EU: Updates on ICT product series certification

 

The EU Commission has published a new draft act on cybersecurity certification of ICT products based on the Common Criteria standards.

The name of the act is Draft Commission Implementing Regulation amending Implementing Regulation (EU) 2024/482 as regards definitions, ICT product series certification, assurance continuity and state-of-the-art documents.

The amended Implementing Regulation focuses on the cybersecurity certification of ICT products under the EU’s Common Criteria-based scheme (EUCC). These certifications apply to a wide range of ICT products, including integrated circuits, smart cards, cryptographic components, microcontrollers, dedicated software, network equipment (such as routers, switches, and access points), and devices used for digital signatures (e.g. cryptographic modules, hardware security modules, and secure servers).

The EUCC scheme relies on state-of-the-art (SOTA) documents that provide essential guidance for its implementation. The amendment updates Annex I of the Implementing Regulation by introducing five revised SOTA documents. These updated documents cover:

• Minimum site security requirements
• Application of attack potential methodology to smartcards
• Application of attack potential methodology to hardware devices with security boxes
• Application of Common Criteria to integrated circuits
• Evaluation of composite products, particularly smartcards and similar devices

In addition to the updates, five new SOTA documents will be added to Annex I. These address:

• Evaluation and certification of composite products
• Reuse of site audit results in evaluations
• Clarifications on the interpretation of specific Protection Profiles, such as those for qualified electronic signature creation devices

The amendment also introduces targeted changes to the core provisions of the EUCC and its annexes. These include updated definitions for what constitutes a major or minor change to a certified product, as well as minor corrections to the regulatory text.

The five documents in question are:

• EUCC Scheme draft state-of-the-art document “Application of attack potential to hardware devices with security boxes “, version 2, February 2025. Available here: https://certification.enisa.europa.eu/publications/application-attack-potential-hardware-devices-security-boxes_en
• EUCC Scheme draft state-of-the-art document “Application of attack potential to smartcards and similar devices”, version 2, February 2025. Available here: https://certification.enisa.europa.eu/publications/application-attack-potential-smartcards_en
• EUCC Scheme draft state-of-the-art document “Application of CC to integrated circuits”, version 2, December 2024. Available here: https://certification.enisa.europa.eu/publications/application-common-criteria-integrated-circuits_en
• EUCC Scheme draft state-of-the-art document “Composite product evaluation for Smart Cards and similar devices for CC 3.2”, version 2, December 2024. Available here: https://certification.enisa.europa.eu/publications/composite-product-evaluation-smart-cards-and-similar-devices-cc31_en
• EUCC Scheme draft state-of-the-art document “Composite product evaluation and certification for CC:2022”, version 1, February 2025. Available here: https://certification.enisa.europa.eu/publications/composite-product-evaluation-and-certification-cc2022_en
• EUCC Scheme draft state-of-the-art document “Digital Tachograph Motion Sensor Protection Profile clarifications”, version 1, February 2025. Available here: https://certification.enisa.europa.eu/publications/digital-tachograph-motion-sensor-pp-clarifications_en

To find out more about product compliance in EU, do not hesitate to contact the Product Compliance Institute.