What is EUCC?
The EU Cybersecurity Act from 2019 introduces an EU-wide cybersecurity certification framework for ICT products, services and processes. Companies doing business in the EU will benefit from having to certify their ICT products, processes and services only once and see their certificates recognized across the European Union.
The cybersecurity certification framework for ICT products enables the creation of tailored and risk-based EU certification schemes.
Certification plays a crucial role in increasing trust and security in important products and services for the digital world. At the moment, a number of different security certification schemes for ICT products exist in the EU. But, without a common framework for EU-wide valid cybersecurity certificates, there is an increasing risk of fragmentation and barriers between Member States.
The certification framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. The framework will be based on agreement at EU level on the evaluation of the security properties of a specific ICT-based product or service. It will attest that ICT products and services that have been certified in accordance with such a scheme comply with specified requirements.
In particular, each European scheme should specify:
- the categories of products and services covered;
- the cybersecurity requirements, such as standards or technical specifications;
- the type of evaluation, such as self-assessment or third party;
- the intended level of assurance.
The assurance levels inform users of the cybersecurity risk of a product and can be basic, substantial or high. They are commensurate with the level of risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident. A high assurance level means that the certified product has passed the most rigorous security evaluation. Recital (86) of the Cybersecurity Act puts it as follows:
(86) The assurance level of a European certification scheme is a basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme. In order to ensure the consistency of the European cybersecurity certification framework, a European cybersecurity certification scheme should be able to specify assurance levels for European cybersecurity certificates and EU statements of conformity issued under that scheme. Each European cybersecurity certificate might refer to one of the assurance levels: ‘basic’, ‘substantial’ or ‘high’, while the EU statement of conformity might only refer to the assurance level ‘basic’. The assurance levels would provide the corresponding rigour and depth of the evaluation of the ICT product, ICT service or ICT process and would be characterised by reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to mitigate or prevent incidents. Each assurance level should be consistent among the different sectorial domains where certification is applied.
The resulting certificate will be recognised in all EU Member States, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service.
The European Cybersecurity Certification Group (ECCG) was established to help ensure the consistent implementation and application of the Cybersecurity Act.
The ECCG has the following tasks:
- to advise and assist the Commission in its work to ensure the consistent implementation and application of the Cybersecurity Act, in particular regarding the Union rolling work programme, cybersecurity certification policy issues, the coordination of policy approaches, and the preparation of European cybersecurity certification schemes;
- to assist, advise and cooperate with ENISA in relation to the preparation of a candidate scheme;
- to adopt an opinion on candidate schemes prepared by ENISA;
- to request ENISA to prepare candidate schemes;
- to adopt opinions addressed to the Commission relating to the maintenance and review of existing European cybersecurity certification schemes;
- to examine relevant developments in the field of cybersecurity certification and to exchange information and good practices on cybersecurity certification schemes;
- to facilitate the cooperation between national cybersecurity certification authorities under the Cybersecurity Act through capacity-building and the exchange of information, in particular by establishing methods for the efficient exchange of information relating to issues concerning cybersecurity certification;
- to support the implementation of peer assessment mechanisms in accordance with the rules established in a European cybersecurity certification;
- to facilitate the alignment of European cybersecurity certification schemes with internationally recognised standards, including by reviewing existing European cybersecurity certification schemes and, where appropriate, making recommendations to ENISA to engage with relevant international standardisation organisations to address insufficiencies or gaps in available internationally recognised standards.
The main provision of the CSA with regard to the present EUCC is Article 54 (Elements of European cybersecurity certification schemes), which reads as follows:
“A European cybersecurity certification scheme shall include at least the following elements:
- a. the subject matter and scope of the certification scheme, including the type or categories of ICT products, ICT services and ICT processes covered;
- b. a clear description of the purpose of the scheme and of how the selected standards, evaluation methods and assurance levels correspond to the needs of the intended users of the scheme;
- c. references to the international, European or national standards applied in the evaluation or, where such standards are not available or appropriate, to technical specifications that meet the requirements set out in Annex II to Regulation (EU) No 1025/2012 or, if such specifications are not available, to technical specifications or other cybersecurity requirements defined in the European cybersecurity certification scheme;
- d. where applicable, one or more assurance levels;
- e. an indication of whether conformity self-assessment is permitted under the scheme;
- f. where applicable, specific or additional requirements to which conformity assessment bodies are subject in order to guarantee their technical competence to evaluate the cybersecurity requirements;
- g. the specific evaluation criteria and methods to be used, including types of evaluation, in order to demonstrate that the security objectives referred to in Article 51 are achieved;
- h. where applicable, the information which is necessary for certification and which is to be supplied or otherwise be made available to the conformity assessment bodies by an applicant;
- i. where the scheme provides for marks or labels, the conditions under which such marks or labels may be used;
- j. rules for monitoring compliance of ICT products, ICT services and ICT processes with the requirements of the European cybersecurity certificates or the EU statements of conformity, including mechanisms to demonstrate continued compliance with the specified cybersecurity requirements;
- k. where applicable, the conditions for issuing, maintaining, continuing and renewing the European cybersecurity certificates, as well as the conditions for extending or reducing the scope of certification;
- l. rules concerning the consequences for ICT products, ICT services and ICT processes that have been certified or for which an EU statement of conformity has been issued, but which do not comply with the requirements of the scheme;
- m. rules concerning how previously undetected cybersecurity vulnerabilities in ICT products, ICT services and ICT processes are to be reported and dealt with;
- n. where applicable, rules concerning the retention of records by conformity assessment bodies;
- o. the identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products, ICT services and ICT processes, security requirements, evaluation criteria and methods, and assurance levels;
- p. the content and the format of the European cybersecurity certificates and the EU statements of conformity to be issued;
- q. the period of the availability of the EU statement of conformity, technical documentation, and all other relevant information to be made available by the manufacturer or provider of ICT products, ICT services or ICT processes;
- r. maximum period of validity of European cybersecurity certificates issued under the scheme;
- s. disclosure policy for European cybersecurity certificates issued, amended or withdrawn under the scheme;
- t. conditions for the mutual recognition of certification schemes with third countries;
- u. where applicable, rules concerning any peer assessment mechanism established by the scheme for the authorities or bodies issuing European cybersecurity certificates for assurance level ‘high’ pursuant to Article 56(6). Such mechanism shall be without prejudice to the peer review provided for in Article 59;
- v. format and procedures to be followed by manufacturers or providers of ICT products, ICT services or ICT processes in supplying and updating the supplementary cybersecurity information in accordance with Article 55.”
The EUCC scheme (Common Criteria based European candidate cybersecurity certification scheme) covers the certification of the cybersecurity of ICT products based on the Common Criteria and the Common Methodology for Information Technology Security Evaluation, and on the corresponding standards, ISO/IEC 15408 (Information security, cybersecurity and privacy protection – Evaluation criteria for IT security) and ISO/IEC 18045 respectively.
The Common Criteria have proven particularly effective over the last two decades in Europe for the certification of integrated circuits and smartcards, and have thereby contributed to raising the level of security of electronic signature devices and of means of identification such as passports, banking cards and tachographs for lorries. They have also been used intensively for the certification of the cybersecurity of ICT software products. This scheme will improve the conditions of the European Union Internal Market for ICT products and, as a result, also have positive effects on ICT services and ICT processes relying on such products. The candidate EUCC scheme addresses the requirements associated with the definition of a scheme, as set out in Article 49.1 of the CSA, which prescribes that the requirements of Articles 51, 52 and 54 of the CSA shall be met. In addition, it contains background information on the requirements that clarifies them and illustrates a particular choice or justifies a particular case, as expected by the CSA.
On 31 January 2024, the European Cybersecurity Scheme on Common Criteria (EUCC), drafted by the European Union Agency for Cybersecurity (ENISA), was adopted as the first scheme within the EU cybersecurity certification framework.
‘AVA_VAN level’ means an assurance vulnerability analysis level that indicates the degree of cybersecurity evaluation activities carried out to determine the level of resistance against potential exploitability of flaws or weaknesses in the target of evaluation in its operational environment as set out in the Common Criteria. The EUCC uses the Common Criteria’s vulnerability assessment family (AVA_VAN), components 1 to 5. EUCC certificates at assurance level ‘substantial’ shall correspond to certificates that cover AVA_VAN level 1 or 2. EUCC certificates at assurance level ‘high’ shall correspond to certificates that cover AVA_VAN level 3, 4 or 5.
AVA_VAN levels
- AVA_VAN.1 Vulnerability Survey: TOE resistance against BASIC Attack Potential (AP)
- AVA_VAN.2 (Unstructured) Vulnerability Analysis: TOE resistance against BASIC AP
- AVA_VAN.3 Focused (Unstructured) Vulnerability Analysis: TOE resistance against ENHANCED-BASIC AP
- AVA_VAN.4 Methodical Vulnerability Analysis: TOE resistance against MODERATE AP
- AVA_VAN.5 Advanced Methodical Vulnerability Analysis: TOE resistance against HIGH AP
An EUCC certificate shall at least contain:
- a. a unique identifier established by the certification body issuing the certificate;
- b. information related to the certified ICT product or protection profile and the holder of the certificate, including:
  - name of the ICT product or protection profile and, where applicable, of the target of evaluation;
  - type of ICT product or protection profile and, where applicable, of the target of evaluation;
  - version of the ICT product or protection profile;
  - name, address and contact information of the holder of the certificate;
  - link to the website of the holder of the certificate containing the supplementary cybersecurity information referred to in Article 55 of Regulation (EU) 2019/881;
- c. information related to the evaluation and certification of the ICT product or protection profile, including:
  - name, address and contact information of the certification body that issued the certificate;
  - where different from the certification body, name of the ITSEF which performed the evaluation;
  - name of the responsible national cybersecurity certification authority;
  - a reference to this Regulation;
  - a reference to the certification report associated with the certificate referred to in Annex V;
  - the applicable assurance level in accordance with Article 4;
  - a reference to the version of the standards used for the evaluation, referred to in Article 3;
  - identification of the assurance level or package specified in the standards referred to in Article 3 and in conformity with Annex VIII, including the assurance components used and the AVA_VAN level covered;
  - where applicable, reference to one or more protection profiles with which the ICT product or protection profile complies;
  - date of issuance;
  - period of validity of the certificate;
- d. the mark and label associated with the certificate in accordance with Article 11.
Latest updates on EUCC
The European Union Cybersecurity Certification Scheme (EUCC) faces several upcoming challenges:
- Patch management: Patch management involves the systematic installation of updates (patches) to ICT products. Its main objective is to ensure that systems and applications are up to date and protected against known security threats and vulnerabilities. This mechanism will allow security updates to be applied to the developer’s product while maintaining the issued certificate.
- Vulnerability management process: Entities holding EUCC certificates must establish and execute detailed vulnerability management protocols. This involves the developer generating vulnerability monitoring and bug fix processes and effectively communicating the results to stakeholders.
- Preparation for future schemes: As the first EU cybersecurity certification scheme to be adopted, the EUCC is expected to pave the way for upcoming schemes currently under preparation [17], such as the EU Certification scheme on Cloud Services and the EU 5G mobile network certification scheme.
These challenges represent opportunities to improve cybersecurity and trust in ICT products and services in the European Union.
More information: the EUCC scheme, the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) in the Official Journal of the European Union, and the European Cybersecurity Certification Group (ECCG).