What is The EUCC?
The EUCC (European Common Criteria-based cybersecurity certification scheme) is an EU-wide scheme for evaluating and certifying the security of Information and Communication Technology (ICT) products. Its legal basis is the Cybersecurity Act (Regulation (EU) 2019/881), adopted in 2019, which created the European cybersecurity certification framework at a high level and gave the European Union Agency for Cybersecurity (ENISA) a permanent mandate and an expanded role. The EUCC itself was defined in an implementing act (Commission Implementing Regulation (EU) 2024/482) published in January 2024, the first scheme adopted under that framework. The Cybersecurity Act was amended in December 2024 to bring managed security services within the scope of the certification framework.
For more information and background on EUCC, read our previous post on “The EUCC and What It Means For You“.
What is Common Criteria?
Common Criteria is an international cybersecurity standard recognized by 33 countries, or schemes, under the Common Criteria Recognition Arrangement (CCRA); 18 of these schemes participate as certificate-authorizing entities. While Common Criteria offers a common framework for evaluating products, each national certifying scheme has been allowed to establish its own rules for doing so. Over the years certain nations have made larger-scale changes to the framework. These changes initially create turmoil, but the Common Criteria community works to integrate them into the overall framework. We saw this with NIAP in the U.S. when it moved to certifying only Protection Profile-based evaluations.
We are now seeing it again, as the EU, and specifically ENISA, have created the EUCC.
How is EUCC Affecting CC?
This shift to the EUCC will impact all vendors seeking evaluation in Europe. Since February 27, 2025, certifications within the EU must use the EUCC framework; the EU national schemes no longer accept new evaluations under their former national Common Criteria schemes.
The EUCC still uses the Common Criteria standard as the basis for evaluation but places more emphasis on vulnerability assessment. Although EAL packages still appear on the certificate, the EU assurance level is determined by the AVA_VAN (vulnerability analysis) component that is sought: an evaluation at AVA_VAN.1 or AVA_VAN.2 (roughly the former EAL 2 or EAL 3) yields assurance level Substantial, while AVA_VAN.3 and above (roughly EAL 4 and higher) yields assurance level High. Additionally, an assurance component for patch management (AVA_PAM) covers how a certified product is patched after certification. Protection Profiles are still used, and the scheme currently defines only two technical domains with their own state-of-the-art requirements: smart cards and similar devices, and hardware devices with security boxes. We anticipate more being created over time.
This move to focus on vulnerabilities goes deeper than the certification itself. In the past, if your product achieved certification, it was valid until the expiration date. Some schemes stated they could withdraw a certificate because of vulnerabilities, but this was rarely, if ever, done. Under the EUCC, certificate holders must monitor, handle, and report vulnerabilities affecting their certified products, and certification bodies oversee that this happens and can suspend or withdraw a certificate. Managing vulnerabilities, patches, and certification therefore becomes a continual effort, not a once-every-few-years problem. This vulnerability review also appears to apply to products that are already certified. Vendors should have a vulnerability-handling and disclosure plan in place before a CVE against their product is published.
Schemes and labs are still learning the nuances of the EUCC. Conformity assessment bodies must be accredited and, for evaluations at level High, authorised by the national cybersecurity certification authority before they can process and issue certificates. National schemes, which were previously the highest authority on the standard, must now conform with EU requirements.
The scheme does include more flexibility. Labs can now work with multiple certification bodies within the EUCC and are not tied to one national scheme. Accredited certification bodies may issue Substantial certificates without national authority review. All certifications at level High (previously EAL 4 or higher) must involve the national cybersecurity certification authority.
What’s Next?
The Common Criteria members have all stated that mutual recognition is the goal. We anticipate a bumpy ride while the EU implements this new scheme and other national schemes work with the EU to move towards mutual recognition.
For now, it appears that selling within the EU will require conformance to the EUCC, while selling in the U.S. will strongly favor evaluation against a NIAP-approved Protection Profile.
The good news is that Corsec can help vendors with either EUCC or CC evaluations. Finding the right path to meet all of your customers' needs will be a challenge that Corsec is happy to help solve.
###
About Corsec Security, Inc.
For two decades Corsec has assisted companies through the IT security certification process for FIPS 140-2 / FIPS 140-3, Common Criteria (CC), CSfC, and the DoD's APL. We are a privately owned company focused on partnering with organizations worldwide to assist with the process of security certifications and validations. Our certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has set the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations.
Connect With Us:
Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe
Press Contact:
Jake Nelson
Corsec Director of Marketing
jnelson@corsec.com