European common criteria-based cybersecurity certification scheme (EUCC)

SUMMARY OF:

Implementing Regulation (EU) 2024/482 – rules for the application of Regulation (EU) 2019/881 on the adoption of the European common criteria-based cybersecurity certification scheme

WHAT IS THE AIM OF THE REGULATION?

This implementing regulation sets out rules for applying Regulation (EU) 2019/881 (see summary) for the European common criteria-based cybersecurity certification scheme (EUCC).

The EUCC is a framework for assessing and certifying the cybersecurity of information and communication technology(ICT) products and protection profiles. The scheme aims to ensure that ICT products meet stringent security standards through a structured process, aiming to enhance cybersecurity, achieve consistency across the European Union (EU) and provide trusted certification. The EUCC builds on the mutual recognition agreement (‘MRA’) of information technology security certificates of the Senior Officials Group Information Systems Security (‘SOG-IS’).

KEY POINTS

EVALUATION STANDARDS AND METHODS

• The scheme uses the common criteria (ISO/IEC 15408) and the common evaluation methodology (ISO/IEC 18045) for evaluations.
• Certification bodies issue EUCC certificates at two assurance levels: ‘substantial’ (AVA_VAN levels* 1 or 2) and ‘high’ (AVA_VAN levels 3, 4 or 5). The assurance level determines the depth and rigour of the evaluation.
• ICT products are certified against their security targets, which can incorporate a certified protection profile if applicable.
• Self-assessment for conformity is not permitted under the EUCC scheme.

CERTIFICATION OF ICT PRODUCTS

• Evaluations must adhere to the common criteria, the common evaluation methodology and applicable state-of-the-art documents.
• Certification at higher assurance levels (AVA_VAN levels 4 or 5) has to be carried out as a rule on the basis of technical domains or protection profiles adopted as state-of-the-art documents and listed in Annex I.
• Applicants must provide comprehensive documentation, including previous evaluation results if applicable, to support the certification process.
• Certification bodies issue certificates if all conditions are met, and these certificates include the specific information outlined in Annex VII.
• National cybersecurity certification schemes must align with the EUCC and cease to produce effects within 12 months of the regulation’s entry into force. A national certification process started during that period must be completed within 24 months following the entry into force.
• Certificates are:
  • valid for up to 5 years, with possible extensions upon approval;
  • reviewed periodically to ensure ongoing compliance with security requirements;
  • withdrawn if the certified product no longer meets the required standards or if there are significant non-conformities.

CERTIFICATION OF PROTECTION PROFILES

Protection profiles lay down security requirements for specific ICT product categories. These profiles are:

• evaluated similarly to ICT products, ensuring they meet the necessary security requirements for specific ICT categories;
• certified by national cybersecurity certification authorities or accredited public bodies, or a certification body, upon prior approval.

MARKING AND LABELLING

• Certified products may bear a mark and label indicating their certification status.
• These must be clearly visible and contain details such as the assurance level, unique identification number and a QR code linking to certification information.

CONFORMITY ASSESSMENT BODIES

• Certification bodies and information technology security evaluation facilities (ITSEFs) must be accredited in line with Regulation (EC) No 765/2008 (see summary), and, for high assurance levels, authorised by national cybersecurity certification authorities.
• National cybersecurity certification authorities monitor compliance of certification bodies, ITSEFs and certificate holders. They also handle complaints and conduct investigations into non-conformity.
• Non-conforming products must undergo remedial measures, and certificates may be suspended or withdrawn if issues are not resolved.
• Certification bodies issuing high assurance certificates must undergo regular peer assessments to ensure consistency and high standards in certification practices.
• The European Cybersecurity Certification Group plays a crucial role in maintaining the scheme, endorsing state-of-the-art documents and ensuring ongoing relevance and effectiveness.

VULNERABILITY MANAGEMENT AND DISCLOSURE

• Certificate holders must establish procedures to manage and disclose vulnerabilities, carry out vulnerability impact analyses and report significant vulnerabilities to certification bodies and authorities.
• Withdrawn certificates must be disclosed in relevant databases, ensuring transparency about known vulnerabilities.

RETAINING AND PROTECTING INFORMATION

• Certification bodies and ITSEFs must maintain records of evaluations and certifications for at least 5 years after certificate withdrawal.
• All parties involved in the certification process must protect confidential information and business secrets.

MUTUAL RECOGNITION AGREEMENTS WITH NON-EU COUNTRIES

• Non-EU countries can recognise EUCC certifications through mutual recognition agreements, provided they meet criteria on monitoring, supervision and vulnerability management.

FROM WHEN DOES THE REGULATION APPLY?

It applies from 27 February 2025.

BACKGROUND

For further information, see:

• EU cybersecurity certification (European Union Agency for Cybersecurity)
• Cybersecurity certification framework (European Union Agency for Cybersecurity).

KEY TERMS

MAIN DOCUMENT

Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L, 2024/482, 7.2.2024).

RELATED DOCUMENTS

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, pp. 80–152).

Successive amendments to Directive (EU) 2022/2555 have been incorporated into the original text. This consolidated version is of documentary value only.

Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, pp. 15–69).

Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (OJ L 169, 25.6.2019, pp. 1–44).

See consolidated version.

Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, pp. 30–47).

See consolidated version.

Council Recommendation 95/144/EC of 7 April 1995 on common information technology security evaluation criteria (OJ L 93, 26.4.1995, pp. 27–28).

last update 01.07.2024