The EUCC (Common Criteria-based European Cybersecurity Certification Scheme) is a certification scheme created under the Cybersecurity Act (CSA). The aim of the CSA is to improve cybersecurity across a wide range of digital products, services and processes. It also establishes a unified approach to cybersecurity certification in the European internal market.
Reasons for certification
Certificates give businesses and individual consumers accurate information regarding the security assurance of their certified ICT-products, services and processes. Although certification does not mean that a product, service or process is cyber-secure (and this is stated explicitly), a certificate does demonstrate compliance with the criteria of the cybersecurity scheme.
European cybersecurity certification is voluntary, in principle, but can be made mandatory by other EU law, or in member state law adopted in accordance with EU law. This could be the case for general cybersecurity requirements in specific EU and/or member state law which are presumed to be met if a valid certificate can be provided.
The scheme’s certificates are applicable across the EU and valid in all member states.
The EUCC scheme
The EUCC scheme is the first scheme developed under the CSA. It is based on the international Common Criteria standard (ISO/IEC 15408), which was designed for carrying out independent security evaluations. The Common Criteria (CC) does this by providing a common set of requirements for the security functionality of ICT-products and the assurance measures applied to these products during a security evaluation. These ICT-products may be implemented in hardware, firmware or software.
The Common Criteria standard has proven to be particularly effective in Europe for the security evaluation and certification of integrated circuits and smartcards. It has led to enhanced security for electronic signature devices, ID documents such as passports, banking cards and digital tachographs. Furthermore, it has been widely used to certify ICT networking products as well as software products.
The EUCC scheme was created by utilising the decades of experience gained through national Common Criteria schemes operating under the Senior Officials Group on Information Systems Security (SOG-IS). It can support the certification of many different types of generic and sector-specific ICT-products. As such, it is more of a horizontal scheme. Users of the scheme may establish Protection Profiles to express their security requirements for a specific type of ICT-product.
The EUCC covers the certification of ICT-products based on the Common Criteria, the Common Methodology for Information Technology Security Evaluation and the corresponding standards (ISO/IEC 15408 and ISO/IEC 18045 respectively).
The EUCC scheme allows for the cybersecurity certification of ICT-products according to the Common Criteria. It covers any type of ICT-product that includes a meaningful set of security functional requirements, as defined in the Common Criteria. It does not cover conformity self-assessment or certification of production or development sites.
In addition, the EUCC scheme provides the option of covering the certification of Protection Profiles.
Normally the Evaluation Assurance Level (EAL) is the leading parameter in Common Criteria certification, but the starting point for EUCC certification is the chosen Vulnerability Analysis level (AVA_VAN). The AVA_VAN level will always be shown on the certificate. An EAL is not mandatory for EUCC certification, but will be shown on the certificate if it is within the scope of certification.
Certification above AVA_VAN.3 for ICT-products that are not covered by a Technical Domain will only be possible on the basis of a specific Protection Profile that has been certified under the EUCC scheme and endorsed as ‘state-of-the-art’, and that includes mandatory guidance on the specific evaluation methodology.
The EUCC scheme is currently awaiting final adoption. This means that no certificates are issued in the Netherlands under the EUCC at present. Once certificates are issued, a complete overview of them will be published on this website.
Certification at which level?
The EUCC scheme covers a wide range of security requirements by offering two of the security assurance levels defined in the CSA: Substantial and High.
These CSA assurance levels are directly correlated to the AVA_VAN level that a product will be assessed at, and are not to be confused with the Evaluation Assurance Level (EAL).
EUCC certificates at the assurance level Substantial will correspond to certificates that include AVA_VAN levels 1 or 2. EUCC certificates at the assurance level High will correspond to certificates that include AVA_VAN levels 3 to 5. Higher assurance levels and AVA_VAN levels require more effort to evaluate across multiple dimensions: scope, rigor and depth. All dependencies that apply to the selected AVA_VAN level in accordance with the Common Criteria need to be applied and included in the applicable security assurance requirements for the evaluation.
How to apply for certification?
All manufacturers and providers who wish to assess the security quality of their ICT-products through third-party certification may apply for certification under the EUCC.
In the Netherlands there are Conformity Assessment Bodies (CABs) that only perform activities relating to certification, while evaluation activities are outsourced to external organisations, usually called IT Security Evaluation Facilities (ITSEFs). A CAB may also perform both evaluation and certification activities in-house.
Generally the first step is to select an ITSEF that is accredited (and also authorised if it carries out evaluations at the assurance level High). Where the ITSEF operates under multiple CABs, the CAB that will issue the certificate also needs to be chosen. In most cases, the ITSEF will only work under a single CAB, so in practice only the ITSEF needs to be selected. See the list of ITSEFs and CABs that are accredited and authorised in the Netherlands.
Once evaluation and certification contracts are in place with the ITSEF and CAB respectively, the CAB will handle the certification process, regardless of the chosen CSA assurance level.
At the assurance level High, the National Cybersecurity Certification Authority of the Netherlands will monitor the evaluation and certification steps.
Further details on the certification process at the assurance level High can be found here.
Currently there is an agreement between seventeen European member states to recognise each other's Common Criteria certificates. This recognition agreement was an initiative of the Senior Officials Group on the Security of Information Systems (SOG-IS), a working group of the European Commission. The EUCC is the successor of SOG-IS and extends recognition from these member states to a certificate that is recognised by all European member states. The introduction of the EUCC scheme therefore means that the SOG-IS recognition agreement will cease to exist.
In addition to SOG-IS, the Netherlands also participates in an international recognition agreement: the Common Criteria Recognition Agreement (CCRA). More information on the CCRA is available.
The NCCA of the Netherlands is committed to ensuring that the Netherlands remains a participant in this recognition agreement, so that EUCC certificates issued in the Netherlands will also be compliant with the CCRA and remain recognised internationally.
References and EUCC guidance documents
Links to EUCC guidance will be added here once they have been published by ENISA.