Certification at assurance levels ‘basic’ and ‘substantial’ assurance levels
For certification tasks at assurance levels ‘basic’ and ‘substantial’, a conformity assessment body must have the accreditation granted by a national accreditation body required by the certification scheme in question as well as the competence in accordance with the certification scheme. In Finland, FINAS acts as the national accreditation body.
Procedure
- The conformity assessment body applies for a suitable accreditation from the national accreditation body
- The conformity assessment body sends the accreditation certificate to the Finnish Transport and Communications Agency Traficom, which is responsible for the duties of the NCCA (National Cybersecurity Certification Authority). We will update our website with more detailed notification instructions later. If necessary, you can request more details on delivering the information from the address ncca@traficom.fi.
- The National Cybersecurity Certification Authority notifies the Commission and the European Union Agency for Cybersecurity (ENISA) about the information of the conformity assessment body. ENISA publishes information on the notified conformity assessment bodies on its website.
- If necessary, a kick-off meeting will be agreed between the conformity assessment body and the NCCA, in which practices and operating procedures related to the certification scheme will be reviewed.
Certification at assurance level ‘high’
For certification tasks at the assurance level ‘high’, the conformity assessment body must have the accreditation required by the certification scheme in question, granted by the national accreditation body, as well as the competence required by the certification scheme. In Finland, FINAS acts as the national accreditation body.
The assessment body must also meet the certification scheme specific additional requirements and receive an authorisation from the Finnish Transport and Communications Agency Traficom to act as a conformity assessment body for the assurance level ‘high’ within the requested scope of application.
Procedure
- The conformity assessment body submits an application for a suitable accreditation to the national accreditation body
- The conformity assessment body fills in the application and submits it with attachments to the Finnish Transport and Communications Agency Traficom, which is responsible for the duties of the NCCA (National Cybersecurity Certification Authority).
We will update our website with more detailed application instructions later. If you have any questions, you can send them to the address ncca@traficom.fi - Traficom reviews the application and initiates the authorisation process. Depending on the certification scheme, the authorisation process may include proof of compliance with the additional requirements through means such as an audit/surveys and a pilot project.
- Traficom makes the decision on the authorisation and notifies the applicant of its end result. Traficom also notifies the Commission and the European Union Agency for Cybersecurity (ENISA) about the information on authorised conformity assessment bodies. ENISA publishes information on the notified conformity assessment bodies on its website.
- If necessary, a kick-off meeting will be agreed between the conformity assessment body and the NCCA, in which practices and operating procedures related to the certification scheme will be reviewed.