EUCC: Towards a new EU Common Criteria Scheme


    What is the EUCC?

    The European Common Criteria-based cybersecurity certification scheme (EUCC) is established under the European Commission's Implementing Act Regulation (EU) 2024/482, related to Regulation (EU) 2019/881, commonly known as the Cybersecurity Act (CSA).

    The EUCC is the first scheme created under the CSA requirements. Some other schemes are still being put together: particularly, in particular the EU5G and the EUCS. And, with more to come!

    The EUCC scheme is designed to set the rules and obligations, as well as the structure, for certifying information and communication technology (ICT) products. The scheme leverages established international standards, notably the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) and the Common Evaluation Methodology (ISO/IEC 18045) and mandates third-party conformity assessments by accredited ITSEFs.

    Certificates will be valid for a maximum of five years unless this period is extended with the authorisation of an NCCA (National Cybersecurity Certification Authority).

    Assurance Levels:

    The EUCC uses the Common Criteria’s vulnerability assessment family (AVA_VAN), components 1 to 5. This component will be indicating the CSA level of Substantial and High as follows:

    Relevant EUCC insights to consider:

    Along with the changes introduced by the EUCC, there are some significant aspects that need to be considered beyond the existing practices of current National Common Criteria schemes:

    • Patch management: Patch management is the mechanism that involves the systematic installation of updates (patches) in the ICT products. The primary goal of patch management is to ensure that systems and applications are up-to-date and protected against known security threats and vulnerabilities, thereby complying with the assurance continuity principle.

      Patch management can be included in the scope of evaluation and will be evaluated as such. These mechanisms in scope will allow for pushing security updates to the developer’s product while maintaining the issued certificate.

      Experts in cybersecurity from jtsec (an Applus+ Laboratories company) collaborated to present a thorough model of the patch management mechanism into Common Criteria. Please refer to the latest version of ISO SC27 WG3 Technical Report “Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045”.


    • Vulnerability handling process: Under the EUCC framework, entities possessing EUCC certificates are required to establish and execute detailed vulnerability management protocols.

      This involves the developer generating vulnerability monitoring and flaw remediation processes and effectively communicating the results to stakeholders.

      Market surveillance and active monitoring will be in place to detect the products in the market that have any vulnerability that may affect the certificate status.


    • Information for certification:
      • Applicants shall prepare and publicly provide:
      • guidance and recommendations to assist end users with the secure configuration, installation, deployment, operation, and maintenance of the ICT products or ICT services;
      • the period during which security support will be offered to end users;
      • contact information of the manufacturer or provider;
      • procedures or methods for receiving vulnerability information from end users and security researchers;
      • a reference to online repositories listing publicly disclosed vulnerabilities and security advisories related to the ICT product, service, or process.


    • State-of-the-art documents: State of the art for EUCC compliance documents are published in ENISA documents and in Annex I, II, and III of the EUCC Implementing Act. Some of them are leveraged from the Common Criteria scheme. Stay tuned!


    Is EUCC Compliant with the upcoming CRA?

    The EUCC scheme and the Cyber Resilience Act (CRA) work in tandem to present compliance, however, achieving complete adherence to the CRA requires further actions in EUCC. Applus+ Laboratories helps ENISA to identify and analyze the gap between the two regulations and the EUCC workarounds to comply with CRA.

    Applus+ Laboratories is in the final stages of becoming one of the first accredited and authorized EUCC laboratories (ITSEF) for the CSA levels of Substantial and High. For more information on the EUCC certification scheme and its relationship with the existing Common Criteria, the Cybersecurity Resilience Act, and the upcoming steps related to different cybersecurity regulations being implemented by the EU, please feel free to contact us.

    Applus+ uses first-party and third-party cookies for analytical purposes and to show you personalized advertising based on a profile drawn up based on your browsing habits (eg. visited websites). You can accept all cookies by pressing the "Accept" button or configure or reject their use. Consult our Cookies Policy for more information.

    Cookie settings panel