Is it correct to assume that COTS IT/network elements (e.g. servers, routers, switches) do not have the need for certification or declaration, if they are not part of the equipment subject to certification/declaration? E.g. certified software is delivered by DPO, which can be run on any platform/network at the ANSP, which is not certified but fulfils the specifications provided by the DPO.
Boundaries of the system / constituent are defined by the DPO. As such, COTS IT equipment can be well outside of the system subject to certification / declaration. Such system can be composed of SW only.
When a certain equipment requires underlying/supporting infrastructure (e.g. IT, network, cloud), the characteristics and requirements for this infrastructure are to be defined by the DPO and provided to the ANSP with the installation and operation instructions and any other integration requirements. The underlying infrastructure does not necessitate to be part of the equipment design and therefore does not necessarily form part of the certification envelope.