Applus+ provides security evaluation services for obtaining the LINCE certification, enabling IT products to be included in the Spanish CPSTIC Catalogue


What is LINCE certification and how do I achieve it?

LINCE, which stands for Certificación Nacional Esencial de Seguridad (Essential National Security Certification), was developed by the Spanish National Crytologic Centre, known as the CCN (Centro Criptológico Nacional). It was developed to fill the need for a lighter evaluation method than Common Criteria, one more suitable for the products that manage sensitive information but without such a high level of threat. 

The CCN acts as the certification body for the LINCE scheme, which certifies that a product has successfully passed an authorized security evaluation. This certification enables the product to be included in the Spanish STIC Product Catalogue. The evaluation has the following requirements:

  • It must analyze the extent to which the product complies with the fundamental security requirements defined in the guidelines [CCN-STIC-140]
  • It must measure the resilience of the product’s security functions
  • It must be orientated towards vulnerability analysis and penetration testing
  • It must be carried out within a predefined timeframe and with a predefined workload

LINCE Certification consists of a base package and the following two optional modules, which allow for increased security assurance:

  • Cryptographic Evaluation Module, or MEC (Módulo de Evaluación Criptográfica), which functionally evaluates the cryptographic mechanisms implemented in a product
  • Source Code Review Module, or MCF (Módulo de Revisión de Código Fuente), which allows the product to be evaluated at greater depth with a ‘white box’ evaluation of the source code 

Consequently, all of the following are combinations of assessment can be undertaken as part of the LINCE Certification scheme:

  • Basic: LINCE Assessment
  • Basic + MEC: LINCE Assessment + Cryptographic Assessment
  • Basic + MCF: LINCE Assessment + Source Code Review
  • Basic + MEC + MCF: LINCE Assessment + Cryptographic Assessment + Source Code Review

As a rule, LINCE assessments should be carried out with estimated workloads of around 25 working days for one person, and should take no longer than a maximum of 8 weeks to complete. 

For the optional modules (MEC and MCF), an additional 5 working days and 2 weeks’ maximum duration are added for each of the modules.  Including the two modules, a LINCE certification must be carried out within 35 working days for one person, with a maximum duration of 12 weeks.

What is the Catalogue of ICT Security Products (CPSTIC)?

The Catalogue is the list of ICT security products recommended by the Products and Technologies Department of the National Cryptologic Centre, or CCN-PYTEC (Departamento de Productos y Tecnologías del Centro Criptológico Nacional), to be used by the Spanish Administration in the protection of its IT assets. 

All of the products listed have been evaluated under cybersecurity certification schemes by accredited and independent laboratories—and under the supervision of the CCN—to ensure that they meet the highest security standards.

The catalogue aims to be a reference for the Spanish public sector, and the companies that provide services to it, in the tendering and purchasing of ICT products. For this, the catalogue makes a distinction between two types of products:

QUALIFIED PRODUCTS, which have certified security functionalities and are suitable for use in systems which comply with the Spanish National Security Scheme, or ENS (Esquema Nacional de Seguridad) in the High and Medium categories. Basic category products are not included in the Catalogue

APPROVED PRODUCTS, which are approved for use in systems managing classified information.

LINCE certification provides access to the STIC catalogue of ENS Medium Category qualified products, while Common Criteria certification provides access to ENS High Category. For more information on inclusion in the catalogue of High Category qualified products, please refer to our STIC Catalogue Guide.

*Except in special cases

Applus+ Laboratories: Experts in Cybersecurity Evaluations

Our various IT laboratories have all the required resources and accreditations for evaluating cybersecurity, as well as extensive, proven experience in security assessments and certification processes. For more information on the optimal route for your product to be included in the ICT security product catalogue, get in touch with our experts.


Applus+ uses first-party and third-party cookies for analytical purposes and to show you personalized advertising based on a profile drawn up based on your browsing habits (eg. visited websites). You can accept all cookies by pressing the "Accept" button or configure or reject their use. Consult our Cookies Policy for more information.

Cookie settings panel