EU: European Common Criteria-based cybersecurity certification scheme (EUCC)
The European Union has released a draft Commission Implementing Regulation that outlines the rules for applying Regulation (EU) 2019/881 from the European Parliament and the Council. This regulation pertains to the establishment of the European Common Criteria-based cybersecurity certification scheme (EUCC).
This draft Commission Implementing Regulation introduces the EU Common Criteria-based certification scheme (EUCC) as the first scheme within the certification framework established by the Cybersecurity Act (CSA).
The overarching goal of the European cybersecurity certification framework is to enhance the reliability of ICT products, ICT services, and ICT processes by utilizing European cybersecurity certification schemes. Certification serves as evidence that the cybersecurity requirements of the scheme have been satisfied. Additionally, the framework seeks to prevent redundancy in cybersecurity certification schemes among Member States, reduce expenses for businesses operating within the digital single market, and provide customers with clear, comparable assurance through certificates that include marks and labels.
The draft certification scheme primarily addresses specialized IT and ICT equipment, including integrated circuits, smart cards, and related items (such as cryptographic components, microcontrollers, dedicated software), network devices and systems (like routers, switches, access points), and products for digital signatures (such as cryptographic modules, hardware security modules, secure servers). The draft certification scheme is not intended for general-purpose or consumer products.
By offering scalable assurance regarding cybersecurity measures, even against the most advanced cyberattacks, the EUCC scheme will enhance trust within the digital single market. EUCC certification offers a cohesive and uniform overview of cybersecurity attributes throughout the value chain, allowing customers to make informed choices. In EUCC certification, cybersecurity claims for an ICT product extend throughout its lifecycle. EUCC certification enhances the likelihood of identifying and eliminating unwarranted risks, such as unauthorized data breaches, thereby discouraging the introduction of insecure products to the market.
The EUCC is built upon two standards, which are publicly available on the ISO website: the Common Criteria for Information Technology Security Evaluation (EN ISO/IEC 15408) and the Common Methodology for Information Technology Security Evaluation (EN ISO/IEC 18045).
The legal basis for this implementing regulation is Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification, repealing Regulation (EU) No 526/2013 (Cybersecurity Act). The proposed date of adoption is the 4th quarter of 2023.
To find out more about cybersecurity in the EU, please contact the Product Compliance Institute directly.