The Common Criteria-based European Cybersecurity Certification Scheme (EUCC) is a certification scheme created under the Cybersecurity Act (CSA).
The aim of the CSA is to improve cybersecurity across a wide range of digital products, services and processes. It also establishes a unified approach to cybersecurity certification in the European internal market.
Reasons for certification
Certificates give businesses and individual consumers accurate information regarding the security assurance of their certified ICT products, services and processes. Although certification does not mean that a product, service or process is cyber-secure (and this is stated explicitly), a certificate does demonstrate compliance with the criteria of the cybersecurity scheme.
European cybersecurity certification is voluntary, in principle, but can be made mandatory by other EU law, or in member state law adopted in accordance with EU law. This could be the case for general cybersecurity requirements in specific EU and/or member state law which are presumed to be met if a valid certificate can be provided.
The scheme’s certificates are applicable across the EU and valid in all member states.
The EUCC scheme
The EUCC scheme is the first certification scheme developed under the CSA. It is based on the international Common Criteria standard (ISO/IEC 15408), which was designed for carrying out independent security evaluations. The Common Criteria (CC) does this by providing a common set of requirements for the security functionality of ICT products and the assurance measures applied to these products during a security evaluation. These ICT products may be implemented in hardware, firmware or software.
The Common Criteria standard has proven particularly effective in Europe for the security evaluation and certification of integrated circuits and smartcards. It has led to enhanced security for electronic signature devices, ID documents such as passports, banking cards and digital tachographs. Furthermore, it has been widely used to certify ICT networking products as well as software products.
The EUCC scheme was created by drawing on the decades of experience gained through national Common Criteria schemes operating under the Senior Officials Group on Information Systems Security (SOG-IS). It can support the certification of many different types of generic and sector-specific ICT products, and is therefore a horizontal scheme rather than one tied to a single sector. Users of the scheme may establish Protection Profiles to express their security requirements for a specific type of ICT product.
The EUCC covers the certification of ICT products based on the Common Criteria and the Common Methodology for Information Technology Security Evaluation, and their corresponding standards (ISO/IEC 15408 and ISO/IEC 18045 respectively).
The EUCC scheme allows for the cybersecurity certification of ICT products according to the Common Criteria. It covers any type of ICT product that includes a meaningful set of security functional requirements, as defined in the Common Criteria. It does not cover conformity self-assessment or certification of production or development sites.
In addition, the EUCC scheme provides the option of covering the certification of Protection Profiles.
In Common Criteria certification the Evaluation Assurance Level (EAL) is normally the leading indicator, but the starting point for EUCC certification is the chosen Vulnerability Analysis level (AVA_VAN). The AVA_VAN level is always shown on the certificate. An EAL is not mandatory for EUCC certification, but is shown on the certificate if it falls within the scope of certification.
For ICT products that are not covered by a Technical Domain, certification above AVA_VAN.3 is only possible on the basis of a specific Protection Profile that has been certified and endorsed as ‘state-of-the-art’ under the EUCC scheme and that includes mandatory guidance for the specific evaluation methodology.