Spain’s national security framework (ENS) update will make Common Criteria a requirement for some IT products intended for the Spanish government.
The Spanish government will require the Common Criteria certification or equivalent for IT components which will be used in information systems classified as “high security” by the national security framework (ENS).
The latest modification of the Spanish national security framework (ENS) at the end of 2015 contains significant changes for providers of the Spanish government’s hardware and software products. The ENS update (Royal Decree 951/2015 of 23rd of October) establishes three levels of security (low, medium and high) for all IT products used in public administration. In the case of systems, products or equipment classified as high security, the decree update indicates that the administration will give preference to IT products for which security has been evaluated and certified by independent bodies according to the ISO/IEC 15408 standard (Common Criteria) or an equivalent.
In the near future, the national cryptologic centre (CCN) will be in charge of formally indicating the level of Common Criteria certification required for each type of product. As a general rule, the CCN has indicated that they will require a Common Criteria certificate with the protection profile applicable to each type of product
. For products without a defined protection profile, a level EAL 2 CC evaluation will be required, in which the main security functionality of the product will be evaluated.
Applus+ laboratory is accredited by the CCN for carrying out Common Criteria evaluations. Our experts can advise you about the Common Criteria certification process and about the type of security evaluation applicable to your product in order to comply with the national security framework.