EU Cybersecurity Certification Platform

Becoming a CAB

Conformity Assessment Bodies (CABs) are entrusted with evaluating and certifying products, services, and processes to ensure they meet specific regulatory or industry standards. Becoming a CAB is a significant endeavor, as it involves substantial responsibility and expertise.

There are a few key points to consider if your organisation is interested in becoming one:

  • Understand the role of a CAB: It is crucial to have a comprehensive understanding of what CABs do. They are responsible for assessing and confirming that products, services, or processes adhere to existing cybersecurity standards or regulations. The main goal of CABs is to give certificate users confidence that the items they certify are cybersecure under the scheme in which they operate.
  • Define your scope: Determine the specific scheme (or schemes) in which your organisation wishes to operate. This may include schemes such as EUCC, EUCS and EU5G. This choice will determine the standards and regulations against which your organisation will be testing, assessing, and certifying.
  • Quality Management Systems: Your organisation shall implement robust quality management systems (QMS) to ensure consistency and reliability of your assessment processes. These systems shall adhere to international standards such as ISO/IEC 17065 for product and process certification or ISO/IEC 17021 for management systems certification.
  • State-of-the-art technical expertise: CABs are expected to possess deep technical knowledge in their chosen cybersecurity domain. Training your staff and qualifying their knowledge are crucial to conducting assessments and audits effectively, with the guarantee that novel attack methods and techniques cannot bypass the cybersecurity properties of the items under certification.
  • Develop assessment processes: Your organisation shall create standardised assessment and audit procedures specific to the schemes for which it wishes to act as a CAB. These procedures shall ensure that testing, validation of results and certification can be carried out in an objective, repeatable and traceable way.