Skip to main content

EUCC Certification Scheme

Common Criteria-based Cybersecurity Certification Scheme (EUCC) EUCC Scheme dedicated to certifying ICT products such as hardware and software products and components is published!

EU Cybersecurity Certification Scheme on Common Criteria (EUCC)

The European Commission adopted the implementing regulation concerning the EU cybersecurity certification scheme on Common Criteria (EUCC).

Voluntary-based, the new EUCC scheme allows ICT suppliers who wish to showcase proof of assurance to go through an EU commonly understood assessment process to certify ICT products such as technological components (chips, smartcards), hardware and software.

The scheme is based on the time-proven SOG-IS Common Criteria evaluation framework already used across 17 EU Member States. It proposes two levels of assurance based on the level of risk associated with the intended use of the product, service or process, in terms of probability and impact of an accident.

Implementing Act for EUCC

Implementing Act for the Common Criteria-based cybersecurity certification scheme (EUCC)

The Commission published on October 3, 2023 the draft Implementing Act on EUCC and its annexes for public consultation. After the public consultation ended on October 31, 2023, the Commission published the final reworked Implementing Act (EUCC Implementing Act) on January 31, 2024.

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union and shall apply from 12 months after entry into force.

Chapter IV and Annex V shall apply from the date of the entry into force of this Regulation.

EUR-Lex

State-of-the-Art documents for EUCC

To support the Implementing Act on the European Cybersecurity Certification Scheme on Common Criteria, EUCC, ENISA is publishing the related state-of-the-art (SoA) documents listed in its Annex I to clarify the understanding of requirements on specific scopes of assessment. As mentioned in the Implementing Act, a ‘state-of-the-art document’ is a document which specifies evaluation methods, techniques and tools that apply to the certification of ICT products or security requirements of a generic ICT product category in order to harmonize evaluation in technical domains or of protection profiles.

 

This documentation has been endorsed by the ECCG, the group gathering the EU representatives of the National Cybersecurity Certification Authorities. Some of the following documents are updated versions of the SOG-IS Supporting documents, in this case the document refers to the SOG-IS one.

Guidelines for EUCC

Guidelines are supporting the EUCC scheme and provide recommendations to developers of ICT products and protection profiles, as well as conformity assessment bodies (both ITSEFs and CBs) regarding the implementation of the scheme's provisions.

Register of Protection Profiles

The following protection profiles have been certified at AVA_VAN level 4 and 5 and/or are recommended for ICT products covered by the above mentioned technical domains as defined in Annexes 2 and 3 of the EUCC Implementing Regulation.