Cybersecurity certification schemes | Traficom

On this page, you can find information on European cybersecurity certification schemes that have been completed or are being prepared.

What does a cybersecurity certification scheme mean?

A cybersecurity certification scheme sets out the detailed requirements and operating procedures that the different parties must follow when a cybersecurity certificate is applied for, granted, maintained and monitored. A scheme typically includes references to the standards applied in conformity assessment or to other applicable cybersecurity requirements, the rules and mechanisms for conformity assessment, the assurance levels permitted by the scheme and the evaluation methods used for each of them, any additional requirements for conformity assessment bodies, and rules on the validity of the certificate.

The European Union Agency for Cybersecurity (ENISA) starts preparing a certification scheme for a given scope of application when the Commission requests it. The scheme and its supporting documents are drafted with the help of various working groups and with the comments received from stakeholders.

You can find further information on the certification scheme development process and how to influence the development of certification schemes on ENISA’s website.

The EU Cybersecurity Certification Schemes

EUCC (European Cybersecurity Certification Scheme on Common Criteria) is a certification scheme for ICT products that is based on the Common Criteria for Information Technology Security Evaluation (CC) and the Common Methodology for Information Technology Security Evaluation (CEM), which have also been published as the standards ISO/IEC 15408 and ISO/IEC 18045 respectively.

EUCC allows products to be certified at the assurance levels 'substantial' and 'high'. Both levels always require an evaluation by a third party: an ITSEF (a testing laboratory) evaluates the product, and if all requirements for the certificate are met, the certification body grants the cybersecurity certificate in accordance with EUCC.

A product is evaluated against its Security Target (ST). Among other things, the ST describes the security functionality and security requirements of the Target of Evaluation (TOE) and defines the precise scope of the evaluation; anything outside that scope is not covered by the certificate.

Components 1 to 5 of the Common Criteria vulnerability assessment family (AVA_VAN) are used in EUCC certification. Each component sets the attack potential that the evaluator's vulnerability analysis and penetration testing must show the product to resist: the components AVA_VAN.1 and AVA_VAN.2 map to certification at the assurance level 'substantial', and AVA_VAN.3 to AVA_VAN.5 map to certification at the assurance level 'high'.

The EUCC implementing regulation and the related state-of-the-art documents contain more detailed instructions and requirements for the different parties. For example, the scheme specifies the contents of the certification report and the certificate, how a certified product is labelled, and the requirements for vulnerability management and disclosure that the holder of a certificate must meet during the certificate's validity.

In addition to products, EUCC also enables the certification of Protection Profiles (PP). 

The implementing regulation for the EUCC certification scheme was published in the Official Journal of the European Union in February 2024, and it can be found via the link below. 

EUCC - Implementing Regulation (EU) 2024/482

EUCC's state-of-the-art documents

EUCS (European Union Cybersecurity Certification Scheme on Cloud Services) is a certification scheme designed for cloud services. EUCS is still being prepared, so its final contents are not yet known.

According to the draft released for consultation at the end of 2020, the EUCS scheme would apply to all kinds of cloud services (IaaS, PaaS, SaaS and other cloud services) and would allow certification at three assurance levels: basic, substantial and high. The final contents will only be known once the scheme has been completed, and the features mentioned here may differ from the final version.

EU5G is a certification scheme intended for 5G networks. EU5G is at the preparation stage.

EUDIW is a certification scheme for the European Digital Identity Wallet under the eIDAS Regulation. EUDIW is in the preparation phase.

EUMSS is a certification scheme for managed security services. It is planned to consist of a horizontal layer covering the minimum requirements for all managed security services and vertical layers that define the specific technical requirements for different types of managed security service. The first vertical will focus on incident management. EUMSS is currently under preparation.
