EU Cybersecurity Certification Scheme on Common Criteria (EUCC)
The European Commission adopted the implementing regulation concerning the EU cybersecurity certification scheme on Common Criteria (EUCC).
The new EUCC scheme is voluntary. It allows ICT suppliers who wish to showcase proof of assurance to go through a commonly understood EU assessment process to certify ICT products such as technological components (chips, smartcards), hardware and software.
The scheme is based on the time-proven SOG-IS Common Criteria evaluation framework already used across 17 EU Member States. It proposes two levels of assurance based on the level of risk associated with the intended use of the product, service or process, in terms of probability and impact of an accident.
Implementing Act for EUCC
Implementing Act for the Common Criteria-based cybersecurity certification scheme (EUCC)
On October 3, 2023, the Commission published the draft Implementing Act on EUCC and its annexes for public consultation. After the public consultation ended on October 31, 2023, the Commission published the final reworked Implementing Act (EUCC Implementing Act) on January 31, 2024.
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union and shall apply from 12 months after entry into force.
Chapter IV and Annex V shall apply from the date of the entry into force of this Regulation.
State-of-the-Art documents for EUCC
To support the Implementing Act on the European Cybersecurity Certification Scheme on Common Criteria, EUCC, ENISA is publishing the related state-of-the-art documents listed in its Annex I to clarify the understanding of requirements on specific scopes of assessment. As mentioned in the Implementing Act, a ‘state-of-the-art document’ is a document which specifies evaluation methods, techniques and tools that apply to the certification of ICT products or security requirements of a generic ICT product category in order to harmonize evaluation in technical domains or of protection profiles.
This documentation has been endorsed by the ECCG, the group gathering the EU representatives of the National Cybersecurity Certification Authorities. Some of the following documents are updated versions of the SOG-IS supporting documents; in such cases the document refers to the SOG-IS one.
State-of-the-art documents related to the harmonised accreditation of conformity assessment bodies:
| Title | Version | Date of Publication |
| | V1.1 | 31/01 |
State-of-the-art documents related to the Technical Domain Smart cards and similar devices:
State-of-the-art documents related to the Technical Domain Hardware devices with security boxes:
| Title | Version |
| Minimum ITSEF requirements for security evaluations of hardware devices with security boxes | V1.1 |
| ‘Application of Attack Potential to hardware devices with security boxes’ | V1.2 |
| | V1.1 |