EU Cybersecurity Certification Scheme on Common Criteria (EUCC)
The European Commission adopted the implementing regulation concerning the EU cybersecurity certification scheme on Common Criteria (EUCC).
The EUCC scheme is voluntary. ICT suppliers who want to demonstrate a proven level of assurance can have their products evaluated and certified through a single assessment process that is understood in the same way across the EU. In scope are ICT products such as technological components (chips, smartcards), hardware and software.
The scheme is based on the time-proven SOG-IS Common Criteria evaluation framework already used across 17 EU Member States. It offers two assurance levels, 'substantial' and 'high', chosen according to the risk associated with the intended use of the product, service or process, expressed as the probability and impact of an incident.
Implementing Act for EUCC
Implementing Act for the Common Criteria-based cybersecurity certification scheme (EUCC)
The Commission published on October 3, 2023 the draft Implementing Act on EUCC and its annexes for public consultation. After the public consultation ended on October 31, 2023, the Commission published the final reworked Implementing Act (EUCC Implementing Act) on January 31, 2024.
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union and shall apply from 12 months after entry into force.
Chapter IV and Annex V shall apply from the date of the entry into force of this Regulation.
State-of-the-Art documents for EUCC
To support the Implementing Act on the European Cybersecurity Certification Scheme on Common Criteria (EUCC), ENISA is publishing the state-of-the-art (SoA) documents listed in Annex I of the Implementing Act. They clarify how the requirements are to be understood for specific scopes of assessment. As defined in the Implementing Act, a 'state-of-the-art document' is a document that specifies evaluation methods, techniques and tools applicable to the certification of ICT products, or security requirements for a generic ICT product category, in order to harmonise evaluation within technical domains or for protection profiles.
This documentation has been endorsed by the ECCG, the group gathering the EU representatives of the National Cybersecurity Certification Authorities. Some of the following documents are updated versions of SOG-IS Supporting Documents; where that is the case, the document references the SOG-IS original it replaces.
| Title | Version | Comments |
| --- | --- | --- |
| Accreditation of ITSEFs for the EUCC | V1.1 | This version has been adopted with the EUCC Implementing Act. |
| Draft - Accreditation of ITSEFs for EUCC and ECCG opinion | v1.6b | This draft version of the state-of-the-art document is published for information only. After endorsement by the ECCG, it has been submitted for inclusion in the list of applicable state-of-the-art documents in Annex I of Commission Implementing Regulation (EU) 2024/482. It has received a positive opinion from the ECCG but has not yet been adopted by the Commission via an amendment of Implementing Regulation (EU) 2024/482. State-of-the-art documents only become applicable and legally binding following their inclusion in the Implementing Regulation and in line with the transition rules specified by that Regulation. This document should therefore not yet be considered final or legally binding. Furthermore, changes might be introduced in state-of-the-art documents in the context of the comitology procedure. |
| Draft - Accreditation of CBs for EUCC and ECCG opinion | v1.6a | This draft version of the state-of-the-art document is published for information only. After endorsement by the ECCG, it has been submitted for inclusion in the list of applicable state-of-the-art documents in Annex I of Commission Implementing Regulation (EU) 2024/482. It has received a positive opinion from the ECCG but has not yet been adopted by the Commission via an amendment of Implementing Regulation (EU) 2024/482. State-of-the-art documents only become applicable and legally binding following their inclusion in the Implementing Regulation and in line with the transition rules specified by that Regulation. This document should therefore not yet be considered final or legally binding. Furthermore, changes might be introduced in state-of-the-art documents in the context of the comitology procedure. |
Guidelines for EUCC
Guidelines support the EUCC scheme and provide recommendations on implementing the scheme's provisions to developers of ICT products and protection profiles, as well as to conformity assessment bodies (both IT Security Evaluation Facilities, ITSEFs, and Certification Bodies, CBs).
| Title | Version | Comments |
| --- | --- | --- |
| EUCC Guidelines Authorisation of CABs and ECCG opinion | v0.7 | These guidelines have been endorsed by the ECCG as a basis for a future state-of-the-art document. |
| EUCC Guidelines on Cryptography and ECCG opinion | v0.2 | These guidelines refer to "SOG-IS Crypto Evaluation Scheme Agreed Cryptographic Mechanisms", available at: https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.3.pdf |
Register of Protection Profiles
The following protection profiles have been certified at AVA_VAN levels 4 and 5 and/or are recommended for ICT products covered by the technical domains defined in Annexes II and III of the EUCC Implementing Regulation.
Access to SOG-IS - Protection Profiles