well as findings and conclusions of the peer review. Where necessary, the report shall include recommendations to enable improvement on the aspects covered by the peer review.

2.   ENISA, in cooperation with the Commission and the ECCG, may develop a template for the peer-review report.

3.   After drawing up the draft peer-review report in accordance with paragraph 1, the peer-review team shall provide it to the peer-reviewed NCCA for comments to be made within 14 days. The peer-review team shall evaluate the comments and, where possible, integrate them into the final report, with a view to ensuring consensus. In case of disagreement, the response of the peer-reviewed NCCA shall be annexed to the final report.

4.   The final report shall be sent within two months from the execution of the peer-review to the ECCG, including a summary for publication. In accordance with Article 59(6) of Regulation (EU) 2019/881, the ECCG shall examine the report and endorse its summary, which shall be published on the website on European cybersecurity certification schemes created pursuant to Article 50 of Regulation (EU) 2019/881. The summary shall also include the response of the peer-reviewed NCCA or parts thereof, in agreement with the peer-reviewed NCCA.

5.   The peer-review team shall anonymise personal data that it may have collected during the peer review before circulating the peer-review report outside of the peer-review team.

Article 6Confidentiality

1.   All parties involved in the peer reviews shall respect the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular:

(a)

intellectual property rights and confidential business information or trade secrets of a natural or legal person, including source code, except the cases referred to in Article 5 of Directive (EU) 2016/943 of the European Parliament and of the Council  ( 3 ) ;

(b)

the effective implementation of this Regulation;

(c)

public and national security interests;

(d)

integrity of criminal or administrative proceedings.

2.   The peer-review team shall ensure that any information obtained through the peer-review process is handled securely. Once the final report and the summary referred to in Article 5(4) have been drawn up, the peer-review team, including any observer, shall delete or destroy all documents, other than the final report and the summary, that have been collected or generated as part of the peer-review process.

3.   ENISA, taking into account existing best practices of the NCCAs, may, in cooperation with the ECCG, develop guidelines on secure and confidential communications.

Article 7Capacity-building

ENISA shall analyse the aggregated results of the peer reviews and highlight lessons learned and best practices, in order to contribute to capacity-building for the NCCAs and to the maintenance of European cybersecurity certification schemes. That analysis may include, where appropriate, training and additional guidelines for NCCAs, developed in cooperation with the ECCG.

Article 8Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union .

Schedules & Appendices

ANNEX ISchedule of national cybersecurity certification authorities (NCCAs) that are subject to peer review

ANNEX I

Schedule of national cybersecurity certification authorities (NCCAs) that are subject to peer review

NCCAs of the following Member States shall be peer-reviewed by 31 December 2026 and every five years thereafter:

Sweden, Belgium, Slovakia, Germany, Malta, Czechia

NCCAs of the following Member States shall be peer-reviewed by 31 December 2027 and every five years thereafter:

Hungary, Greece, Estonia, Slovenia, Netherlands, Italy

NCCAs of the following Member States shall be peer-reviewed by 31 December 2028 and every five years thereafter:

Croatia, Denmark, Lithuania, Spain, Bulgaria, Ireland

NCCAs of the following Member States shall be peer-reviewed by 31 December 2029 and every five years thereafter:

Finland, Austria, Romania, Luxembourg, Latvia, Poland

NCCAs of the following Member States and EEA/EFTA countries shall be peer-reviewed by 31 December 2030 and every five years thereafter:

Cyprus, France, Portugal, Lichtenstein, Norway, Iceland

ANNEX IIMethodology of the peer review

ANNEX II

Methodology of the peer review

II.1    Separation between certification and supervisory activities

In assessing the separation between the certification activities and the supervisory activities of the peer-reviewed NCCA referred to in Article 59(3), point (a), of Regulation (EU) 2019/881, the peer review shall assess at least the following aspects:

(a)

a detailed description of the functioning of the peer-reviewed NCCA, clearly identifying the different entities and/or departments involved in the implementation of Regulation (EU) 2019/881;

(b)

a mapping of the activities of the peer-reviewed NCCA against the activities listed in Article 58(7) of Regulation (EU) 2019/881;

(c)

where the peer-reviewed NCCA issues certificates, an explanation demonstrating that there is no interference between its certification activities and the supervisory activities as identified in point (b).

II.2    Supervising and enforcing the rules for monitoring compliance with the certificates

In assessing the procedures of the peer-reviewed NCCA for supervising and enforcing the rules for monitoring the compliance of ICT products, ICT services and ICT processes and managed security services with European cybersecurity certificates referred to in Article 59(3), point (b), of Regulation (EU) 2019/881, the peer review shall assess at least the following aspects:

(a)

the quality and level of detailed description of such processes and procedures and the extent to which they are documented;

(b)

whether and to what extent such processes and procedures cover the relevant European cybersecurity certification schemes;

(c)

whether the peer-reviewed NCCA is effectively empowered to inspect conformity assessment bodies that issue certificates and, where necessary, to enforce the withdrawal of certificates;

(d)

the extent of the cooperation of the peer-reviewed NCCA with the relevant market surveillance authorities;

(e)

whether the peer-reviewed NCCA has a mechanism to handle complaints by natural or legal persons, required pursuant to Article 58(7), point (f), of Regulation (EU) 2019/881, including evidence as to whether natural and legal persons have the right to lodge a complaint and to obtain an effective judicial remedy in accordance with Articles 63 and 64 of that Regulation, respectively.

II.3    Monitoring and enforcing the obligations of manufacturers or providers

In assessing the procedures of the peer-reviewed NCCA for monitoring and enforcing the obligations of manufacturers or providers that carry out conformity self-assessment, as referred to in Article 59(3), point (c), of Regulation (EU) 2019/881, the peer review shall assess at least the following aspects:

(a)

whether the peer-reviewed NCCA has established such procedures and the extent to which they are documented, in particular whether it has established a mechanism to receive and process information from external sources;

(b)

whether and to what extent such procedures cover the relevant European cybersecurity certification schemes;

(c)

whether and to what extent the peer-reviewed NCCA carries out its own investigations and whether the scope of the investigations covers the obligations of manufacturers set out in Article 53(2) and (3) of Regulation (EU) 2019/881 and in the corresponding European cybersecurity certification schemes;

(d)

whether there is a procedure to exchange information between the certification activities and the supervisory activities of the peer-reviewed NCCA that are relevant to monitoring and enforcing the obligations of manufacturers or providers.

II.4    Monitoring, authorising and supervising conformity assessment bodies

In assessing the procedures of the peer-reviewed NCCA for monitoring, authorising and supervising the activities of the conformity assessment bodies, as referred to in Article 59(3), point (d), of Regulation (EU) 2019/881, the peer review shall assess at least the following aspects:

(a)

the quality and level of detailed description of such procedures and the extent to which they are documented, including for cooperation with the national accreditation body;

(b)

the key statistics on the number of authorisations granted, suspended or withdrawn, the total number of conformity assessment bodies in activity, the number of certificates issued, and the number of corrective actions taken by the peer-reviewed NCCA;

(c)

where the peer-reviewed NCCA allows the issuing of European cybersecurity certificates at level ‘high’ upon prior approval or on the basis of a general delegation of the task as set out in Article 56(6) of Regulation (EU) 2019/881, the expertise of the staff, and the procedures via which the peer-reviewed NCCA monitors and supervises the activities of the conformity assessment bodies.

10 articles

Cite this act

Commission Implementing Regulation (EU) 2025/2540 of 9 December 2025 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the establishment of the plan for peer review (EUR-Lex). Retrieved via LawPlayer, https://lawplayer.com/eu/act/32025R2540

© European Union, https://eur-lex.europa.eu, 1998-2026. Reuse authorised under Commission Decision 2011/833/EU, provided the source is acknowledged.

EU-EurLex-Reuse-2011-833

本頁資料來源:EUR-Lex·整理提供:法律人 LawPlayer· lawplayer.com