On 29 August 2025, the European Commission closes the public consultation on the draft Commission Implementing Regulation laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council for the establishment of the plan for peer review of national cybersecurity certification authorities (NCCAs). The regulation details the procedures for five-yearly peer reviews of NCCAs by two NCCAs from other Member States and the European Commission, with the European Union Agency for Cybersecurity as an observer. It sets a fixed review schedule, allows postponement in exceptional cases, establishes a rotation system to ensure all Member States act as reviewers, and defines selection criteria for review team members. It also prescribes a common methodology including self-assessment, documentation review, interviews, and a maximum three-day on-site visit; outlines reporting, confidentiality, and secure-handling obligations; and provides for capacity-building led by the European Union Agency for Cybersecurity.