This document is an excerpt from the EUR-Lex website
Document 02024R0482-20250108
Consolidated text: Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (Text with EEA relevance)
02024R0482 — EN — 08.01.2025 — 001.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document.
COMMISSION IMPLEMENTING REGULATION (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L 482, 7.2.2024, p. 1)
Amended by:
M1: Commission Implementing Regulation (EU) 2024/3144 of 18 December 2024 (Official Journal L 3144, p. 1, 19.12.2024)
COMMISSION IMPLEMENTING REGULATION (EU) 2024/482
of 31 January 2024
laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC)
(Text with EEA relevance)
CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter and scope
This Regulation sets out the European Common Criteria-based cybersecurity certification scheme (EUCC).
This Regulation applies to all information and communication technologies (‘ICT’) products, including their documentation, which are submitted for certification under the EUCC, and to all protection profiles which are submitted for certification as part of the ICT process leading to the certification of ICT products.
Article 2
Definitions
For the purposes of this Regulation, the following definitions shall apply:
‘Common Criteria’ means the Common Criteria for Information Technology Security Evaluation, as set out in standards ISO/IEC 15408-1:2022, ISO/IEC 15408-2:2022, ISO/IEC 15408-3:2022, ISO/IEC 15408-4:2022 or ISO/IEC 15408-5:2022, or set out in Common Criteria for Information Technology Security Evaluation, version CC:2022, Parts 1 through 5, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security;
‘Common Evaluation Methodology’ means the Common Methodology for Information Technology Security Evaluation, as set out in standard ISO/IEC 18045:2022, or the Common Methodology for Information Technology Security Evaluation, version CEM:2022, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security;
‘target of evaluation’ means an ICT product or part thereof, or a protection profile as part of an ICT process, which is subjected to cybersecurity evaluation to receive EUCC certification;
‘security target’ means a claim of implementation-dependent security requirements for a specific ICT product;
‘protection profile’ means an ICT process that lays down the security requirements for a specific category of ICT products, addressing implementation-independent security needs, and that may be used to assess ICT products falling into that specific category for the purpose of their certification;
‘evaluation technical report’ means a document produced by an ITSEF to present the findings, verdicts and justifications obtained during the evaluation of an ICT product or a protection profile in accordance with the rules and obligations set out in this Regulation;
‘ITSEF’ means an Information Technology Security Evaluation Facility, which is a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008 that performs evaluation tasks;
‘AVA_VAN level’ means an assurance vulnerability analysis level that indicates the degree of cybersecurity evaluation activities carried out to determine the level of resistance against potential exploitability of flaws or weaknesses in the target of evaluation in its operational environment as set out in the Common Criteria;
‘EUCC certificate’ means a cybersecurity certificate issued under the EUCC for ICT products, or for protection profiles that can be used exclusively in the ICT process of certification of ICT products;
‘composite product’ means an ICT product that is evaluated together with another underlying ICT product that has already received an EUCC certificate and on whose security functionality the composite ICT product depends;
‘national cybersecurity certification authority’ means an authority designated by a Member State pursuant to Article 58(1) of Regulation (EU) 2019/881;
‘certification body’ means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008, which performs certification activities;
‘technical domain’ means a common technical framework related to a particular technology for the harmonised certification with a set of characteristic security requirements;
‘state-of-the-art document’ means a document which specifies evaluation methods, techniques and tools that apply to the certification of ICT products, or security requirements of a generic ICT product category, or any other requirements necessary for certification, in order to harmonise evaluation, in particular of technical domains or protection profiles;
‘market surveillance authority’ means an authority defined in Article 3(4) of Regulation (EU) 2019/1020.
Article 3
Evaluation standards
The following standards shall apply to evaluations performed under the EUCC scheme:
the Common Criteria;
the Common Evaluation Methodology.
Until 31 December 2027, a certificate may be issued under the EUCC scheme applying either of the following standards:
ISO/IEC 15408-1:2009, ISO/IEC 15408-2:2008 or ISO/IEC 15408-3:2008;
Common Criteria for Information Technology Security Evaluation, version 3.1, revision 5, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security;
ISO/IEC 18045:2008;
Common Methodology for Information Technology Security Evaluation, revision 5, version 3.1, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security.
A certificate applying the standards referred to in paragraph 1 may also be issued under the EUCC scheme claiming conformance to a protection profile that has applied either of the following standards, provided that the use of such protection profile is required under Commission Implementing Regulation (EU) 2016/799 ( 1 ), Regulation (EU) No 910/2014 of the European Parliament and of the Council ( 2 ) or Commission Implementing Decision (EU) 2016/650 ( 3 ):
Common Criteria for Information Technology Security Evaluation, version 3.1, revision 1 to 4, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security;
Common Methodology for Information Technology Security Evaluation, version 3.1, revision 1 to 4, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security.
Article 4
Assurance levels
Article 5
Methods for certifying ICT products
Certification of an ICT product shall be carried out against its security target:
as defined by the applicant; or
claiming conformance to a certified protection profile as part of the ICT process, where the ICT product falls in the ICT product category covered by that protection profile.
Article 6
Conformity self-assessment
A conformity self-assessment within the meaning of Article 53 of Regulation (EU) 2019/881 shall not be permitted.
CHAPTER II
CERTIFICATION OF ICT PRODUCTS
SECTION I
Specific standards and requirements for evaluation
Article 7
Evaluation criteria and methods for ICT products
An ICT product submitted for certification shall, as a minimum, be evaluated in accordance with the following:
the applicable elements of the standards referred to in Article 3;
the security assurance requirements classes for vulnerability assessment and independent functional testing, as set out in the evaluation standards referred to in Article 3;
the level of risk associated with the intended use of the ICT products concerned pursuant to Article 52 of Regulation (EU) 2019/881 and their security functions that support the security objectives set out in Article 51 of Regulation (EU) 2019/881;
the applicable state-of-the-art documents listed in Annex I; and
the applicable certified protection profiles listed in Annex II.
Certification of ICT products at AVA_VAN level 4 or 5 shall only be possible in the following scenarios:
where the ICT product is covered by any technical domain listed in Annex I, it shall be evaluated in accordance with the applicable state-of-the-art documents of those technical domains,
where the ICT product falls into a category of ICT products covered by a certified protection profile that includes AVA_VAN levels 4 or 5 and that has been listed as a state-of-the-art protection profile in Annex II, it shall be evaluated in accordance with the evaluation methodology specified for that protection profile,
where points (a) and (b) of this paragraph are not applicable and where the inclusion of a technical domain in Annex I or of a certified protection profile in Annex II is unlikely in the foreseeable future, and only in exceptional and duly justified cases, subject to the conditions set out in paragraph 4.
SECTION II
Issuance, renewal and withdrawal of EUCC certificates
Article 8
Information necessary for certification and evaluation
Applicants for certification may provide to the certification body and ITSEF appropriate evaluation results from prior certification pursuant to:
this Regulation;
another European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881;
a national scheme referred to in Article 49 of this Regulation.
Applicants for certification shall also provide the certification body and the ITSEF with the following information:
the link to their website containing the supplementary cybersecurity information referred to in Article 55 of Regulation (EU) 2019/881;
a description of the applicant’s vulnerability management and vulnerability disclosure procedures.
Article 9
Conditions for issuance of an EUCC certificate
The certification bodies shall issue an EUCC certificate where all of the following conditions are met:
the category of ICT product falls within the scope of the accreditation, and where applicable of the authorisation, of the certification body and the ITSEF involved in the certification;
the applicant for certification has signed a statement undertaking all commitments listed in paragraph 2;
the ITSEF has concluded the evaluation without objection in accordance with the evaluation standards, criteria and methods referred to in Articles 3 and 7;
the certification body has concluded the review of the evaluation results without objection;
the certification body has verified that the evaluation technical reports provided by the ITSEF are consistent with the provided evidence and that the evaluation standards, criteria and methods referred to in Articles 3 and 7 have been correctly applied.
The applicant for certification shall undertake the following commitments:
to provide the certification body and the ITSEF with all the necessary complete and correct information, and to provide additional necessary information if requested;
not to promote the ICT product as being certified under the EUCC before the EUCC certificate has been issued;
to promote the ICT product as being certified only with respect to the scope set out in the EUCC certificate;
to cease immediately the promotion of the ICT product as being certified in the event of the suspension, withdrawal or expiry of the EUCC certificate;
to ensure that the ICT products sold with reference to the EUCC certificate are strictly identical to the ICT product subject to the certification;
to respect the rules of use of the mark and label established for the EUCC certificate in accordance with Article 11.
Article 10
Content and format of an EUCC certificate
Article 11
Mark and label
The mark and label shall be set out as in Annex IX and contain:
the assurance level and the AVA_VAN level of the certified ICT product;
the unique identification of the certificate, consisting of:
the name of the scheme;
the name and the reference number of the accreditation of the certification body that has issued the certificate;
year and month of issuance;
identification number assigned by the certification body that has issued the certificate.
The mark and label shall be accompanied by a QR code with a link to a website containing at least:
the information on the validity of the certificate;
the necessary certification information as set out in Annexes V and VII;
the information to be made publicly available by the holder of the certificate in accordance with Article 55 of Regulation (EU) 2019/881; and
where applicable, the historic information related to the specific certification or certifications of the ICT product to enable traceability.
Article 12
Period of validity of an EUCC certificate
Article 13
Review of an EUCC certificate
Following the results of the review, and where applicable of the re-evaluation, the certification body shall:
confirm the EUCC certificate;
withdraw the EUCC certificate in accordance with Article 14;
withdraw the EUCC certificate in accordance with Article 14 and issue a new EUCC certificate with an identical scope and an extended validity period; or
withdraw the EUCC certificate in accordance with Article 14 and issue a new EUCC certificate with a different scope.
Article 14
Withdrawal of an EUCC certificate
CHAPTER III
CERTIFICATION OF PROTECTION PROFILES
SECTION I
Specific standards and requirements for evaluation
Article 15
Evaluation criteria and methods
A protection profile shall be evaluated, as a minimum, in accordance with the following:
the applicable elements of the standards referred to in Article 3;
the level of risk associated with the intended use of the ICT products concerned pursuant to Article 52 of Regulation (EU) 2019/881 and their security functions that support the security objectives set out in Article 51 of that Regulation; and
the applicable state-of-the-art documents listed in Annex I.
A protection profile covered by a technical domain shall be certified against the requirements set out in that technical domain.
SECTION II
Issuing, renewing and withdrawing EUCC certificates for protection profiles
Article 16
Information necessary for certification and evaluation of protection profiles
An applicant for certification of a protection profile shall provide or otherwise make available to the certification body and the ITSEF all information necessary for the certification and evaluation activities in a complete and correct form. Article 8(2), (3), (4) and (7) shall apply mutatis mutandis.
Article 17
Issuance of EUCC certificates for protection profiles
▼M1 —————
A protection profile shall be certified solely by:
a national cybersecurity certification authority or another public body accredited as certification body; or
a certification body, upon prior approval by the national cybersecurity certification authority for each individual protection profile.
Article 18
Period of validity of an EUCC certificate for protection profiles
Article 19
Review of an EUCC certificate for protection profiles
Following the results of the review, and where applicable of the re-evaluation, the certification body shall do one of the following:
confirm the EUCC certificate;
withdraw the EUCC certificate in accordance with Article 20;
withdraw the EUCC certificate in accordance with Article 20 and issue a new EUCC certificate with an identical scope and an extended validity period;
withdraw the EUCC certificate in accordance with Article 20 and issue a new EUCC certificate with a different scope.
Article 20
Withdrawal of an EUCC certificate for a protection profile
CHAPTER IV
CONFORMITY ASSESSMENT BODIES
Article 20a
Specification of requirements for accreditation of conformity assessment bodies
The accreditation of conformity assessment bodies shall take into account the specification of requirements for accreditation of certification bodies and ITSEFs as laid down in the applicable state-of-the-art documents listed in point 2 of Annex I.
Article 21
Additional or specific requirements for a certification body
A certification body shall be authorised by the national cybersecurity certification authority to issue EUCC certificates at assurance level ‘high’ where that body demonstrates that, in addition to meeting the requirements laid down in Article 60(1) and the Annex to Regulation (EU) 2019/881 regarding accreditation of conformity assessment bodies, it complies with all of the following conditions:
it has the expertise and competences required for the certification decision at assurance level ‘high’;
it conducts its certification activities in cooperation with an ITSEF authorised in accordance with Article 22; and
it has the requisite competences and has put in place appropriate technical and operational measures to effectively protect confidential and sensitive information for assurance level ‘high’, in addition to the requirements set out in Article 43.
In its assessment, the national cybersecurity certification authority may reuse any appropriate evidence from prior authorisation or similar activities granted pursuant to:
this Regulation;
another European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881;
a national scheme referred to in Article 49 of this Regulation.
Article 22
Additional or specific requirements for an ITSEF
An ITSEF shall be authorised by the national cybersecurity certification authority to carry out the evaluation of ICT products which are subject to certification under the assurance level ‘high’, where the ITSEF demonstrates that, in addition to meeting the requirements laid down in Article 60(1) and the Annex to Regulation (EU) 2019/881 regarding accreditation of conformity assessment bodies, it complies with all of the following conditions:
it has the necessary expertise for performing the evaluation activities to determine the resistance to state-of-the-art cyberattacks carried out by actors with significant skills and resources;
for the technical domains and protection profiles, which are part of the ICT process for those ICT products, it has:
the expertise to perform the specific evaluation activities necessary to methodically determine a target of evaluation’s resistance against skilled attackers in its operational environment assuming an attack potential of ‘moderate’ or ‘high’ as set out in the standards referred to in Article 3;
the technical competences as specified in the state-of-the-art documents listed in Annex I;
it has the requisite competences and has put in place appropriate technical and operational measures to effectively protect confidential and sensitive information for assurance level ‘high’, in addition to the requirements set out in Article 43.
In its assessment, the national cybersecurity certification authority may reuse any appropriate evidence from prior authorisation or similar activities granted pursuant to:
this Regulation;
another European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881;
a national scheme referred to in Article 49 of this Regulation.
▼M1 —————
CHAPTER V
MONITORING, NON-CONFORMITY AND NON-COMPLIANCE
SECTION I
Compliance monitoring
Article 25
Monitoring activities by the national cybersecurity certification authority
Without prejudice to Article 58(7) of Regulation (EU) 2019/881, the national cybersecurity certification authority shall monitor the compliance of:
the certification body and the ITSEF with their obligations pursuant to this Regulation and Regulation (EU) 2019/881;
the holders of an EUCC certificate with their obligations pursuant to this Regulation and Regulation (EU) 2019/881;
the certified ICT products with the requirements set out in the EUCC;
the assurance expressed in the EUCC certificate addressing the evolving threat landscape.
The national cybersecurity certification authority shall perform its monitoring activities in particular on the basis of:
information coming from certification bodies, national accreditation bodies and relevant market surveillance authorities;
information resulting from its own or another authority’s audits and investigations;
sampling, carried out in accordance with paragraph 3;
complaints received.
The national cybersecurity certification authority shall select the sample of certified ICT products to be checked using objective criteria, including:
product category;
assurance levels of products;
holder of a certificate;
certification body and, where applicable, the subcontracted ITSEF;
any other information brought to the authority’s attention.
Article 26
Monitoring activities by the certification body
The certification body shall monitor:
the compliance of the holders of a certificate with their obligations under this Regulation and Regulation (EU) 2019/881 towards the EUCC certificate that was issued by the certification body;
the compliance of the ICT products it has certified with their respective security requirements;
the assurance expressed in the certified protection profiles.
The certification body shall undertake its monitoring activities on the basis of:
the information provided on the basis of the commitments of the applicant for certification referred to in Article 9(2);
information resulting from activities of other relevant market surveillance authorities;
complaints received;
vulnerability information that could impact the ICT products it has certified.
Article 27
Monitoring activities by the holder of the certificate
The holder of an EUCC certificate shall perform the following tasks to monitor the conformity of the certified ICT product with its security requirements:
monitor vulnerability information regarding the certified ICT product, including known dependencies by its own means but also in consideration of:
a publication or a submission regarding vulnerability information by a user or security researcher referred to in Article 55(1), point (c) of Regulation (EU) 2019/881;
a submission by any other source;
monitor the assurance expressed in the EUCC certificate.
SECTION II
Conformity and compliance
Article 28
Consequences of non-conformity of a certified ICT product or protection profile
Article 29
Consequences of non-compliance by the holder of the certificate
Where the certification body finds that:
the holder of the EUCC certificate or the applicant for certification is not compliant with its commitments and obligations as set out in Articles 9(2), 17(2), 27 and 41; or
the holder of the EUCC certificate does not comply with Article 56(8) of Regulation (EU) 2019/881 or Chapter VI of this Regulation;
it shall set a time period of not more than 30 days within which the holder of the EUCC certificate shall take remedial action.
Article 30
Suspension of the EUCC certificate
Article 31
Consequences of non-compliance by the conformity assessment body
In case of non-compliance by a certification body with its obligations, or where the relevant certification body identifies non-compliance by an ITSEF, the national cybersecurity certification authority shall, without undue delay:
identify, with the support of the concerned ITSEF, the potentially affected EUCC certificates;
where necessary, request evaluation activities to be performed on one or more ICT products or protection profiles by either the ITSEF which performed the evaluation, or any other accredited and, where applicable, authorised ITSEF that may be in a better technical position to support that identification;
analyse the impacts of non-compliance;
notify the holder of the EUCC certificate affected by non-compliance.
On the basis of the measures referred to in paragraph 1, the certification body shall adopt either of the following decisions with respect to each affected EUCC certificate:
maintain the EUCC certificate unaltered;
withdraw the EUCC certificate in accordance with Article 14 or Article 20, and, where appropriate, issue a new EUCC certificate.
On the basis of the measures referred to in paragraph 1, the national cybersecurity certification authority shall:
where necessary, report the non-compliance of the certification body or related ITSEF to the national accreditation body;
where applicable, assess the potential impact on the authorisation.
CHAPTER VI
VULNERABILITY MANAGEMENT AND DISCLOSURE
Article 32
Scope of vulnerability management
This Chapter applies to ICT products for which an EUCC certificate was issued.
SECTION I
Vulnerability management
Article 33
Vulnerability management procedures
Article 34
Vulnerability impact analysis
Article 35
Vulnerability impact analysis report
The vulnerability impact analysis report shall contain an assessment of the following elements:
the impact of the vulnerability on the certified ICT product;
possible risks associated with the proximity or availability of an attack;
whether the vulnerability may be remedied;
where the vulnerability may be remedied, possible resolutions of the vulnerability.
Article 36
Vulnerability remediation
The holder of an EUCC certificate shall submit a proposal for an appropriate remedial action to the certification body. The certification body shall review the certificate in accordance with Article 13. The scope of the review shall be determined by the proposed remediation of the vulnerability.
SECTION II
Vulnerability disclosure
Article 37
Information shared with the national cybersecurity certification authority
Article 38
Cooperation with other national cybersecurity certification authorities
Article 39
Publication of the vulnerability
Upon withdrawal of a certificate, the holder of the EUCC certificate shall disclose and register any publicly known and remediated vulnerability in the ICT product on the European vulnerability database, established in accordance with Article 12 of Directive (EU) 2022/2555 of the European Parliament and of the Council ( 4 ) or other online repositories referred to in Article 55(1), point (d) of Regulation (EU) 2019/881.
CHAPTER VII
RETENTION, DISCLOSURE AND PROTECTION OF INFORMATION
Article 40
Retention of records by certification bodies and the ITSEF
Article 41
Information made available by the holder of a certificate
The holder of an EUCC certificate shall store the following securely for the period necessary for the purposes of this Regulation and for at least 5 years after the withdrawal of the relevant EUCC certificate:
records of the information provided to the certification body and to the ITSEF during the certification process;
specimen of the certified ICT product.
Article 42
Information to be made available by ENISA
ENISA shall publish the following information on the website referred to in Article 50(1) of Regulation (EU) 2019/881:
all EUCC certificates;
the information on the status of an EUCC certificate, notably whether it is in force, suspended, withdrawn, or expired;
certification reports corresponding to each EUCC certificate;
a list of accredited conformity assessment bodies;
a list of authorised conformity assessment bodies;
the state-of-the-art documents listed in Annex I;
the opinions of the European Cybersecurity Certification Group referred to in Article 62(4), point (c), of Regulation (EU) 2019/881;
peer assessment reports issued in accordance with Article 47.
Article 43
Protection of information
Conformity assessment bodies, national cybersecurity certification authorities, the ECCG, ENISA, the Commission and all other parties shall ensure the security and protection of business secrets and other confidential information, including trade secrets, as well as the preservation of intellectual property rights, and shall take the necessary and appropriate technical and organisational measures to that end.
CHAPTER VIII
MUTUAL RECOGNITION AGREEMENTS WITH THIRD COUNTRIES
Article 44
Conditions
Mutual recognition agreements referred to in paragraph 1 may only be concluded with third countries that meet the following conditions:
have an authority that:
is a public body, independent of the entities it supervises and monitors in terms of organisational and legal structure, financial funding and decision making;
has appropriate monitoring and supervising powers to carry out investigations and is empowered to take appropriate corrective measures to ensure compliance;
has an effective, proportionate and dissuasive penalty system to ensure compliance;
agrees to collaborate with the European Cybersecurity Certification Group and ENISA to exchange best practice and relevant developments in the field of cybersecurity certification and to work towards a uniform interpretation of the currently applicable evaluation criteria and methods, amongst others, by applying harmonised documentation that is equivalent to the state-of-the-art documents listed in Annex I;
have an independent accreditation body performing accreditations using equivalent standards to those referred to in Regulation (EC) No 765/2008;
commit that the evaluation and certification processes and procedures will be carried out in a duly professional manner, taking into account compliance with the international standards referred to in this Regulation, in particular in Article 3;
have the capacity to report previously undetected vulnerabilities and an established, adequate vulnerability management and disclosure procedure in place;
have established procedures that enable it to effectively lodge and handle complaints and provide effective legal remedy for the complainant;
establish a mechanism for cooperation with other Union and Member States’ bodies relevant to the cybersecurity certification under this Regulation, including the sharing of information about the possible non-compliance of certificates, monitoring relevant developments in the field of certification and ensuring a joint approach on certification maintenance and review.
In addition to the conditions set out in paragraph 3, a mutual recognition agreement referred to in paragraph 1 covering assurance level ‘high’ may only be concluded with third countries where the following conditions are also met:
the third country has an independent and public cybersecurity certification authority performing or delegating evaluation activities necessary to allow certification under assurance level ‘high’ that are equivalent to the requirements and procedures laid down for national cybersecurity authorities in this Regulation and in Regulation (EU) 2019/881;
the mutual recognition agreement establishes a joint mechanism equivalent to the peer assessment for EUCC certification to enhance the exchange of practices and jointly solve issues in the area of evaluation and certification.
CHAPTER IX
PEER ASSESSMENT OF CERTIFICATION BODIES
Article 45
Peer assessment procedure
The peer assessment may rely on evidence gathered in the course of previous peer assessments or equivalent procedures of the peer-assessed certification body or national cybersecurity certification authority, provided that:
the results are not older than 5 years;
the results are accompanied by a description of the peer assessment procedures established for that scheme where they relate to a peer assessment conducted under a different certification scheme;
the peer assessment report referred to in Article 47 specifies which results were reused with or without further assessment.
Article 46
Peer assessment phases
Article 47
Peer assessment report
The European Cybersecurity Certification Group shall adopt an opinion on the peer assessment report:
where the peer assessment report does not identify non-conformities or where non-conformities have been appropriately addressed by the peer-assessed certification body, the European Cybersecurity Certification Group may issue a positive opinion and all relevant documents shall be published on ENISA’s certification website;
where the peer-assessed certification body does not address the non-conformities appropriately within the set time limit, the European Cybersecurity Certification Group may issue a negative opinion that shall be published on ENISA’s certification website, including the peer assessment report and all relevant documents.
CHAPTER X
MAINTENANCE OF THE SCHEME
Article 48
Maintenance of the EUCC
CHAPTER XI
FINAL PROVISIONS
Article 49
National schemes covered by the EUCC
Article 50
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 27 February 2025.
Chapter IV and Annex V shall apply from the date of entry into force of this Regulation.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
ANNEX I
State-of-the-art documents supporting technical domains and other state-of-the-art documents
1. State-of-the-art documents supporting technical domains at AVA_VAN level 4 or 5:
the following documents related to the harmonised evaluation of technical domain ‘smart cards and similar devices’:
‘Minimum ITSEF requirements for security evaluations of smart cards and similar devices’, version 1.1;
‘Minimum Site Security Requirements’, version 1.1;
‘Application of Common Criteria to integrated circuits’, version 1.1;
‘Security Architecture requirements (ADV_ARC) for smart cards and similar devices’, version 1.1;
‘Certification of ‘open’ smart card products’, version 1.1;
‘Composite product evaluation for smart cards and similar devices’, version 1.1;
‘Application of Attack Potential to Smartcards and Similar Devices’, version 1.2;
the following documents related to the harmonised evaluation of technical domain ‘hardware devices with security boxes’:
‘Minimum ITSEF requirements for security evaluations of hardware devices with security boxes’, version 1.1;
‘Minimum Site Security Requirements’, version 1.1;
‘Application of Attack Potential to hardware devices with security boxes’, version 1.2.
2. State-of-the-art documents related to the harmonised accreditation of conformity assessment bodies:
‘Accreditation of ITSEFs for the EUCC’, version 1.1 for accreditations issued before 8 July 2025.
‘Accreditation of ITSEFs for the EUCC’, version 1.6c, for accreditations that are newly issued or reviewed after 8 July 2025.
‘Accreditation of CBs for the EUCC’, version 1.6b.
ANNEX II
Protection profiles certified at AVA_VAN level 4 or 5
1. For the category of remote qualified signature and seal creation devices:
EN 419241-2:2019 - Trustworthy Systems Supporting Server Signing - Part 2: Protection Profile for QSCD for Server Signing;
EN 419221-5:2018 - Protection profiles for Trust Service Provider Cryptographic modules - Part 5: Cryptographic Module for Trust Services.
2. Protection profiles that have been adopted as state-of-the-art documents:
[BLANK]
ANNEX III
Recommended protection profiles (illustrating technical domains from Annex I)
Protection profiles used in certification of ICT products falling under the below stated ICT product category:
for the category of machine readable travel documents:
PP Machine Readable Travel Document using Standard Inspection Procedure with PACE, BSI-CC-PP-0068-V2-2011-MA-01;
PP for a Machine Readable Travel Document with "ICAO Application" Extended Access Control, BSI-CC-PP-0056-2009;
PP for a Machine Readable Travel Document with "ICAO Application" Extended Access Control with PACE, BSI-CC-PP-0056-V2-2012-MA-02;
PP for a Machine Readable Travel Document with "ICAO Application" Basic Access Control, BSI-CC-PP-0055-2009;
for the category of secure signature creation devices:
EN 419211-1:2014 - Protection profiles for secure signature creation device - Part 1: Overview;
EN 419211-2:2013 - Protection profiles for secure signature creation device - Part 2: Device with key generation;
EN 419211-3:2013 - Protection profiles for secure signature creation device - Part 3: Device with key import;
EN 419211-4:2013 - Protection profiles for secure signature creation device - Part 4: Extension for device with key generation and trusted channel to certificate generation application;
EN 419211-5:2013 - Protection profiles for secure signature creation device - Part 5: Extension for device with key generation and trusted channel to signature creation application;
EN 419211-6:2014 - Protection profiles for secure signature creation device - Part 6: Extension for device with key import and trusted channel to signature creation application;
for the category of digital tachographs:
Digital Tachograph - Tachograph Card, as referred in Commission Implementing Regulation (EU) 2016/799 of 18 March 2016 implementing Regulation (EU) 165/2014 (Annex 1C);
Digital Tachograph - Vehicle unit as referred in Annex IB of Commission Regulation (EC) No. 1360/2002 intended to be installed in road transport vehicles;
Digital Tachograph - External GNSS Facility (EGF PP) as referred in Annex 1C of Commission Implementing Regulation (EU) 2016/799 of 18 March 2016 implementing Regulation (EU) 165/2014 of the European Parliament and of the Council;
Digital Tachograph - Motion Sensor (MS PP) as referred in Annex 1C of Commission Implementing Regulation (EU) 2016/799 of 18 March 2016 implementing Regulation (EU) 165/2014 of the European Parliament and of the Council;
for the category of secure integrated circuits, smart cards and related devices:
Security IC Platform PP, BSI-CC-PP-0084-2014;
Java Card System - Open Configuration, V3.0.5 BSI-CC-PP-0099-2017;
Java Card System - Closed Configuration, BSI-CC-PP-0101-2017;
PP for a PC Client Specific Trusted Platform Module Family 2.0 Level 0 Revision 1.16, ANSSI-CC-PP-2015/07;
Universal SIM card, PU-2009-RT-79, ANSSI-CC-PP-2010/04;
Embedded UICC (eUICC) for Machine-to-Machine Devices, BSI-CC-PP-0089-2015;
for the category of points of (payment) interaction and payment terminals:
Point of Interaction "POI-CHIP-ONLY", ANSSI-CC-PP-2015/01;
Point of Interaction "POI-CHIP-ONLY and Open Protocol Package", ANSSI-CC-PP-2015/02;
Point of Interaction "POI-COMPREHENSIVE", ANSSI-CC-PP-2015/03;
Point of Interaction "POI-COMPREHENSIVE and Open Protocol Package", ANSSI-CC-PP-2015/04;
Point of Interaction "POI-PED-ONLY", ANSSI-CC-PP-2015/05;
Point of Interaction "POI-PED-ONLY and Open Protocol Package", ANSSI-CC-PP-2015/06;
for the category of hardware devices with security boxes:
Cryptographic Module for CSP Signing Operations with Backup - PP CMCSOB, PP HSM CMCSOB 14167-2, ANSSI-CC-PP-2015/08;
Cryptographic Module for CSP key generation services - PP CMCKG, PP HSM CMCKG 14167-3, ANSSI-CC-PP-2015/09;
Cryptographic Module for CSP Signing Operations without Backup - PP CMCSO, PP HSM CMCKG 14167-4, ANSSI-CC-PP-2015/10.
ANNEX IV
Assurance continuity and certificate review
IV.1 Assurance continuity: scope
1. The following requirements for assurance continuity apply to the maintenance activities related to the following:
a re-assessment if an unchanged certified ICT product still meets its security requirements;
an evaluation of the impacts of changes to a certified ICT product on its certification;
if included in the certification, the application of patches in accordance with an assessed patch management process;
if included, the review of the certificate holder’s lifecycle management or production processes.
2. The holder of an EUCC certificate may request the review of the certificate in the following cases:
the EUCC certificate is due to expire within nine months;
there has been a change either in the certified ICT product or in another factor which could impact its security functionality;
the holder of the certificate demands that the vulnerability assessment is carried out again in order to reconfirm the EUCC certificate’s assurance associated with the ICT product’s resistance against present cyberattacks.
IV.2 Re-assessment
1. Where there is a need to assess the impact of changes in the threat environment of an unchanged certified ICT product, a re-assessment request shall be submitted to the certification body.
2. The re-assessment shall be carried out by the same ITSEF that was involved in the previous evaluation by reusing all its results that still apply. The evaluation shall focus on assurance activities which are potentially impacted by the changed threat environment of the certified ICT product, in particular the relevant AVA_VAN family and in addition the assurance lifecycle (ALC) family where sufficient evidence about the maintenance of the development environment shall be collected again.
3. The ITSEF shall describe the changes and detail the results of the re-assessment with an update of the previous evaluation technical report.
4. The certification body shall review the updated evaluation technical report and establish a re-assessment report. The status of the initial certificate shall then be modified in accordance with Article 13.
5. The re-assessment report and updated certificate shall be provided to the national cybersecurity certification authority and ENISA for publication on its cybersecurity certification website.
IV.3 Changes to a certified ICT product
1. Where a certified ICT product has been subject to changes, the holder of the certificate wishing to maintain the certificate shall provide to the certification body an impact analysis report.
2. The impact analysis report shall provide the following elements:
an introduction containing necessary information to identify the impact analysis report and the target of evaluation subject to changes;
a description of the changes to the product;
the identification of affected developer evidence;
a description of the developer evidence modifications;
the findings and the conclusions on the impact on assurance for each change.
3. The certification body shall examine the changes described in the impact analysis report in order to validate their impact upon the assurance of the certified target of evaluation, as proposed in the conclusions of the impact analysis report.
4. Following the examination, the certification body determines the scale of a change as minor or major in correspondence to its impact.
5. Where the changes have been confirmed by the certification body to be minor, no new certificate shall be issued for the modified ICT product and a maintenance report to the initial certification report shall be established.
The maintenance report shall be included as a subset of the impact analysis report, containing following sections:
introduction;
description of changes;
affected developer evidence.
6. The maintenance report referred to in point 5 shall be provided to ENISA for publication on its cybersecurity certification website.
7. Where the changes have been confirmed to be major, a re-evaluation shall be carried out in the context of the previous evaluation and by reusing any results from the previous evaluation that still apply.
8. After completion of the evaluation of the changed target of evaluation, the ITSEF shall establish a new evaluation technical report. The certification body shall review the updated evaluation technical report and, where applicable, establish a new certificate with a new certification report.
9. The new certificate and certification report shall be provided to ENISA for publication.
IV.4 Patch management
1. A patch management procedure provides for a structured process of updating a certified ICT product. The patch management procedure including the mechanism as implemented into the ICT product by the applicant for certification can be used after the certification of the ICT product under the responsibility of the conformity assessment body.
2. The applicant for certification may include into the certification of the ICT product a patch mechanism as part of a certified management procedure implemented into the ICT product under one of the following conditions:
(a) the functionalities affected by the patch reside outside the target of evaluation of the certified ICT product;
(b) the patch relates to a predetermined minor change to the certified ICT product;
(c) the patch relates to a confirmed vulnerability with critical effects on the security of the certified ICT product.
3. If the patch relates to a major change to the target of evaluation of the certified ICT product in relation to a previously undetected vulnerability having no critical effects to the security of the ICT product, the provisions of Article 13 apply.
4. The patch management procedure for an ICT product will be composed of the following elements:
the process for the development and release of the patch for the ICT product;
the technical mechanism and functions for the adoption of the patch into the ICT product;
a set of evaluation activities related to the effectiveness and performance of the technical mechanism.
5. During the certification of the ICT product:
the applicant for certification of the ICT product shall provide the description of the patch management procedure;
the ITSEF shall verify the following elements:
the developer implemented the patch mechanisms into the ICT product in accordance with the patch management procedure that was submitted to certification;
the target of evaluation boundaries are separated in a way that the changes made to the separated processes do not affect the security of the target of evaluation;
the technical patch mechanism performs in accordance with the provisions of this section and the applicant’s claims;
the certification body shall include in the certification report the outcome of the assessed patch management procedure.
6. The holder of the certificate may proceed to apply the patch produced in compliance with the certified patch management procedure to the concerned certified ICT product and shall take the following steps within 5 working days in the following cases:
in the case referred to in point 2(a), report the patch concerned to the certification body that shall not change the corresponding EUCC certificate;
in the case referred to in point 2(b), submit the patch concerned to the ITSEF for review. The ITSEF shall inform the certification body after the reception of the patch upon which the certification body takes the appropriate action on the issuance of a new version of the corresponding EUCC certificate and the update of the certification report;
in the case referred to in point 2(c), submit the patch concerned to the ITSEF for the necessary re-evaluation but may deploy the patch in parallel. The ITSEF shall inform the certification body after which the certification body starts the related certification activities.
ANNEX V
CONTENT OF A CERTIFICATION REPORT
V.1 Certification report
1. On the basis of the evaluation technical reports provided by the ITSEF, the certification body establishes a certification report to be published together with the corresponding EUCC certificate.
2. The certification report is the source of detailed and practical information about the ICT product or the category of ICT products and about the ICT product’s secure deployment and shall therefore include all publicly available and sharable information of relevance to users and interested parties. Publicly available and sharable information can be referenced by the certification report.
3. The certification report shall at least contain the following sections:
executive summary;
identification of the ICT product or the ICT product category for protection profiles;
security services;
assumptions and clarification of scope;
architectural information;
supplementary cybersecurity information, if applicable;
ICT product testing, if it was performed;
where applicable, an identification of the certificate holder’s lifecycle management processes and production facilities;
results of the evaluation and information regarding the certificate;
summary of the security target of the ICT product submitted to certification;
when available, the mark or label associated to the scheme;
bibliography.
4. The executive summary shall be a brief summary of the entire certification report. The executive summary shall provide a clear and concise overview of the evaluation results and shall include the following information:
name of the evaluated ICT product, enumeration of the product’s components that are part of the evaluation and the ICT product version;
name of the ITSEF that performed the evaluation and, where applicable, the list of subcontractors;
completion date of evaluation;
reference to the evaluation technical report established by the ITSEF;
brief description of the certification report results, including:
the version and if applicable release of the Common Criteria applied to the evaluation;
the Common Criteria assurance package and security assurance components including the AVA_VAN level applied during the evaluation and its corresponding assurance level as set out in Article 52 of Regulation (EU) 2019/881 to which the EUCC certificate refers;
the security functionality of the evaluated ICT product;
a summary of threats and organisational security policies addressed by the evaluated ICT product;
special configuration requirements;
assumptions about the operating environment;
where applicable, the presence of an approved patch management procedure in accordance with Section IV.4 of Annex IV;
disclaimer(s).
5. The evaluated ICT product shall be clearly identified, including the following information:
the name of the evaluated ICT product;
an enumeration of the ICT product’s components that are part of the evaluation;
the version number of the ICT product’s components;
identification of additional requirements to the operating environment of the certified ICT product;
name and contact information of the holder of the EUCC certificate;
where applicable, the patch management procedure included into the certificate;
link to the website of the holder of the EUCC certificate where supplementary cybersecurity information for the certified ICT product in accordance with Article 55 of Regulation (EU) 2019/881 is provided.
6. The information included in this Section shall be as accurate as possible in order to ensure a complete and accurate representation of the ICT product that can be re-used in future evaluations.
7. The security policy section shall contain the description of the ICT product's security policy and the policies or rules that the evaluated ICT product shall enforce or comply with. It shall include a reference and a description of the following policies:
the vulnerability handling policy of the holder of the certificate;
the assurance continuity policy of the holder of the certificate.
8. Where applicable, the policy may include the conditions related to the use of a patch management procedure during the validity of the certificate.
9. The section for the assumptions and clarification of scope shall contain exhaustive information regarding the circumstances and objectives related to the intended use of the product as referred to in Article 7(1), point (c). The information shall include the following:
assumptions on the ICT product’s usage and deployment in the form of minimum requirements, such as proper installation and configuration and hardware requirements being satisfied;
assumptions on the environment for the compliant operation of the ICT product;
10. The information listed in point 9 shall be as understandable as possible in order to let users of the certified ICT product make informed decisions about the risks associated with its use.
11. The architectural information section shall include a high-level description of the ICT product and its main components in accordance with Common Criteria’s ADV_TDS subsystems design.
12. A complete listing of the ICT product supplementary cybersecurity information shall be provided in accordance with Article 55 of Regulation (EU) 2019/881. All relevant documentation shall be denoted by the version numbers.
13. The ICT product testing section shall include the following information:
the name and point of contact of the authority or body that issued the certificate including the responsible national cybersecurity certification authority;
the name of the ITSEF which performed the evaluation, when different from the certification body;
an identification of the used assurance components from the standards referred to in Article 3;
the version of the state-of-the-art document and further security evaluation criteria used in the evaluation;
the complete and precise settings and configuration of the ICT product during the evaluation, including operational notes and observations if available;
any protection profile that has been used, including the following information:
the author of the protection profile;
the name and identifier of the protection profile;
the identifier of the protection profile’s certificate;
the name and contact details of the certification body and of the ITSEF involved in the evaluation of the protection profile;
the assurance package(s) required for a product conforming to the protection profile.
14. The results of the evaluation and information regarding the certificate section shall include the following information:
confirmation of the attained assurance level as referred to in Article 4 of this Regulation and Article 52 in Regulation (EU) 2019/881;
assurance requirements from the standards referred to in Article 3 that the ICT product or protection profile actually meets, including the AVA_VAN level;
detailed description of the assurance requirements, as well as the details of how the product meets each of them;
date of issuance and period of validity of the certificate;
unique identifier of the certificate.
15. The security target shall be included in the certification report, or referenced and summarised in the certification report and provided in association with it for the purposes of publication.
16. The security target may be sanitised in accordance with Section VI.2.
17. The mark or label associated to the EUCC may be inserted in the certification report in accordance with the rules and procedures laid down in Article 11.
18. The bibliography section shall include references to all documents used in the compilation of the certification report. That information shall include at least the following:
the security evaluation criteria, state-of-the-art documents and further relevant specifications used and their version;
the evaluation technical report;
the evaluation technical report for composite evaluation, where applicable;
technical reference documentation;
developer documentation used in the evaluation effort.
19. In order to guarantee the reproducibility of the evaluation, all documentation referred to has to be uniquely identified with the proper release date, and proper version number.
V.2 Sanitization of a security target for publication
1. The security target to be included in or referenced by the certification report pursuant to point 1 of Section VI.1 may be sanitised by the removal or paraphrasing of proprietary technical information.
2. The resulting sanitised security target shall be a real representation of its complete original version. This means that the sanitised security target cannot omit information which is necessary to understand the security properties of the target of evaluation and the scope of the evaluation.
3. The content of the sanitised security target shall conform to the following minimum requirements:
its introduction shall not be sanitised as it includes no proprietary information in general;
the sanitised security target has to have a unique identifier that is distinct from its complete original version;
the target of evaluation description may be reduced as it may include proprietary and detailed information about the target of evaluation design which should not be published;
the target of evaluation security environment description (assumptions, threats, organisational security policies) shall not be reduced, in so far as that information is necessary to understand the scope of the evaluation;
the security objectives shall not be reduced as all information is to be made public to understand the intention of the security target and target of evaluation;
all security requirements shall be made public. Application notes may give information on how the functional requirements of the Common Criteria as referred to in Article 3 were used to understand the security target;
the target of evaluation summary specification shall include all target of evaluation security functions but additional proprietary information may be sanitised;
references to protection profiles applied to the target of evaluation shall be included;
the rationale may be sanitised to remove proprietary information.
4. Even if the sanitised security target is not formally evaluated in accordance with the evaluation standards referred to in Article 3, the certification body shall ensure that it complies with the complete and evaluated security target, and reference both the complete and the sanitised security target in the certification report.
ANNEX VI
SCOPE AND TEAM COMPOSITION FOR PEER ASSESSMENTS
VI.1 Scope of the peer assessment
1. The following types of peer assessments are covered:
Type 1: when a certification body performs certification activities at the AVA_VAN.3 level;
Type 2: when a certification body performs certification activities related to a technical domain listed as state-of-the-art documents in Annex I;
Type 3: when a certification body performs certification activities above the AVA_VAN.3 level making use of a protection profile listed as state-of-the-art documents in Annex II or III.
2. The peer-assessed certification body shall submit the list of certified ICT products that may be candidate to the review by the peer assessment team, in accordance with the following rules:
the candidate products shall cover the technical scope of the certification body authorisation, of which at least two different product evaluations at assurance level ‘high’ will be analysed through the peer assessment, and one protection profile if the certification body has issued certificates at assurance level ‘high’;
for a Type 2 peer assessment, the certification body shall submit at least one product per technical domain and per concerned ITSEF;
for a Type 3 peer assessment, at least one candidate product shall be evaluated in accordance with an applicable and relevant protection profile.
VI.2 Peer assessment team
1. The assessment team shall consist of at least two experts each selected from a different certification body from different Member States that issues certificates at the assurance level ‘high’. The experts should demonstrate the relevant expertise in the standards as referred to in Article 3 and state-of-the-art documents that are in scope of the peer assessment.
2. In the case of a delegation of certificate issuance or prior approval of certificates as referred to in Article 56(6) of Regulation (EU) 2019/881, an expert from the national cybersecurity certification authority related to the concerned certification body shall in addition participate in the team of experts selected in accordance with paragraph 1 of this Section.
3. For a Type 2 peer assessment the team members shall be selected from certification bodies being authorised for the concerned technical domain.
4. Each member of the assessment team shall have at least two years of experience of carrying out certification activities in a certification body.
5. For a Type 2 or 3 peer assessment, each member of the assessment team shall have at least two years of experience of carrying out certification activities in that relevant technical domain or protection profile and proven expertise and participation in the authorisation of an ITSEF.
6. The national cybersecurity certification authority monitoring and supervising the peer-assessed certification body and at least one national cybersecurity certification authority whose certification body is not subject to the peer assessment shall participate in the peer assessment as an observer. ENISA may also participate in the peer assessment as an observer.
7. The peer-assessed certification body is presented with the composition of the peer assessment team. In justified cases, it may challenge the composition of the peer assessment team and ask for its review.
ANNEX VII
Content of an EUCC Certificate
An EUCC certificate shall at least contain:
a unique identifier established by the certification body issuing the certificate;
information related to the certified ICT product or protection profile and the holder of the certificate, including:
name of the ICT product or protection profile and, where applicable, of the target of evaluation;
type of ICT product or protection profile and, where applicable, of the target of evaluation;
version of the ICT product or protection profile;
name, address and contact information of the holder of the certificate;
link to the website of the holder of the certificate containing the supplementary cybersecurity information referred to in Article 55 of Regulation (EU) 2019/881;
information related to the evaluation and certification of the ICT product or protection profile, including:
name, address and contact information of the certification body that issued the certificate;
where different from the certification body, name of the ITSEF which performed the evaluation;
name of the responsible national cybersecurity certification authority;
a reference to this Regulation;
a reference to the certification report associated with the certificate referred to in Annex V;
the applicable assurance level in accordance with Article 4;
a reference to the version of the standards used for the evaluation, referred to in Article 3;
identification of the assurance level or package specified in the standards referred to in Article 3 and in conformity with Annex VIII, including the assurance components used and the AVA_VAN level covered;
where applicable, reference to one or more protection profiles with which the ICT product or protection profile complies;
date of issuance;
period of validity of the certificate;
the mark and label associated with the certificate in accordance with Article 11.
ANNEX VIII
Assurance package declaration
1. Contrary to the definitions in the Common Criteria, an augmentation:
shall not be denoted by the abbreviation ‘+’;
shall be detailed by a list of all concerned components;
shall be outlined in detail in the certification report.
2. The assurance level confirmed in an EUCC certificate may be complemented by the evaluation assurance level as specified in Article 3 of this Regulation.
3. If the assurance level confirmed in an EUCC certificate does not refer to an augmentation, the EUCC certificate shall indicate one of the following packages:
‘the specific assurance package’;
‘the assurance package conformant to a protection profile’ in case of referencing a protection profile without an evaluation assurance level.
ANNEX IX
Mark and label
1. The form of mark and label:
2. If the mark and label are reduced or enlarged, the proportions given in the drawing above shall be respected.
3. Where physically present, the mark and label shall be at least 5 mm high.
(1) Commission Implementing Regulation (EU) 2016/799 of 18 March 2016 implementing Regulation (EU) No 165/2014 of the European Parliament and of the Council laying down the requirements for the construction, testing, installation, operation and repair of tachographs and their components (OJ L 139, 26.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg_impl/2016/799/oj).
(2) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj).
(3) Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices pursuant to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (OJ L 109, 26.4.2016, p. 40, ELI: http://data.europa.eu/eli/dec_impl/2016/650/oj).
(4) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).