Skip to main content
News article26 May 2021European Union Agency for Cybersecurity2 min read

Crossing a bridge: the first EU cybersecurity certification scheme is availed to the Commission

The European Union Agency for Cybersecurity formally transmits to the European Commission the first candidate cybersecurity certification scheme on Common Criteria.

In July 2019, the EUCC was the first candidate cybersecurity certification Scheme request received by the EU Agency for Cybersecurity (ENISA) under the Cybersecurity Act.

This scheme aims to serve as a successor to the currently existing schemes operating under the SOGIS MRA (Senior Officials Group Information Systems Security Mutual Recognition Agreement).

It covers the certification of ICT products, using the Common Criteria ISO/IEC 15408 and is the foundation of a European Cybersecurity certification framework. The latter will consist of several schemes that it is expected to gradually increase trust in ICT products, services and processes certified under these schemes and reduce the costs within the Digital Single Market.

ENISA has developed it with the support of an Ad Hoc Working Group composed of outstanding cybersecurity certification experts, and members of the European Cybersecurity Certification Group (ECCG), that is composed of representatives of the EU Member States.

This scheme was originally published on 1 July 2020 and it was put for consultation which allowed certification actors and interested parties to provide their feedback through a dedicated survey. The results of this public consultation and the revised scheme can be downloaded from the following links:

ENISA Report - Public Consultation on the draft Candidate EUCC Scheme

Cybersecurity Certification: Candidate EUCC Scheme V1.1.1

Key points of the public consultation outcome

  • Confirms the intent of certification stakeholders to use the scheme in the internal market, when it is made available;
  • stakeholders encourage ENISA to further develop guidance to support the implementation and execution of the scheme;
  • stakeholders indicated some elements of the scheme that needed to be adjusted or fixed, such as conditions or timelines for the maintenance of certificates, the monitoring and handling of non-compliances or vulnerabilities.

Key recommendations to ENISA

Further to the candidate scheme ENISA has supported the EU cybersecurity certification framework to:

  1. Develop a communications plan targeting consumers to support the implementation of the EUCC scheme and ensure they are well informed in what cybersecurity certification of ICT products entails;
  2. Ease the participation of interested EU Member States newcomers to cybersecurity certification to participate to the EUCC scheme by providing a dedicated training programme;
  3. Establish a transition project in order to provide and ensure the best conditions for a smooth transfer from the current national SOG-IS activities to the current EUCC.

The Agency has currently transmitted the candidate EUCC scheme v.1.1.1 to the Commission in line with the provisions of Article 49 (6, 7) of Regulation (EU) 2019/881 (Cybersecurity Act). The Commission will initiate a Commission Implementing Regulation that may be adopted.

ENISA has advanced in the development of a second candidate scheme, related to cloud services. This EU Cloud Services cybersecurity certification scheme was in its first draft published for public consultation at the end of December 2020. Documents related to public consultation of the candidate Cloud Services scheme are available on the page dedicated to Public Consultations on Cybersecurity Candidate Schemes.

Furthermore, ENISA is about to launch the call for an AHWG for the preparation of an EU cybersecurity certification scheme on 5G soon.

For further information

Announcement of the public consultation  for First Candidate Cybersecurity Certification Scheme

Original draft of the Candidate EUCC Scheme


Publication date
26 May 2021
European Union Agency for Cybersecurity