ARTICLES OF ASSOCIATION OF EUCC ISAC AISBL

CHAPTER 1 – NAME, REGISTERED OFFICE, PURPOSE, DURATION

 

Article 1. Name

  • An international not-for-profit association (“association internationale sans but lucratif”/“internationale vereniging zonder winstoogmerk”) is incorporated under the name “EU Common Criteria Information Sharing and Analysis Centre”, abbreviated “EUCC ISAC” (for the purpose of these articles of association, the “Association”).
  • This name shall be mentioned in all deeds, invoices, announcements, publications, letters, order notes, websites and other documents, whether electronic or not, issued by the Association, and shall immediately be preceded or followed by the words “association internationale sans but lucratif” or “internationale vereniging zonder winstoogmerk” or by its abbreviation “AISBL” or “IVZW”.

Article 2. Registered office

  • The registered office of the Association is located in the Brussels Region.
  • The Board of Directors has the competence to move the address of the registered office to any place within the Brussels Region in compliance with the Belgian language legislation. The Board may fulfil the necessary publications to these ends.

Article 3. Purpose

The Association has an international not-for-profit purpose and will not directly or indirectly distribute profits. The objectives of the Association are to ensure a permanent forum for public and private entities involved in the EUCC (EU Common Criteria) certification scheme by:

  • Facilitating the cooperation between the European Union Agency for Cybersecurity (ENISA), the European Commission, National cybersecurity certification authorities, the European Cybersecurity Certification Group (ECCG), and private organisations through capacity-building and the exchange of information;
  • Enhancing a long-lasting collaboration between the members of ECCG subgroup for EUCC maintenance and review (EsEm) and the EUCC community;
  • Providing support to the European Commission, ENISA, the EU Member states, the European Cybersecurity Certification Group and its sub-group when it comes to certification within the European cybersecurity certification framework;
  • Providing inputs and support for international cooperation and mutual recognition with third countries;
  • Providing inputs and support for recognition and acceptance of the EUCC scheme in commonly used private schemes;
  • Providing public authorities with the necessary inputs for the mission of EsEm by:
    • Providing support for the supporting documents maintenance (guidance and state-of-the-art (SoA) documents) that have been published on the ENISA cybersecurity certification website;
    • Providing support to new supporting documents to better harmonise and improve evaluation methods at both the substantial and high assurance levels;
    • Ensuring consistency of evaluation methods and testing across technical domains, from basic to high assurance levels;
    • Providing guidance metrics to calculate the attack potential required by an attacker to effect an attack;
    • Providing the necessary means to define and quote the potential cyberattacks (updates of attack methods and attack catalogues) to fulfil the requirement of the CSA of mandatory pen-testing for the level high;
    • Providing interpretation and Guidance on Common Criteria standards (ISO/IEC 15408) and its associated Common Evaluation Methodology (CEM) (ISO/IEC 18045) and Assurance Continuity;
    • Analysing vulnerabilities and fostering information sharing as required by the Cybersecurity Act (CSA);
    • Setting-up technical communities and related technical working groups to address the certification of security technologies with accurate expertise and proper awareness of eco-systems;
  • Giving assistance to European Cybersecurity Certification scheme that relies on the use of Common Criteria methodologies;
  • Providing feedback on usability of the scheme, seeking continuous improvement;
  • Providing the necessary elements for the development of EU Cybersecurity Certification Schemes, European and world-wide standards in the fields of cybersecurity and Common Criteria;
  • Developing cross-sectorial cooperation in order to enhance the robustness and tamper-resistance of certified products;
  • Fostering cooperation, information exchange and assistance amongst Manufacturers and providers of certified ICT products, Conformity Assessment Bodies (CABs), with a view to establishing expert views for discussion with the institutions of the European Union (EU) and, in particular, with the European Commission, ENISA and the European Cybersecurity Certification Group (ECCG) and its subgroups in particular EsEm;
  • Contributing to the advancement of development of European and world-wide acceptance of Common Criteria;
  • Providing a framework for the discussion of regulatory issues and exchange of experience;
  • Enhancing relations with similar associations outside the EU area;
  • Working together, where possible, to establish common policies among the European ISACs on relevant cybersecurity topics;
  • Supporting where applicable the development of new Technical Domains (TDs);
  • Supporting where applicable the development of specific Protection Profiles that would permit, in accordance with the conditions defined in Article 6 of the EUCC scheme, the certification above AVA_VAN.3 for ICT products that are not covered by a Technical Domain; such Protection Profiles are considered as state-of-the-art documents;
  • Provide support to other schemes issued under the European Cybersecurity Certification Framework;
  • Establish pilots eventually supporting the adoption of new supporting documents, new versions of the EUCC scheme provisions or annexes, or new versions of referred standards;
  • For the scope associated to its activities, provide support or propose recommendations to the EsEm for revisions of the EUCC scheme or annexes, or the adoption of the new version of referred standards, or their revision, and eventually conduct pilots and provide related lessons learned.

Article 4. Activities

  • In order to meet these objectives, the Association will, among other initiatives:
    • Provide the necessary means to define and quote the potential attacks (updates of attack methods and attack catalogues) to support the maintenance of the EUCC Scheme and fulfil the Cybersecurity Act requirements of mandatory pen-testing for the level high;
    • Provide interpretation and Guidance on Common Criteria standards (ISO/IEC 15408) and its associated Common Evaluation Methodology (CEM) (ISO/IEC 18045) and Assurance Continuity;
    • Provide technical information on vulnerabilities of EUCC certified products to appropriate bodies;
    • Create dedicated working groups and technical communities to address specific security technologies;
    • Undertake any other actions necessary to reach, further or support the objectives of the Association.
  • In the fulfilment of its objectives, the Association may carry out any act or activity in accordance with the law, in particular any legal provisions with respect to international not-for-profit associations. This includes, among others, the recruitment of staff, the acquisition, lease or rent, production, transfer or exchange of all movable and immovable properties, to contract, to borrow and lend money, provide mortgages, pledges or any other form of guarantee on its possessions.

Article 5. Duration

The duration of the Association is unlimited. The Association may be dissolved at any moment in accordance with then applicable law and these articles of association (the “Articles of Association”).

CHAPTER 2 – MEMBERS

 

Article 6. Membership

The Association’s membership is made of:

  • Executive members, which are full Members (as defined below) with voting rights:
    • National cybersecurity certification authorities (“NCCAs” or, individually, an “NCCA”) or Conformity assessment bodies (“CABs” or, individually, a “CAB”) operated by an NCCA involved in the EsEm or, if any such NCCA or CAB operated by an NCCA does not have legal personality or prefers not becoming a Member, a senior representative of the NCCA or the CAB operated by an NCCA involved in the EsEm;
    • National Accreditation Bodies (“NABs” or, individually, an “NAB”) or, if any such NAB does not have legal personality, a senior representative of the NAB;
    • Manufacturers or providers of certified ICT products that have relevant and recent products within the last 3 years evaluated in Europe by a CAB under the EUCC Scheme and that expressed sufficient and motivated interests in EUCC scheme product certification; Representative of a member organisation should demonstrate pertinent skills related to the work conducted by the technical groups;
    • CABs that are not operated by an NCCA, accredited under the Cybersecurity certification framework by a qualified NAB or, if any such CAB that is not operated by an NCCA does not have legal personality, a senior representative of the CAB accredited under the Cybersecurity certification framework by a qualified NAB;
    • Labs and Information Technology Security Evaluation Facilities (ITSEFs), that operate within the European Union and supported by an NCCA; Representative of such member organisations should demonstrate pertinent skills related to the work conducted by the technical groups;
    • End-user group or an organisation contributing to the development or using the EUCC Scheme certified products (e.g. Payment schemes, Telcos, trade associations etc.) and which have a significant part of their business in Europe.

 

Executive members have direct access to the General Assembly, the Steering Committee and Technical Groups with voting rights. This is without prejudice to the possibility for each Technical Group to exclude an Executive member from participation to this Technical Group as stipulated under Article 27.6.

 

  • Associate members, which are Members (as defined below) with no voting rights:
    • One or several senior representatives designated by the EsEm;
    • NCCAs or CABs operated by an NCCA involved in the EsEm or, if any such NCCA or CAB operated by an NCCA does not have legal personality or prefers not becoming a Member, a senior representative of the NCCA or CAB operated by an NCCA involved in the EsEm;
    • NABs or, if any such NAB does not have legal personality, a senior representative of the NAB.

Associate members have direct access to the General Assembly, the Steering Committee and Technical Groups without voting rights. This is without prejudice to the possibility for each Technical Group to exclude an Associate member from participation to this Technical Group as stipulated under Article 27.6.

Executive members and Associate members are together referred to as the “Members” and individually as a “Member”.

In principle, membership is not automatic. Admission shall take place as stipulated under Article 9.

Article 7. Observers

  • If the conditions of Articles 6.1 and/or 6.2 are not fulfilled, an observership can be applied for under the following conditions for non-European public authorities and consortia led by non-European public authorities which fulfil one of the following conditions (the “Observers”):
    • to be a Cybersecurity certification authority operating outside the European Union that shows its interest in Common Criteria and in the EUCC scheme or, if such non-European Cybersecurity certification authority does not have legal personality, a senior representative of the non-European Cybersecurity certification authority;
    • to be a non-European consortium made of laboratories, conformity assessment bodies, vendors and led by a third-country national cybersecurity certification authority.
  • The rights and benefits of Observers are limited to those rights which are explicitly granted to them under these Articles of Association and/or under an Observer agreement approved by the Steering Committee and the Technical Group(s) concerned.

Article 8. Number

The number of Executive members is unlimited but may not be less than 2.

 

Article 9. Admission

  • Admission of Executive members

Any organisation with legal personality which fulfils one of the conditions stipulated under Article 6.1 or, when made possible under Article 6.1, any natural person who is a senior representative duly designated by such organisation may become an Executive member provided it/he/she is admitted as an Executive member by a Technical Group and the Steering Committee pursuant to this Article 9. The admission shall not only be based on the conditions listed under Article 6.1 but also on the profile and the expected contribution of the candidate (the organisation and/or its senior representative) to the Association.

  • Admission of Associate members

Any organisation with legal personality which fulfils one of the conditions stipulated under Article 6.2 or, when made possible under Article 6.2, any natural person who is a senior representative duly designated by such organisation may become an Associate member provided it/he/she is admitted as an Associate member by a Technical Group and the Steering Committee pursuant to this Article 9. The admission shall not only be based on the conditions listed under Article 6.2 but also on the profile and the expected contribution of the candidate (the organisation and/or its senior representative) to the Association.

  • Admission of Observers

Any organisation with legal personality which fulfils one of the conditions stipulated under Article 7.1 or, when made possible under Article 7.1, any natural person who is a senior representative duly designated by such organisation may become an Observer provided it/he/she is admitted as an Observer by the Steering Committee pursuant to this Article 9. The Steering Committee decides on the duration and on the conditions under which the Observer can participate in the Association’s activities. The admission shall not only be based on the conditions listed under Article 7.1 but also on the profile and the expected contribution of the candidate (the organisation and/or its senior representative) to the Association.

  • Automatic Members

In derogation to Articles 9.1 and 9.2, at any time the following organisations (or their designated senior representative, if applicable) have the right to become Members without any Membership assessment/admission being required (the “Automatic Members”):

  • NCCAs and CABs operated by an NCCA involved in the EsEm or, if any such NCCA or CAB operated by an NCCA does not have legal personality or prefers not becoming a Member, a senior representative of the NCCA or CAB operated by an NCCA involved in the EsEm;
  • a senior representative of ENISA – the European Cybersecurity Agency;
  • the European Commission (represented by DG Connect’s representatives) or if it prefers not becoming a Member, a senior representative of the European Commission.
  • Eurosmart AISBL

Each Automatic Member has the right to be represented at the level of the Steering Committee.

Also in derogation to Articles 9.1 and 9.2, within one year after the incorporation of the Association the following organisations (or their designated senior representative, if applicable) (the “Historic Members”) have the right to become Members without any Membership assessment/admission being required: the organisations (or their senior representative, if applicable) which were, as per 30 June 2024, members of the following technical groups coordinated by the Joint Interpretations Working group (JIWG) of the Senior Officials Group Information Systems Security (SOG-IS) Recognition Agreement:

  • JHAS (JIL Hardware-related Attacks Subgroup);
  • JEDS (JIWG Embedded Devices Subgroup);
  • ISCI WG1 (International Smartcard Certification Initiative – Working Group 1).

All other candidates to Membership require the prior express decision by a Technical Group and the Steering Committee to approve their admission as Members. This includes:

  • Manufacturers or providers of certified ICT products;
  • CABs that are not operated by NCCAs;
  • Labs and Information Technology Security Evaluation Facilities (ITSEFs);
  • End-user groups or organisations contributing to the development or using the EUCC Scheme certified products and which have a significant part of their business in Europe.

No derogations apply to the requirement for candidate Observers to seek and obtain their admission as provided under Article 9.3.

  • Membership application procedure

Each organisation which is a candidate to Membership or Observership (directly or through a senior representative) shall notify its application in writing to the relevant Technical Group (if applicable) and the Steering Committee. If applicable, the organisation shall indicate in its application which senior representative it designates to become a Member or an Observer. The organisation shall also indicate whether it applies to become an Executive member, an Associate member or an Observer. Any other information and documentation which is relevant for the application shall be included.

The Automatic Members and, within one year after the incorporation of the Association, the Historic Members shall automatically become Members of the Association upon notification of their application.

Regarding the application of other organisations, the Technical Group that receives the application must assess and, if appropriate, approve the admission as a Member. Once informed of the Technical Group’s approval, the Steering Committee can veto the Technical Group approval within a maximum period of 3 months. from the refusal to admit a new Member or Observer by a Technical Group or a veto by the Steering Committee against an admission should be motivated.

  • Membership in Trial Status

Manufacturers or providers of ICT products which have not yet realised an evaluation/certification under the EUCC scheme but have demonstrated sufficient interest in EUCC topics may request a Membership in Trial Status (MITS).

For the assessment of the MITS applications, a Technical Group’s Terms of Reference (ToR) should:

  • Specify and limit the rights of the MITS, which are limited to those explicitly granted to the MITS (which may be an Executive member or an Associate member in trial);
  • Set the trial period and its renewal and termination conditions;
  • Define objective criteria for the validation and the non-validation of the trial period.

MITS applications follow the same validation process as ordinary applications pursuant to Articles 9.1, 9.2 and 9.5.

Article 10. Resignation

Any Member or Observer may resign from the Association provided that it notifies the Secretariat thereof by a registered letter at least three months before the end of the financial year. The resignation becomes effective at the end of the financial year in which the Secretariat was notified or, if the resignation was notified to the Secretariat less than 3 months before the end of the financial year, at the end of the next financial year. The resigning Member or Observer shall fully comply with all its obligations as a Member or Observer, including the payment of any applicable Membership fees, until the effective date of its resignation.

 

Article 11. Automatic loss of Membership and Observership, periodic assessment and exclusion

11.1 Any Executive member, Associate member or Observer which no longer fulfils at least one of the conditions listed under respectively Article 6.1, Article 6.2 or Article 6.3, automatically loses its capacity as a Member or Observer of the Association. The Steering Committee or the Technical Group where the Member is involved may grant derogations. For the avoidance of doubt, any organisation without legal personality may at any time inform the Association that the senior representative which it designated in order to become a Member or an Observer is no longer a senior representative of the organisation, in which case such Member or Observer shall automatically lose his/her capacity as a Member or Observer. The organisation concerned may put forward a new senior representative for the purpose of becoming a Member or Observer, subject to being admitted as a Member or Observer by a Technical Group and/or the Steering Committee pursuant to Article 9 of the Articles of Association.

11.2 A Technical Group may decide to exclude any Member, MITS or Observer which does not conform to the statutes of the Association, the Terms of Reference (ToR) of the Technical Group it/he/she belongs to, or the IPR policy or if the Member, MITS or Observer has been acting against the interest and/or objectives of the Association and/or if its actions are detrimental to its good reputation, after giving that Member or Observer the opportunity to be heard in its/his/her defence. In the case of a disagreement by the Member, MITS or Observer with the decision of the Technical Group to terminate its/his/her Membership or Observership, the Member or Observer may request in writing to the Steering Committee to veto this exclusion. This request must be notified by the excluded Member or Observer to the Steering Committee within one month of the notification of the Technical Group’s decision to the excluded Member or Observer. Moreover, once informed about the Technical Group’s decision, the Steering Committee may, at its own initiative, veto the exclusion within a maximum period of 3 months.

Article 12. Register

  • The Board of Directors shall keep a register of the Members (including MITS) and a register of the Observers at the registered office of the Association.
  • The registers record the name, legal form (if applicable), nationality and registered office or domicile of each of the Members and Observers, respectively. All decisions regarding admission, resignation or exclusion of the Members and Observers are recorded in these registers by the Board of Directors within eight days of the Board of Directors having knowledge of the decision.
  • Members and Observers may consult these registers at the registered office of the Association.

 

Article 13. Contributions

  • The Association will be a self-financed and independent organisation supported through grants, public funding, Membership fees, subscriptions, donations and testamentary provisions and any transfer not prohibited by law.
  • In order to pursue the objectives and to carry out the activities of the Association, each Member may be required to pay Membership fees. As part of the annual budget, the Board of Directors may determine the applicable Membership fees for the next financial year as well as the payment terms thereof for each of the types of Members, except for the Automatic Members that are not subjected to any Membership fee obligation. If the Board of Directors fails to decide or agree on any change to the existing Membership fees, the last approved Membership fees shall apply.

 

CHAPTER 3 – GENERAL ASSEMBLY

Article 14. Composition

  • The General Assembly consists of all Executive members. Associate members and Observers can be invited (without voting rights) by a decision of the Steering Committee or the Board of Directors.
  • Upon invitation, third parties may participate in all or specific debates of a General Assembly meeting without voting rights.

 

Article 15. Powers

The General Assembly has the power to:

  • Elect and dismiss its statutory auditor (if any) and determine its remuneration;
  • Approve the annual accounts;
  • Determine the budget of the Association on a proposal from the Board of Directors;
  • Take any decision reserved by law or these Articles of Association to the General Assembly;
  • Advise the Steering Committee and the Technical Groups on any decision to fulfil the objectives set forth in Article 3;
  • Advise the Steering Committee on decisions with respect to public relations strategies and the communication of the views of the Association;
  • Propose the creation of new Technical Groups;
  • Approve any strategic decisions and/or decisions with a long-term impact;
  • Elect and dismiss Steering Committee members that are not de jure Steering Committee members;
  • Grant discharge to the Directors and the statutory auditor (if any);
  • Establish the internal rules of the Association;
  • Mandate the Board of Directors to develop a policy for the General Assembly;
  • Amend these Articles of Association;
  • Decide on the winding up of the Association and on the allocation of the surplus (after fulfilment of its liabilities).

The above powers are exclusively reserved to the General Assembly.

 

Article 16. Meetings

  • The General Assembly will be convened at least once a year and more frequently when appropriate. Members and Observers may attend the meetings of the General Assembly by telephone and/or audio-visual connection through the internet and/or video conferencing facilities, to the extent that these facilities are available. Members may give a power of attorney to other members in order to be represented at a General Assembly meeting by a duly mandated proxy holder. Each power of attorney must be in writing and should be sent in advance of the meeting to the President or the Secretary General. Similarly, any person representing a Member at a meeting of the General Assembly at which he or she participated by using telephone and/or audio-visual connection through the internet and/or video conferencing facilities, must have a power of attorney which shall be sent to the President (or the Secretary General) in advance of the meeting. For voting on deliberations, a Member (be it a natural person or a legal entity acting through its statutory representative or through an attorney-in-fact) shall not act as a proxy and/or vote on behalf of more than two other Members.

If a General Assembly is held remotely through digital channels, the President or the Secretary General shall inform the Executive members that they will have the possibility to participate remotely through digital channels. Executive members attending through digital channels shall be considered to be present at that meeting for the purpose of determining whether the quorum has been reached and their votes shall be taken into account in order to determine whether the required majority has been reached. In order for such remote participation to be valid, the Association must be able to verify, through the digital channels used, the capacity and identity of the (representative of the) member concerned. The Association’s Internal Rules may impose additional conditions for the use of digital channels in order to participate remotely to a General Assembly meeting provided the purpose of these additional conditions is to guarantee the security of the digital communication channel used. Without prejudice to any additional conditions or restrictions which may be imposed by law, the digital channels must at least enable the concerned to follow directly, simultaneously and continuously the discussions taking place within the General Assembly meeting and to exercise their right of vote on all matters regarding which the General Assembly is requested to take a decision. Moreover, the digital channel must enable the members to participate to the General Assembly’s deliberations and to ask questions unless the Steering Committee justifies in the convocation the reason why it cannot provide such digital communication channel. The convocation to the General Assembly meeting must include a clear and precise description of the procedure enabling a remote participation to the meeting. The minutes of the General Assembly meeting must mention the problems and technical incidents which have prevented or disturbed the remote participation to the General Assembly meeting or the vote. 
The officers of the General Assembly are not entitled to participate through digital channels.

  • Any meeting of the General Assembly may be convened by the Steering Committee or by the Board of Directors. The General Assembly must be convened by the Steering Committee, at the request of at least one fifth of its Members or of the statutory auditor (if any).
  • In principle, Associate Members and Observers may participate in the meetings of the General Assembly but without voting rights. However, the President or the Board of Directors may decide to convene meetings of the General Assembly, or part thereof that shall be open to Executive members only. Moreover, the General Assembly itself may decide at any time that access to part or the totality of a meeting of the General Assembly shall be limited to the Executive members. Materials related to such meetings or part thereof (including the minutes of the meeting) will be accessible to Executive members only.
  • Convocations to attend will be circulated to all Members and Observers (unless they are not invited) at least two weeks in advance. The date of each meeting, with the proposed agenda of the meeting, the attendance condition (physical, venue, conference call) shall be fixed and communicated to the Members and Observers (unless they are not invited) at least two weeks before the meeting.
  • The Board of Directors (if it convenes the General Assembly), or as the case may be, the Steering Committee (if it convenes the General Assembly), shall establish an agenda for each meeting. Any proposal from any Member or Observer may be added to the agenda. Unless otherwise agreed by the Board of Directors, or as the case may be, Steering Committee, proposed agenda items should be submitted in writing two weeks in advance of the meeting.
  • The meetings of the General Assembly are chaired by the President, even if he or she is not an Executive member. If the President is not an Executive member, he or she shall have no voting rights. Another Director shall replace and represent the President at the General Assembly in the case of the President’s absence or impediment. If the President were to step down before the end of the full mandate stipulated in Article 20.2, another Director will serve as acting President until elections are convened.

Article 17. Deliberations

  • Unless a stricter quorum is provided for in these Articles of Association and/or by Belgian law, the General Assembly may deliberate only if at least half (50%) of the Executive members (headcount) are present or represented. For the purpose of determining whether or not the required quorum is achieved:
    • Executive members who are present or represented at the meeting (even if they abstain from voting) and Executive members who vote (even if this is an abstention vote) through the electronic voting procedure are considered present;
    • Executive members who are not present or represented at the meeting and Executive members failing to vote through the electronic voting procedure are considered absent.
  • The Executive members present or represented at the General Assembly shall use their best efforts in order to reach consensus. Subject to a quorum being present, a decision of the General Assembly shall be taken by a simple majority of the votes unless a higher majority is imposed by law or these Articles of Association. Each Executive Member shall be entitled to one vote. For the purpose of determining whether or not the required majority is achieved:
    • Abstention votes and votes which are null and void are not taken into account in order to determine whether or not the required majority is achieved, i.e. whether or not the required majority is achieved must be calculated based on all validly expressed votes, excluding all abstention and null and void votes;
    • Executive members who do not attend and are not represented at the meeting and non-respondents in the electronic voting procedure are not taken into account in order to calculate whether the majority has been achieved.
  • If appropriate, the President, after having consulted the Board of Directors or the Steering Committee, may decide that the Executive members are also authorised to vote before a meeting of the General Assembly on the items which are on the agenda of the meeting of the General Assembly through an electronic vote. In such a case, the electronic voting system put into place by the Association must enable it to verify the quality and identity of the voting members. The voting procedure and instructions will make it possible to vote in favour (yes), against (no) or to abstain. Whenever the electronic voting procedure is applied, the President, assisted by the Secretary General (if any), shall ensure that all Executive members are aware that a vote is sought by electronic procedure. If the President or the relevant person sending the email invitation for the purpose of the electronic vote receives an “out-of-office” message accompanied by the request to address another person/address for urgent matters, then he/she must forward that message to the address indicated. The invitation to the electronic voting shall set out clearly the timescale for such electronic voting. Executive members should be given an appropriate period of time to prepare the vote, with a minimum of 10 working days as from the issuance of the invitations to vote. All practicalities of such electronic voting shall be clearly specified in the convocation to the General Assembly meeting. The electronic vote is secret. The President, assisted by the Secretary General (if any), will inform all Executive members of the outcome of the vote within 3 working days after the end of the electronic procedure and at the earliest at the end of the vote during the General Assembly meeting.
  • Resolutions by Executive members can be approved outside of a meeting of the General Assembly by unanimous written resolutions of all Executive members. The Secretary General or the President circulates the written resolutions and sets a deadline for the (electronic and/or wet ink) signing of the resolutions. The practical organisation of the unanimous written resolutions shall take place on the basis of the principles set out in the invitation to sign the written resolutions circulated by the Secretary General or the President and/or, if applicable, the Internal Rules.
  • The Articles of Association may be altered by the General Assembly following a proposal of the Steering Committee or the Board of Directors.

The General Assembly may deliberate on amendments of these Articles of Association only if at least two thirds of the Executive members are present or represented. These decisions require a two thirds majority of Executive members present or represented.

If two thirds of the Executive members are not present or represented at the first meeting, at least 15 days after the first meeting a second meeting may be convened which may validly deliberate irrespective of the number of Executive members present or represented.

If applicable, modifications to the Articles of Association are approved by the King and/or before a Belgian notary and are published in the Annexes of the Belgian State Gazette.

  • The General Assembly may deliberate on winding up the Association and its liquidation only if at least two thirds of the Executive members are present or represented. These decisions require a four-fifths majority of the Executive members present or represented.

If two thirds of the Executive members are not present or represented at the first meeting, at least 15 days after the first meeting a second meeting may be convened which may validly deliberate irrespective of the number of Executive members present or represented.

  • The General Assembly shall decide upon the allocation of the surplus which would remain after the payment of the debts of the Association.
  • If the law requires a majority or quorum which differs from and is stricter than the rules in these Articles of Association, the standards set by law will apply.

Article 18. Register

Decisions of the General Assembly are recorded in a special register that each Member and Observer may consult. In addition, their decisions may be published. However, materials and minutes relating to meetings which are not accessible to Associate members and/or Observers will be recorded in a special register which will be accessible to Executive members only.

CHAPTER 4 – BOARD OF DIRECTORS

Article 19. Composition

The Board of Directors (“conseil d’administration”) shall comprise at least 2 and no more than 4 Directors (including one President and one Treasurer). The Directors are the legal administrators of the Association. Only individuals (and not legal entities) can become Directors.

Directors must be elected by the voting members of the Steering Committee among candidates put forward by one or several Steering Committee Members. The replacement of any Director by a member of the same organisation shall require a decision by the Steering Committee.

Article 20. Directors, President and Treasurer

  • The Directors are elected by the Steering Committee for a period of one year. This term shall be renewable.
  • The President is elected by the Board of Directors among the Directors for a period of one year. This term shall be renewable.
  • A Treasurer may be elected by the Board of Directors among the Directors for a period of 1 year. This term shall be renewable.

Article 21. Powers and functioning

  • Without prejudice to the powers reserved to the Steering Committee and the General Assembly, the powers of the Board of Directors include:
    • prepare the annual accounts with the support of the Steering Committee to be approved by the General Assembly;
    • prepare the budget including the proposed Membership fee for the next financial year;
    • represent the Association towards third parties;
    • supervise the Secretariat.

The above powers are exclusively reserved to the Board of Directors. Moreover, the Board of Directors has the (not necessarily exclusive) powers expressly granted to it in these Articles of Association.

  • The Board of Directors organises the General Assembly meetings and executes all other tasks which are not delegated to the General Assembly or the Steering Committee by these Articles of Association or by law (i.e. residual powers).
  • Meetings of the Board of Directors are convened by any Director at least 5 days before the meeting (or two days if the matter is urgent). In order to validly deliberate and take decisions, at least more than one half of the Directors must be present or represented, regardless of the number of elected Directors. Subject to a quorum being present, a decision of the Board of Directors shall be taken by a simple majority of the votes.

Directors may attend the meetings of the Board of Directors by telephone and/or audio-visual connection through the Internet and/or video conferencing facilities. Directors so attending shall be considered to be present at that meeting. A Director may give a power of attorney in order to be represented at a meeting of the Board of Directors but to another Director only.

  • The minutes of all meetings of the Board of Directors shall be kept in a register. This register shall be accessible to any Executive member upon request to the Secretariat.

CHAPTER 5 – STEERING COMMITTEE

Article 22. Composition

22.1 The Steering Committee (“comité de direction”) is composed of

22.1.1 De jure Steering Committee members:

  • Representatives who are the chair and vice-chair of the EsEm;
  • The chairs and vice-chairs of each Technical Group. If a chair, co-chair or sub-chair of a Technical Group is not able to participate in the meeting, he/she may be replaced by another member of the Technical Group or according to their own decision-making processes;
  • The representatives or delegates of each NCCA and each CAB operated by NCCAs, involved in the EsEm;

22.1.2 Steering Committee members elected by the General Assembly:

  • Two representatives of Manufacturers or providers of certified ICT products at level “high”;
  • Two representatives of Manufacturers or providers of certified ICT products at level “substantial”;
  • Two CABs representatives for the level “high”;
  • Two CABs representatives for the level “substantial”;
  • One representative of End-user groups or organisations.

The Members of the Steering Committee that are not de jure members are elected by the General Assembly after having been selected from and presented by their peers:

  • Manufacturers or providers of certified ICT products shall present candidates for electing two representatives for level “high” and two representatives for level “substantial”;
  • CABs that are not operated by NCCAs shall present candidates for electing two representatives for level “high” and two representatives for level “substantial”;
  • End-user groups or organisations shall present candidates for electing one representative.

Article 23. Powers and functioning

  • Without prejudice to the powers reserved to the Board of Directors, pursuant to Article 21 and the General Assembly, the Steering Committee has the power to:
    • veto a Membership approval decision of a Technical Group;
    • veto a Membership exclusion decision of a Technical Group;
    • examine a request by an excluded Member or Observer and decide whether or not to maintain the decision of the Technical Group;
    • Ensure consistency and facilitate internal liaison between the technical groups;
    • Ensure a continuous dialogue between the public authorities’ members and the industry members with a particular focus on documents submitted by the technical groups to the EsEm;
    • Supervise all groups of the Association and ensure that the deliverables of the Association have received the proper feedback from the EsEm within their relevant group;
    • Establish the activity report of the Association and trace the progress in the Program of Work;
    • Address specific requests to the Technical Groups;
    • Provide recommendations to the TORs of the Technical Group;
    • Decide to create new Technical Groups;
    • Decide to create Technical sub-groups to address specific technical domains;
    • Decide to stop, or record the decision to stop, a Technical Group;
    • Maintain the Program of Work for the whole Association (this includes the creation, discussion and assignment of new tasks to groups) and provide recommendations for yearly work plan of the Technical Groups;
    • Create temporary task forces;
    • Decide transient or permanent liaison with any other entities, particularly with:
      • the EsEm, to exchange on priorities, support requests, and provide feedback on documents related to the maintenance of the EUCC scheme;
      • ENISA, the European Commission – DG Connect to define the modalities of participation for their representatives within the Steering Committee and the technical groups.
    • Receive and prepare liaison reports with defined entities.

The above powers, except for membership requests, are exclusively reserved to the Steering Committee. Moreover, the Steering Committee has the (not necessarily exclusive) powers expressly granted to it in these Articles of Association.

Article 24. Deliberation process

  • The normal deliberation process within the Steering Committee shall be consensus-based, with members encouraged to engage in open dialogue and constructive debate to reach mutual agreement on proposed decisions. Should consensus prove unattainable, the decision under consideration shall be subject to a vote. A quorum, constituting at least one half of the total number of Steering Committee members, must be present or represented for the vote to proceed. Each Steering Committee member shall be entitled to one vote. For a decision to be deemed valid, it must garner the support of at least 50% plus one vote cast by the Steering Committee members present or represented.
  • The Steering Committee shall possess the authority to exercise a veto solely in matters pertaining to the Membership application approved by a Technical Group and the exclusion of a Member approved by a Technical Group. In these specific instances, at least 3 voting members of the Steering Committee may propose the veto if they believe that the decision, as presented, poses a significant risk to the organisation’s integrity, values, or mission.

Upon proposing the veto, the member(s) must provide the reasons for their objection and, if applicable, offer alternative solutions or courses of action.

Subsequently, the Steering Committee shall convene to deliberate on the veto proposal. During this deliberation process, each member of the Steering Committee shall have the opportunity to express their perspectives, concerns, and insights.

Following thorough deliberation, the Steering Committee shall collectively determine the outcome of the veto proposal. If a consensus is reached among the Steering Committee members to uphold the veto, the decision of the Technical Group shall be overturned. However, if the Steering Committee members fail to reach a consensus, the Steering Committee may proceed to a vote in accordance with Article 24.1 of these Articles of Association.

  • When possible, the members of the Steering Committee may attend the meetings by telephone and/or audio-visual connection through the Internet and/or video conferencing facilities. Steering Committee members so attending shall be considered to be present at that meeting. A Steering Committee member may give a power of attorney in order to be represented at a meeting of the Steering Committee but to another member of the Steering Committee only.
  • When relevant, the minutes and record of decisions could be recorded, be kept in a register and be accessible to the Members upon request to the Secretariat. Upon decision of the Steering Committee, the minutes and/or the record of decisions can be transmitted to one or several Technical Groups.

CHAPTER 5 – SECRETARIAT

Article 25. Tasks

  • The Secretariat shall prepare and maintain the minutes of the meetings, assist the General Assembly, the Board of Directors, the Steering Committee and the Technical Groups in their functions and finally, execute all other functions assigned to it by the Association. The Secretariat shall support the groups of the Association in administrative and logistical aspects to allow technical experts to focus on technical discussions.
  • The Secretariat will work under the responsibility of the Board of Directors.

Article 26. General Secretariat

  • The Secretariat may be headed by a Secretary General or ensured by a subcontractor who is responsible for the tasks assigned to the Secretariat.
  • The Secretary General or the subcontractor shall be appointed by the Steering Committee on proposal by the President after consulting the Board of Directors. He/she/the subcontractor shall exercise the powers delegated to him/her by the Board of Directors, if any, and execute the tasks assigned to him/her by the Board of Directors, including the day-to-day management of the Association (if the Board of Directors so decides).

CHAPTER 6 – WORKING GROUPS

Article 27. Technical Groups – Task Forces

  • Technical Groups are the following:
    • Attack Management Group;
    • Evaluation and Certification Methodology Group;
    • PP Management Group;
    • Vulnerability Analysis Group.

Other Technical Groups or Technical sub-groups to address specific technical domains may be created by the Steering Committee.

  • Task forces may be created by the Steering Committee to ensure alignment and consistency between two or more Technical Groups, or to prepare the creation of a new Technical Group. The Steering Committee decides on the scope, duration, composition and validation process. A task force leader shall be appointed by the Steering Committee.
  • Technical Groups shall define their own specific Terms of Reference (“TOR”). TORs shall be submitted to the Steering Committee. Each TOR defines at least:
    • Mission and power of the Technical Group;
    • Composition;
    • Appointment of the chair of the Technical Group;
    • Functioning and decision-making process;
    • Compliance with the Intellectual property rights (IPR) of the Association;
    • Compliance with the Non-disclosure agreement (NDA) of the Association.
  • Chairs of the Technical Groups are members of the Steering Committee and represent their respective Technical Groups. The vote of the chairs at Steering Committee meetings must reflect a decision of the Technical Group. The chairs report decisions of the Steering Committee to their Technical Groups. The TORs of the Technical Group may provide further elements on the decision-making process and on the vote of the chair at the Steering Committee.
  • Membership requests should be addressed to the Technical Group(s) the applicant wants to join. Technical Group(s) approve and/or reject the application according to their TOR, subject to the Steering Committee’s veto right.
  • With the exception of Automatic Members, Technical Groups should monitor the contributions of their members. Such assessment shall take place at least every 3 years by each Technical Group or more often if so determined by the Technical Group’s TOR. The rules for contributions should be defined by the TOR of each Technical Group and should include at least regular attendance at meetings and participation in the work of the Technical Group. If a Technical Group member (except for Automatic Members) does not sufficiently fulfill these contribution obligations, the Technical Group may decide to exclude the member from the Technical Group.

CHAPTER 7 – REPRESENTATION

Article 28. Powers of representation

The Association will be validly represented by:

  • the Board of Directors;
  • Two Directors acting jointly;
  • The Secretary General within the limits of the powers granted by the Steering Committee;
  • Attorneys-in-fact within the limits of the powers granted by the Board of Directors.

CHAPTER 7 – ACCOUNTABILITY

Article 29. Accounting year

The accounting year begins on 1 January and ends on 31 December.

Article 30. Accounts

  • Each year and at the latest six months after the end of the accounting year, the Board of Directors will submit the annual accounts, established in accordance with the law, to the General Assembly.
  • Within thirty days of their approval by the General Assembly, the President will file the annual accounts as required by law.
  • If required by law, the General Assembly shall designate a statutory auditor.

Article 31. Budget

The Board of Directors, with prior approval of the Steering Committee, shall present a proposal for the budget for the next financial year to the General Assembly no later than at the end of the third quarter of the year preceding the budget year.

CHAPTER 7 – COMMUNICATION AND INTERNAL RULES

Article 32. Publications

The Technical Groups may publish the result of their meetings. Each Technical Group shall determine what information and which results shall be published regarding the conclusions of its meetings, decisions made and all other documents. The General Assembly/Board of Directors/each Technical Group shall also determine in what way the information and results shall be published.

Article 33. Working language

The working language of the Association shall be English. However, as long as the Association keeps its registered office in Brussels, all documents which the law requires to be drafted in French or in Dutch shall be drafted in French.

Article 34. Internal Rules, IPR policy, Terms of Reference

Practicalities, details and procedures in relation to the working of the General Assembly, the Board of Directors and the Secretariat which are not specified in these Articles of Association can be provided in the Association’s Internal Rules which are approved by the General Assembly and can be updated regularly. In such a case, the Board of Directors may amend and publish this amendment to the Articles of Association in order to include the date of these Internal Rules in the Articles of Association as provided by law.

Practicalities, details and procedures in relation to the working of each Technical Group which are not specified in these Articles of Association can be provided in the Technical Group’s Terms of Reference which are approved by the relevant Technical Group and can be updated regularly.

IPR policy can be adopted or modified by the General Assembly. This IPR policy shall be based on fair, reasonable and non-discriminatory (FRAND) terms and conditions. Decisions to adopt or alter the IPR policy of the Association are taken by a two thirds majority of the votes of the Executive members present or represented.

Article 35. Applicable law

All matters not expressly stipulated in the Articles of Association shall be governed by, and interpreted in accordance with, Belgian law.