Difference of assurance levels

In the matter of certification, the Cybersecurity Act offers three levels of assurance (basic, substantial and high), and the EUCC scheme covers two: substantial and high.

Assurance level substantial allows Conformity Assessment Bodies (CABs) accredited by a National Accreditation Body (NAB) to evaluate (as an ITSEF) and certify ICT products. At level high, authorisation by the National Cybersecurity Certification Authority (NCCA), in addition, is required to perform similar activities 

Private and public CABs

The EUCC scheme allows private CABs to operate both for evaluation and certification activities, whereas historically, within the Common Criteria SOG-IS scheme (which EUCC aims to replace), only public Certification Bodies (CBs) were delivering certificates (with the exception of one national scheme relying on the prior approval model). 

DEKRA has been accredited by ENAC, the Spanish National Accreditation Body (NAB) both as an ITSEF to perform EUCC evaluations and as a CB to deliver EUCC certificates, with the endorsement of the Technical Support Office of CCN (Centro Criptológico Nacional) , the Spanish NCCA. 

The first EUCC certificate at level substantial

DEKRA issued the first certificate at the substantial level, for GMV GNSS Cryptographic Module, which consists of a software library for the Linux platform whose primary purpose is to provide cryptographic services for GNSS client implementation. 

The newly delivered certificate is valid for 5 years and subject to supervision and monitoring by CCN and vulnerability management conditions defined by the EUCC scheme.