EUCC - A New Cybersecurity Scheme for the Certification of ICT Products in Europe

The European Union Cybersecurity Certification (EUCC) is a new scheme for certifying information and computer technology products in Europe; it is an update from the previous existing SOG-IS MRA.

EUCC is a Common Criteria-based certification scheme that uses the internationally acclaimed, proven methods used in Common Criteria with additional concepts to provide a modern and flexible solution to stakeholders such as patch management for certified products.

Common Criteria

Common Criteria (CC) refers to an international set of standards and guidelines used in evaluating security products and systems. Common Criteria was initially developed to ensure technology products met specific security standards and government regulations. Assurances are separated by metrics concerning overall effectiveness and correctness.

Common Criteria helps ensure higher product standards while also protecting against pressing cybersecurity concerns, including data breaches, information leaks, and privacy concerns.  

Once technology products are inspected by experts and have been sufficiently assessed, they receive a recognized Common Criteria Certification.  

Understanding the core concepts and rationale behind Common Criteria is crucial for understanding internationally uniform cybersecurity protocols and interpreting the new EUCC scheme.

EUCC

The EUCC scheme draws from the same central components of Common Criteria, applying them to technology products within the European Union. EUCC adds additional requirements on top of existing Common Criteria and  Cybersecurity Evaluation Methodology (CEM) practices.

New requirements to cybersecurity certifications include additional monitoring and handling of compliances, more transparent and publicly available vulnerability information, and offering increased support to consumers such as patch management for certified products.

Implementation
Implementation of the EUCC scheme began at the end of 2020. Certification schemes under SOGIS-MRA can  EUCC is scheduled to be fully operational at the beginning of 2022, possibly converting existing assessments and certifications to match the new EUCC scheme.

Application

EUCC is applied to ICT products which:

embeds a meaningful set of security functional requirements as described by Common Criteria Part 2
aims to achieve ‘substantial’ or ‘high’ level of assurance for the CSA covered by EUCC.

Improvements and Comparisons

EUCC represents some improvements over existing schemes.

Pros include an increased emphasis on:

• Additional monitoring
• Compliances
• Transparency
• Publicly available vulnerabilities
• Increased customer support

Some cons to this include:

• Limited recognition & acceptance (only in the EU)
• Slow transition period
• Additional requirements for developers
• Additional effort from developers

EUCC Moving Forward

The new EUCC scheme will change some cybersecurity protocols regarding product certification throughout Europe, but still draws on many of the same core concepts as the Common Criteria. It marks a departure from the previous SOG-IS MRA.  

For the time being, both methods will be held to a high standard when assessing and evaluating the cybersecurity protocols of ICT products.

The European Commission has initiated a public consultation between 3rd October to 31. October 2023. on the draft implementing regulation that establishes the European Common Criteria-based cybersecurity certification scheme (EUCC) for information and communication technologies (ICT) products. The received feedback and the draft of the Commission Implementing Regulation is available on the European Commission's website. The final regulation is expected in Q4 2023 and is planned to become applicable 12 months after it enters into force. Once applicable, national cybersecurity certification schemes and related procedures covered by the EUCC will cease to have effect, specifically, those applying evaluation standards covered by the Common Criteria.