The European Common Criteria-based cybersecurity certification scheme (EUCC) is established by Commission Implementing Regulation (EU) 2024/482, adopted under Regulation (EU) 2019/881, commonly known as the Cybersecurity Act (CSA).
The EUCC is the first scheme adopted under the CSA. Other schemes are still being developed, in particular the EU5G and the EUCS, with more to come.
The EUCC scheme sets the rules, obligations and structure for certifying information and communication technology (ICT) products. The scheme leverages established international standards, notably the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) and the Common Evaluation Methodology (ISO/IEC 18045), and mandates third-party conformity assessments by accredited IT security evaluation facilities (ITSEFs).
Certificates will be valid for a maximum of five years unless this period is extended with the authorisation of an NCCA (National Cybersecurity Certification Authority).
The EUCC uses the Common Criteria vulnerability assessment family (AVA_VAN), components 1 to 5. The AVA_VAN component selected for the evaluation determines the CSA assurance level, Substantial or High, as follows:
Beyond the practices of the existing national Common Criteria schemes, the EUCC introduces some significant aspects that need to be considered:
Patch management:
Patch management is the mechanism for the systematic installation of updates (patches) in ICT products. Its primary goal is to keep systems and applications up to date and protected against known security threats and vulnerabilities, in line with the assurance continuity principle.
Patch management can be included in the scope of the evaluation and is then evaluated as part of it. A patch management mechanism in scope allows the developer to push security updates to the certified product while the issued certificate remains valid.
Cybersecurity experts from jtsec (an Applus+ Laboratories company) collaborated on a thorough model for integrating patch management into Common Criteria. Please refer to the latest version of the ISO SC27 WG3 Technical Report "Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045".
Vulnerability handling process:
Under the EUCC framework, holders of EUCC certificates are required to establish and implement vulnerability management and disclosure processes that ensure security throughout the entire lifecycle of the certified product. This includes the developer defining processes for vulnerability management and disclosure and communicating the outcomes effectively to the relevant stakeholders. Market surveillance and active monitoring will be conducted to identify any products on the market with vulnerabilities that could affect the validity of the certificate.
It is strongly recommended to follow the EUCC Guidelines on Vulnerability Management and Disclosure to ensure compliance with these requirements.
Information for certification:
Applicants shall prepare and publicly provide:
State-of-the-art documents
The state-of-the-art documents for EUCC compliance are published by ENISA and in Annexes I, II and III of the EUCC Implementing Regulation. Some of them are carried over from the Common Criteria scheme. Stay tuned!
The EUCC scheme and the Cyber Resilience Act (CRA) work in tandem to demonstrate compliance; however, achieving complete adherence to the CRA requires further actions beyond the EUCC. Applus+ Laboratories worked with ENISA on an analysis of the gaps between the EUCC and the CRA and how to bridge them. See the complete publication, Cyber Resilience Act implementation via EUCC and its applicable technical elements.
Applus+ Laboratories is:
To get started with your EUCC certification, or for more information on the EUCC scheme, its relationship with the existing Common Criteria and the Cyber Resilience Act, and the upcoming steps related to the different cybersecurity regulations being implemented by the EU, please feel free to contact us.
Additional Resources on the EUCC Scheme: