
EUCC Certification Scheme

Common Criteria-based Cybersecurity Certification Scheme (EUCC): the EUCC scheme, dedicated to certifying ICT products such as hardware and software products and components, is published!

EU Cybersecurity Certification Scheme on Common Criteria (EUCC)

The European Commission adopted the implementing regulation concerning the EU cybersecurity certification scheme on Common Criteria (EUCC).

Voluntary-based, the new EUCC scheme allows ICT suppliers who wish to showcase proof of assurance to go through an EU commonly understood assessment process to certify ICT products such as technological components (chips, smartcards), hardware and software.

The scheme is based on the time-proven SOG-IS Common Criteria evaluation framework already used across 17 EU Member States. It proposes two levels of assurance based on the level of risk associated with the intended use of the product, service or process, in terms of probability and impact of an accident.

Implementing Act for EUCC & Amendments

Implementing Act for the Common Criteria-based cybersecurity certification scheme (EUCC)

The Commission published on October 3, 2023 the draft Implementing Act on EUCC and its annexes for public consultation. After the public consultation ended on October 31, 2023, the Commission published the final reworked Implementing Act (EUCC Implementing Act) on January 31, 2024.

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union and shall apply from 12 months after entry into force.

Chapter IV and Annex V shall apply from the date of the entry into force of this Regulation.

Initial EUCC Implementing Act

Amendments

Amendment of December 2024

The EUCC has been amended by Commission Implementing Regulation (EU) 2024/3144 of 18 December 2024 to:

  • Introduce a new state-of-the-art document related to the accreditation of certification bodies (CBs);
  • Amend an existing state-of-the-art document related to the accreditation of cybersecurity testing facilities (ITSEFs);
  • Make several changes to the main EUCC text.

Amendment of December 2025

A second amendment of EUCC has been adopted on 8 December 2025 as regards definitions, ICT product series certification, assurance continuity and state-of-the-art documents.

EUCC Certification Brand Book

The Commission's Brand Book provides guidance for the design of the cybersecurity certification mark and labels, in line with the EUCC Commission Implementing Regulation (EU) 2024/482.

EUCC Brand Book

State-of-the-Art documents for EUCC

To support the Implementing Act on the European Cybersecurity Certification Scheme on Common Criteria, EUCC, ENISA is publishing the related state-of-the-art (SotA) documents listed in its Annex I to clarify the understanding of requirements on specific scopes of assessment. As mentioned in the Implementing Act, a ‘state-of-the-art document’ is a document which specifies evaluation methods, techniques and tools that apply to the certification of ICT products or security requirements of a generic ICT product category in order to harmonize evaluation in technical domains or of protection profiles.

State-of-the-art documents may have 2 different statuses.

  • The first is “final”, which indicates that the document has been adopted with the EUCC Implementing Act or its amendments.
  • The second is “draft”. State-of-the-art documents labelled as “drafts” have been endorsed by the ECCG as per the linked opinion, and are planned for inclusion in Annex 1 of an upcoming amendment of the scheme.

General EUCC level SotAs

| Title | Version | Comments |
|---|---|---|
| Accreditation of ITSEFs for EUCC | v1.6c | This version has been adopted with the EUCC amendment of Dec 2024 and is applicable for accreditations that are newly issued or reviewed after 8 July 2025. |
| Accreditation of CBs for EUCC | v1.6b | This version has been adopted with the EUCC amendment of Dec 2024. |

SotA on Technical Domain Smart Cards & Similar Devices

| Title | Versions | Comments |
|---|---|---|
| Minimum ITSEF requirements for security evaluations of smart cards and similar devices | V1.1 | |
| Minimum Site Security Requirements | V2 | This final version has been adopted with the EUCC amendment of Dec 2025. |
| Application of Common Criteria to integrated circuits | V2 | This final version has been adopted with the EUCC amendment of Dec 2025. |
| Security Architecture Requirements for Smart Cards and Similar Devices | V1.1 | |
| Certification of “open” smart card products | V1.1 | |
| Composite product evaluation for smart cards and similar devices for CC3.1 | V2 | This final version has been adopted with the EUCC amendment of Dec 2025. |
| Composite product evaluation and certification for CC:2022 | V1 | Feb. 25 |
| Application of Attack Potential to Smartcards | V2 | This final version has been adopted with the EUCC amendment of Dec 2025. |
| Formal methods: transition from CC v3.1 to CC:2022 | v1.1 | This final version has been adopted with the EUCC amendment of Dec 2025. |
| Star Methodology | v1 | This final version has been adopted with the EUCC amendment of Dec 2025. |

SotA on Technical Domain Hardware Devices with Security Boxes

| Title | Version | Comments |
|---|---|---|
| Minimum ITSEF requirements for security evaluations of Hardware devices with security boxes | V1.1 | |
| Application of attack potential to hardware devices with security boxes | V2 | This final version has been adopted with the EUCC amendment of Dec 2025. |
| Minimum Site Security Requirements | V2 | This final version has been adopted with the EUCC amendment of Dec 2025. |
| Star Methodology | v1 | This final version has been adopted with the EUCC amendment of Dec 2025. |

Interpretations of Protection Profiles (PP)

| Title | Version | Date |
|---|---|---|
| Hardware assessment in EN 419221-5 (HSM PP) | V1 | This final version has been adopted with the EUCC amendment of Dec 2025. |
| Digital Tachograph Motion Sensor PP Clarifications | V1 | This final version has been adopted with the EUCC amendment of Dec 2025. |
| Security Evaluation and Certification of Qualified Electronic Signature/Seal Creation Devices | V1 | This final version has been adopted with the EUCC amendment of Dec 2025. |

Guidelines for EUCC

Guidelines support the EUCC scheme and provide recommendations to developers of ICT products and protection profiles, as well as conformity assessment bodies (both ITSEFs and CBs), regarding the implementation of the scheme's provisions.

Note: checklists and templates of reports supporting SotA documents are published together with these SotAs.

Guidelines

| Title | Version | Comments |
|---|---|---|
| EUCC Guidelines Authorisation of CABs and ECCG opinion | v0.7 | These guidelines have been endorsed by ECCG in view of working on a future state-of-the-art document. |
| EUCC Guidelines on Cryptography | v.2 | This new version 2 provides a significant update with recommendations on post-quantum cryptographic (PQC) mechanisms. |
| EUCC Guidelines on Cryptography and ECCG opinion | v0.2 | These guidelines refer to “SOG-IS Crypto Evaluation Scheme Agreed Cryptographic Mechanisms”, available at: https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.3.pdf |
| EUCC Guidelines on Vulnerability Management and Disclosure and ECCG opinion | v1.1 | These guidelines have been endorsed by ECCG in December 2024 and adopted via written procedure on 10th of January 2025 in view of working on a future state-of-the-art document. |
| EUCC guidelines: evaluation methodology for product series | v1 | These guidelines are developed with the support of the ECCG sub-group on EUCC maintenance and review. |
| EUCC Guidelines on assurance continuity - practical change scenarios for certified ICT products | v1 | These guidelines on minor and major changes to certified EUCC products are developed with the support of the ECCG sub-group on EUCC maintenance and review. |

Register of Protection Profiles

The following protection profiles have been certified at AVA_VAN level 4 and 5 and/or are recommended for ICT products covered by the above-mentioned technical domains as defined in Annexes 2 and 3 of the EUCC Implementing Regulation.

SOG-IS Protection Profiles