The EUCC scheme allows ICT suppliers who wish to demonstrate assurance to go through an assessment process commonly understood across the EU to certify ICT products such as technological components (chips, smartcards), hardware and software.

With EUCC, the EU has commonly agreed on an assessment process to certify ICT products such as technological components, hardware and software. The scheme is based on the Common Criteria, an international standard (ISO/IEC 15408) that is broadly used worldwide.
Some regulations might require Common Criteria certification, but in all cases, such a certificate provides a competitive advantage by giving trust to customers and users.
EUCC in Application
The scope of EUCC
The vendor or manufacturer can specify the security functional requirements (SFRs) and security assurance requirements (SARs) against which their ICT products will be assessed. The methodology also allows Protection Profiles to be defined for product categories.
These requirements also allow an assurance level to be indicated: the EUCC covers two, ‘substantial’ and ‘high’, which have been mapped to AVA_VAN, the vulnerability assessment class of the Common Criteria.
EUCC Certificates
Since February 2025, EUCC certificates can be issued. Certificates are issued by certification bodies based on an evaluation carried out by an accredited and, where necessary, authorised laboratory. The laboratory performs the documentary and technical assessment activities defined by the Common Criteria standard.
During the validity period of their certificate, ICT products are subject to monitoring, vulnerability management, and disclosure procedures.
The ENISA website dedicated to certification will present EUCC certificates and other EU certificates issued under the CSA.
EUCC, a live scheme
ENISA first developed a candidate scheme in 2020, with the support of an ad hoc Working Group, drawing extensively on the experience of the SOG-IS Mutual Recognition Agreement.
The EUCC scheme, adopted in 2024 and amended since then, is now in operation and under regular maintenance.
Access EUCC Library
EUCC is composed of a rich set of documents, from the Implementing Act and its amendments to state-of-the-art documents and guidelines.

EUCC Certification scheme Documents
Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 (EUCC Implementing Regulation) made reference to ISO/IEC standards, but didn’t specify the applicable version of those standards. Commission Implementing Regulation (EU) 2024/3144 of 18 December 2024 (EUCC amendment) therefore specified which version of the standards applies for certificates issued under the EUCC, and defined transition rules that would align with global practices, such as those set out by the CCRA (see in particular Article 1 of the amendment).
In line with the amended Articles 2 and 3 of the EUCC Implementing Regulation, the following standards shall apply to evaluations performed under the EUCC scheme:
- the Common Criteria, as set out in standards ISO/IEC 15408-1:2022, ISO/IEC 15408-2:2022, ISO/IEC 15408-3:2022, ISO/IEC 15408-4:2022 or ISO/IEC 15408-5:2022, or set out in Common Criteria for Information Technology Security Evaluation, version CC:2022, Parts 1 through 5, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security;
- the Common Evaluation Methodology, as set out in standard ISO/IEC 18045:2022, or the Common Methodology for Information Technology Security Evaluation, version CEM:2022, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security.
In addition, the use of the errata to CC:2022 and CEM:2022 available on the CCRA portal is not mandatory but is recommended to allow consistency in the interpretations with the CCRA.
Furthermore, the transition rules between the former and latest version of the above-mentioned standards were defined in Article 3 of the EUCC Implementing Regulation. Such rules enable the use of the older standard versions within the defined timeframe and ensure sufficient time to update relevant protection profiles as appropriate. More specifically, the amended Article 3 reads as follows:
“2. Until 31 December 2027, a certificate may be issued under the EUCC scheme applying either of the following standards:
- ISO/IEC 15408-1:2009, ISO/IEC 15408-2:2008 or ISO/IEC 15408-3:2008;
- Common Criteria for Information Technology Security Evaluation, version 3.1, revision 5, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security;
- ISO/IEC 18045:2008;
- Common Methodology for Information Technology Security Evaluation, revision 5, version 3.1, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security.
3. Until 31 December 2027, a certificate applying the standards referred to in paragraph 1 may be issued under the EUCC scheme claiming conformance to a protection profile that has applied the standards listed in paragraph 2.
4. A certificate applying the standards referred to in paragraph 1 may also be issued under the EUCC scheme claiming conformance to a protection profile that has applied either of the following standards, provided that the use of such protection profile is required under Commission Implementing Regulation (EU) 2016/799, Regulation (EU) No 910/2014 of the European Parliament and of the Council or Commission Implementing Decision (EU) 2016/650:
- Common Criteria for Information Technology Security Evaluation, version 3.1, revision 1 to 4, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security;
- Common Methodology for Information Technology Security Evaluation, version 3.1., revision 1 to 4, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security.”
A consolidated version of the EUCC Implementing Regulation that includes the amendments made to the scheme with Regulation (EU) 2024/3144 can be found here (please note that the consolidated text is meant purely as a documentation tool and has no legal effect).
A presentation of the EUCC scheme review, including clarifications on the applicable standards and the transition rules, is provided here.
Article 5(1) of the EUCC Implementing Regulation sets out the following:
“1. Certification of an ICT product shall be carried out against its security target:
- as defined by the applicant; or
- incorporating a certified protection profile as part of the ICT process, where the ICT product falls in the ICT product category covered by that protection profile.”
Therefore, the EUCC Implementing Regulation allows the following options:
- (a) to develop a security target which does not refer to any PP;
- (b) to develop a security target which refers to a non-EUCC-certified PP, and still assess conformance to that PP in the certification report; or
- (c) to incorporate an EUCC-certified PP.
Where the applicant defines the security target based on a non-EUCC-certified PP (option (b)), the certification body (CB) takes full responsibility for the certification results. It is hence up to the CB to ensure that all relevant and necessary activities have been performed and that the results of the certification against this PP are in line with the EUCC requirements.
According to Article 7(1)(e) of the EUCC Implementing Regulation, the PPs listed in Annex II shall apply where the ICT product submitted for evaluation falls into the category covered by the PP.
Protection profiles listed in Annex III are recommended, as per recital (31) of the EUCC Implementing Regulation.
The general rule is that a new or updated version of a state-of-the-art (SotA) document should be applied to certification processes initiated after the SotA becomes applicable through the adoption of the amendment to the EUCC. However, considering that the Common Criteria (CC) mandate the use by ITSEFs of the most recent versions of the vulnerability assessment and attack potential methodologies, it is highly recommended to use the latest draft versions of the ‘Application of attack potential to smart cards and similar devices’ and ‘Application of attack potential to hardware devices with security boxes’ SotAs, endorsed by the ECCG and published on the ENISA certification website, even before they become formally applicable.
In a nutshell:
Accreditation is mandatory to perform evaluation and certification activities at assurance level ‘substantial’, and authorisation, in addition, is required to perform similar activities at assurance level ‘high’.
To go further:
Pursuant to Article 9(1) of the EUCC Implementing Regulation, the certification bodies shall issue an EUCC certificate under certain conditions listed there, one of which is that:
“the category of ICT product falls within the scope of the accreditation, and where applicable of the authorisation, of the certification body and the ITSEF involved in the certification” (point (a) of Article 9(1)).
In addition, Article 21(1) outlines additional or specific requirements for a certification body, which read as follows:
“1. A certification body shall be authorised by the national cybersecurity certification authority to issue EUCC certificates at assurance level ‘high’ where that body demonstrates that, in addition to meeting the requirements laid down in Article 60(1) and the Annex to Regulation (EU) 2019/881 regarding accreditation of conformity assessment bodies, the following:
- it has the expertise and competences required for the certification decision at assurance level ‘high’;
- it conducts its certification activities in cooperation with an ITSEF authorised in accordance with Article 22; and
- it has the requisite competences and put in place appropriate technical and operational measures to effectively protect confidential and sensitive information for assurance level ‘high’, in addition to the requirements set out in Article 43.”,
whereas Article 22(1) sets out additional or specific requirements for an ITSEF:
“1. An ITSEF shall be authorised by the national cybersecurity certification authority to carry out the evaluation of ICT products which are subject to certification under the assurance level ‘high’, where the ITSEF demonstrates that, in addition to meeting the requirements laid down in Article 60(1) and the Annex to Regulation (EU) 2019/881 regarding accreditation of conformity assessment bodies, it complies with all of the following conditions:
- it has the necessary expertise for performing the evaluation activities to determine the resistance to state-of-the-art cyberattacks carried out by actors with significant skills and resources;
- for the technical domains and protection profiles, which are part of the ICT process for those ICT products, it has:
  - the expertise to perform the specific evaluation activities necessary to methodically determine a target of evaluation’s resistance against skilled attackers in its operational environment assuming an attack potential of ‘moderate’ or ‘high’ as set out in the standards referred to in Article 3;
  - the technical competences as specified in the state-of-the-art documents listed in Annex I;
- it has the requisite competences and put in place appropriate technical and operational measures to effectively protect confidential and sensitive information for assurance level ‘high’ in addition to the requirements set out in Article 43.”
The list of accredited and authorised conformity assessment bodies (CABs), as notified by the NCCAs to the European Commission, is available on the NANDO platform.
Notification and NANDO allow everyone to know, in one single place, which CABs have reached the accreditation and, where relevant, authorisation requirements.
Frequently Asked Questions on Certification process
This section presents questions and answers on the generic certification process.
Yes, the manufacturer or provider of ICT products, services or processes can obtain a certificate from a CAB of its choice in the EU that is accredited pursuant to Article 60 of the CSA under the scheme concerned. The same rationale applies to cases under Article 56(6) where a certificate has to be issued by the CB of an NCCA, by a delegated CB, or by a CB under the prior approval model.