ICT protection and encryption products
Organizations with secured communication and information systems must use protection products that have been approved by the competent National Security Authority or international organizations. More information can be found in the relevant regulations and in the safety instructions of classified contracts.
The National Distribution Authority (NDA) manages the material for cryptographic protection of classified information in Belgium.
For the protection of national classified information, and subject to prior consent, the NSA also allows the use of ICT security products that were approved by the Council of the European Union or NATO.
- List of ICT security products that were recognized by NATO (AC/322-D (2010) 0042 (22-09-2010))
- List of ICT security products that were recognized by the Council of the EU
Classified information at the ‘confidential’ level must also be protected against the abuse of unwanted electromagnetic radiation. This is done via security measures that protect electronic systems against eavesdropping and technical surveillance. Here too, the Council of the European Union and NATO work with products from certified companies. With prior permission, the NSA can allow the use of these products.
When a company or administration uses communication and information systems that handle classified information, those systems are subject to prior approval by the NSA. The certification procedure determines, through a risk assessment, whether the communication and information systems offer adequate protection in accordance with the applicable standards. All interconnections of communication and information systems must also be approved.
If you want to apply for certification of a communication and information system, you have to transfer the conformity certificate to the NSA through your local accreditation government (LSAA). On the basis of this certificate and following an audit, the NSA will decide whether it approves your information and communication systems.
A certification must be requested for:
- New communication and information systems
- Relocation of communication and information systems or interconnections
- Introduction of approved fixed abilities (e.g. introduction of Web servers)
- Introduction of new capacities (e.g. introduction of self-developed software)
The homologation of CIS and any interconnections takes place in two stages:
1. Test phase
During this phase, tests are carried out for a limited period. In the testing phase, only unclassified information may be exchanged.
During the second phase, it is assessed whether certification is granted. A certification is in principle valid for a maximum of 3 years.
In exceptional and urgent cases, where delay would cause serious damage, an accelerated procedure can be applied. Certification may then temporarily be allowed after approval. However, the relevant communication and information systems should be certified as soon as possible in accordance with the regular procedure described above.