EU: Updates of the cybersecurity certification of ICT products

The EU has published a Draft Commission Implementing Regulation amending Implementing Regulation (EU) 2024/482 as regards applicable international standards and correcting that Implementing Regulation.

In the EU Common Criteria-based cybersecurity certification scheme (EUCC), the state-of-the-art documents contain information that is relevant for its implementation. The amending implementing regulation will introduce into the EUCC one updated and one new state-of-the-art document, related respectively to the accreditation of Information Technology Security Evaluation Facilities (ITSEFs) and the accreditation of certification bodies (CBs). Furthermore, the amendment includes a clarification of the applicable version of the Common Criteria standards and defines transition rules between the former and the latest version. Lastly, the amendment also introduces some corrections to the text to clarify the interpretation of certain articles.

The implementing regulation covers cybersecurity certification of ICT products based on the Common Criteria standards. Today, ICT products that undergo Common Criteria certification typically include integrated circuits, smart cards and related products (cryptographic elements, microcontrollers, dedicated software), network devices and systems (routers, switches, access points) and products for digital signatures (cryptographic modules, hardware security modules, secure servers).

Commission Implementing Regulation (EU) 2024/482 outlines the roles, responsibilities, and structure of the European Common Criteria-based cybersecurity certification scheme (EUCC) in line with the European cybersecurity certification framework established under Regulation (EU) 2019/881. This regulation is grounded in internationally recognized standards, specifically the Common Criteria and the Common Evaluation Methodology, managed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). While the regulation references ISO/IEC standards, it does not specify the exact version applicable to certificates issued under the EUCC, making it necessary to define the appropriate version. Governmental organizations that contributed to the development of these standards through the Common Criteria Recognition Arrangement (CCRA) share copyright ownership with ISO/IEC and retain the right to use their own version. Given the significance of the CCRA's role, these standards should serve as a foundation for certification under the EUCC during a transition period.

As the international standards related to the Common Criteria may undergo updates, transition rules must be defined to allow vendors, Information Technology Security Evaluation Facilities (ITSEFs), certification bodies, and other stakeholders sufficient time to adjust. These transition rules should align with global practices, such as those set by the CCRA. Moreover, the Common Criteria and the Common Evaluation Methodology, along with their errata, are subject to interpretations by the CCRA, which help facilitate their implementation and may be taken into account by ITSEFs and certification bodies.

Implementing Regulation (EU) 2024/482 does not indicate until when ICT product certifications may continue to use previous versions of the Common Criteria and the Common Evaluation Methodology. Annexes I-III to this regulation reference older versions of ISO/IEC 15408 and ISO/IEC 18045, so the amendment clarifies the conditions under which these older versions may still apply and how the transition to the latest international standards will proceed. During this transition, stakeholders should prioritize updating the relevant technical domains and protection profiles.

For calculating the deadlines mentioned in Article 1(5) of this regulation, the "date of issuance of the initial certificate" should be interpreted as the issuance date of the most recent certificate for an ICT product or protection profile. Additionally, Annex I to this regulation lists the state-of-the-art documents for evaluating ICT products and protection profiles. It should be updated to include the new and revised documents endorsed by the European Cybersecurity Certification Group (ECCG), ensuring a consistent accreditation process for conformity assessment bodies under the EUCC.

Accreditation requirements for ITSEFs must be revised to clarify the criteria for independence and impartiality, and a new state-of-the-art document should be established for the accreditation of certification bodies (CBs). Transition periods should also be set for vendors, ITSEFs, and certification or accreditation bodies to adjust to any new or updated state-of-the-art documents.

Finally, further corrections to Articles 8, 16, 29, and 44 of Implementing Regulation (EU) 2024/482 are made to ensure uniform wording and clearer legal interpretation. Additionally, rules for notifying conformity assessment bodies should be standardized across all schemes under the cybersecurity certification framework.

Other relevant documents for the topic are:

  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) 526/2013 (Cybersecurity Act)
  • Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC)
  • EUCC Scheme draft state-of-the-art document “Accreditation of ITSEFs for the EUCC Scheme”, version 1.6b, June 2024.
  • EUCC Scheme draft state-of-the-art document “Accreditation of CBs for the EUCC Scheme”, version 1.6, June 2024.

To find out more about the new cybersecurity requirements for products in the EU, please contact the Product Compliance Institute directly.

Atrium Centrum, Al. Jana Pawła II 27, 00-867 Warsaw
Kunstlaan / Avenue des Arts 56, Brussels
+48 575 570 017

Copyright © Product Compliance Institute 2025