Cybersecurity Act

The MDIA is designated as a National Cybersecurity Certification Authority (NCCA) in Malta. In this role, with the powers conferred to it under the Cybersecurity Act and the Subsidiary Legislation for Cybersecurity Certification Regulations, the MDIA has the function of:

Supervising and enforcing European cybersecurity certification scheme rules for the monitoring of compliance with certificates issued in Malta.
Monitoring compliance with and enforcing obligations of manufacturers or service providers, that are established in Malta and that carry out conformity self-assessment Supporting the National Accreditation Body (NAB) in monitoring and supervision of the activities of conformity assessment bodies.
Authorising conformity assessment bodies in accordance with the applicable requirements, and restrict, suspend or withdraw existing authorisation in case of infringements.
Handling complaints by natural or legal persons in relation to European cybersecurity certificates issued by conformity assessment bodies

At EU level, the MDIA works with the European Commission, ENISA and other EU NCCAs to support consistent cybersecurity certification across Europe. This includes:

Active participation in the European Cybersecurity Certification Group (ECCG) and pertinent subgroups.
Taking part in the EU peer review mechanism for NCCAs.
Sharing information and best practices through the ECCG.
Collaborates with other EU NCCAs when cross border coordination is needed, including through the ECCG.

Once a European cybersecurity certification scheme is adopted, manufacturers or providers of ICT products, ICT services, ICT processes, and managed security services should be able to submit applications for certification of their ICT products or ICT services to the conformity assessment body of their choice anywhere in the Union.

A European cybersecurity certification scheme may allow for the conformity self-assessment under the sole responsibility of the manufacturer or provider of ICT products, ICT services, ICT processes, and managed security services. Conformity self-assessment shall be permitted only in relation to ICT products, ICT services, ICT processes, and managed security services that present a low risk corresponding to assurance level ‘basic’. The manufacturer or provider of ICT products, ICT services, ICT processes, and managed security services may issue an EU statement of conformity stating that the fulfilment of the requirements set out in the scheme has been demonstrated. By issuing such a statement, the manufacturer or provider of ICT products, ICT services, ICT processes, and managed security services shall assume responsibility for the compliance of the of ICT products, ICT services, ICT processes, and managed security services with the requirements set out in that scheme.

The manufacturer or provider of ICT products, ICT services, ICT processes, and managed security services shall make the EU statement of conformity, technical documentation, and all other relevant information relating to the conformity of the of ICT products, ICT services, ICT processes, and managed security services with the scheme available to the Malta Digital Innovation Authority as the national cybersecurity certification authority referred to in Article 58 for the period provided for in the corresponding European cybersecurity certification scheme. A copy of the EU statement of conformity shall be submitted to the national cybersecurity certification authority and to ENISA.

The European Union Cybersecurity Certification Scheme on Common Criteria (EUCC) is an EU wide cybersecurity certification scheme, adopted under the Cybersecurity Act (CSA), for assessing and certifying the cybersecurity of ICT Products and related protection profiles, as set out in the EUCC Implementing Regulation.

Under the EUCC scheme, the EU has established a harmonised assessment process for the certification of ICT products, including technological components, hardware, and software. The scheme is based on the Common Criteria, an internationally recognised standard (ISO/IEC 15408) widely used at global level.

Certificates are issued at two assurance levels: ‘substantial’ and ‘high’, hat have been mapped with AVA_VAN, the vulnerability assessment class of the Common Criteria.

EUCC certification requires third party conformity assessment by accredited bodies and conformity self assessment is not permitted under the EUCC scheme. Information on applicable fees in relation to the procedures carried out by the MDIA pursuant to the Cybersecurity Act is available through the MDIA Administrative Guidelines.

Where a Conformity Assessment Body (CAB) such as Certification Body or Information Technology Security Evaluation Facilities (“ITSEF”) is accredited and competent to certify or evaluate, as per accreditation scope, at assurance level ‘substantial’, the CAB shall submit the notification form to the MDIA.

Accredited CABs may submit a Notification by contacting [email protected] for further information.

1. Confirm whether the relevant scheme requires authorisation (this applies only where the scheme includes additional/specific requirements).

2. Obtain accreditation as required based on the specific activities to be carried out by the CAB, pursuant to the requirements of the scheme and required competences from the National Accreditation Board.

3. Submit an Authorisation Application to the MDIA, where authorisation is required, by contacting [email protected]

4. MDIA carries out the relevant assessment and issues decision for the relevant scheme and scope.

5. EU-level notification: MDIA notifies the European Commission of authorised CABs for the relevant scheme, in line with EU notification rules on procedures and formats.

CABs looking to seek first time authorisation, or renewal, may contact [email protected] for further information.

The MDIA has adopted a prior-approval model, where a European cybersecurity certification scheme pursuant to the Cybersecurity Act, requires an assurance level ‘high’. In such cases, the European cybersecurity certificate under that scheme is to be issued upon prior approval by the MDIA for each individual European cybersecurity certificate issued by a conformity assessment body.

1. Notification

The authorised CAB submits a formal certification notification to the MDIA to open a certification case, which shall include, the scheme and certification scope, stakeholder information, target and security specifications, composite product details, any other technical details as may be required.

For more information please contact [email protected].

2. Request for Certification Approval

Before any EUCC certificate is issued under the prior approval model, the authorised Certification Body submits a formal request for certification approval to the MDIA, linked to the reference assigned during the prior approval notification phase.

The MDIA then assesses the approval request and issues the formal approval or rejection decision to the Certification Body.

For more information please contact [email protected].