
What is EUCC Certification?

The European Union Common Criteria-based cybersecurity certification scheme (EUCC) is the first certification scheme established under the EU Cybersecurity Act and implemented through Commission Implementing Regulation (EU) 2024/482.

EUCC defines a harmonized framework for the cybersecurity evaluation and certification of ICT products intended for the EU internal market, based on internationally recognized Common Criteria standards (ISO/IEC 15408 and ISO/IEC 18045), and requires third‑party conformity assessment.

Applus+ Laboratories brings more than 20 years of experience in Common Criteria and cybersecurity evaluations and can act as:

  • An EUCC ITSEF for Substantial and High assurance levels
  • An EUCC Certification Body (CAB) for the Substantial level

This enables manufacturers to demonstrate a high level of cybersecurity assurance for the EU market and strengthens trust in the security of their products.

EUCC and the Cyber Resilience Act (CRA)

While EUCC is currently defined as a voluntary certification scheme, upcoming regulatory obligations under the Cyber Resilience Act (CRA) may require EUCC or equivalent certification for certain categories of products with digital elements.

In addition, the CRA introduces mandatory post‑market obligations such as vulnerability and incident reporting starting in September 2026, and full application of requirements from December 2027.

EUCC certification can play a key role in supporting CRA compliance when combined with additional regulatory measures. See our dedicated EUCC & CRA article for further details.

Benefits of EUCC Certification

  • Trust and credibility: EUCC certification demonstrates compliance with EU‑level cybersecurity requirements, increasing customer and stakeholder confidence.
  • Regulatory readiness: EUCC supports compliance with current and upcoming EU cybersecurity regulations, including obligations introduced by the Cyber Resilience Act.
  • Market differentiation: Certified products stand out in competitive markets where cybersecurity assurance is increasingly required by customers and authorities.
  • Risk reduction across the product lifecycle: Evaluation and certification help identify and mitigate security risks, protecting both providers and end‑users from potential cyber threats.

Scope of EUCC Certification: Products and Assurance Levels

The EUCC scheme applies to a wide range of ICT products or Protection Profiles intended for the EU internal market. Products are evaluated against Substantial or High assurance levels, as defined under the Cybersecurity Act (CSA), using security requirements derived from Common Criteria.

Typical product categories include:

  • Network devices (firewalls, access points, load balancers, gateways)
  • Operating systems and software applications (including Linux, mobile and embedded software)
  • Hardware security devices (payment terminals, digital tachographs, secure hardware modules)
  • Smart cards and secure elements (eID, machine‑readable travel documents, secure elements, JavaCard / MULTOS platforms)

How to Obtain EUCC Certification

To start an EUCC evaluation process, manufacturers should:

  1. Select the appropriate assurance level (Substantial or High)
  2. Define the Security Target, based on an applicable Protection Profile if available
  3. Prepare the technical documentation required under EUCC Article 7
  4. Establish vulnerability management, disclosure, and patch management procedures
  5. Define remedial actions for non‑conformities
  6. Engage an accredited ITSEF and Certification Body

Applus+ Laboratories supports clients throughout the entire EUCC certification process.

Accreditation and Authorization

Applus+ Laboratories is:

  • An accredited EUCC ITSEF for Substantial (AVA_VAN.1–2) and High (AVA_VAN.3 and above) assurance levels
  • Authorized by the Spanish and Dutch National Cybersecurity Certification Authorities (NCCA)
  • An accredited and notified EUCC Certification Body (CAB) for the Substantial level

Our longstanding experience in Common Criteria and EU cybersecurity certification enables us to deliver reliable, efficient, and future‑proof evaluations.

ENISA and the EUCC Certification Scheme

ENISA (the European Union Agency for Cybersecurity) plays a central role in the EUCC framework by supporting the development, maintenance, and consistent application of EU cybersecurity certification schemes established under the EU Cybersecurity Act.

Within the EUCC scheme, ENISA contributes through technical guidance, state‑of‑the‑art cybersecurity references, and coordination activities, helping ensure a harmonized and robust implementation of EUCC across Member States.

What’s New in EUCC Certification Compared to Common Criteria

EUCC builds upon the established Common Criteria framework, maintaining its core evaluation principles while introducing additional requirements aligned with EU cybersecurity policy and lifecycle security expectations.

Compared to traditional Common Criteria schemes, EUCC places greater emphasis on assurance continuity, vulnerability handling, transparency, and state‑of‑the‑art practices.

Patch Management under EUCC

Under the EUCC scheme, patch management mechanisms may be included within the evaluation scope to support the principle of assurance continuity.

When properly designed and assessed, patch management allows manufacturers to deploy security updates and vulnerability fixes without invalidating the EUCC certificate, provided defined conditions are met.

Vulnerability Handling and Disclosure

EUCC‑certified products must be supported by robust vulnerability management and disclosure processes covering the entire product lifecycle. Manufacturers are expected to:

  • Define and maintain vulnerability handling and disclosure procedures
  • Coordinate responsible disclosure with users and security researchers
  • Communicate relevant security information to stakeholders
  • Support market surveillance activities that may impact certificate validity

Following the EUCC Guidelines on Vulnerability Management and Disclosure is strongly recommended to ensure continued compliance and certificate maintenance.

Public Information Requirements

EUCC certification requires manufacturers to make specific information publicly available, including:

  • Guidance for secure configuration, installation, operation, and maintenance
  • The period during which security support will be provided
  • Manufacturer or provider contact details
  • Procedures for receiving vulnerability reports
  • References to public repositories of disclosed vulnerabilities and security advisories

State of the Art and Technical References

EUCC compliance is assessed against state‑of‑the‑art cybersecurity practices, as defined in:

  • EUCC Implementing Act Annexes
  • ENISA technical guidance
  • Common Criteria‑derived technical documentation

For High assurance levels, additional Technical Domain documents may apply and must be considered during evaluation.

List of Ongoing EUCC Certifications

| File | Developer | Product name | CSA level | Status |
|---|---|---|---|---|
| EUCC-2026-001 | Cisco Systems, Inc. | Cisco Catalyst 9800 Series Wireless Controllers and Access Points 17.18 | Substantial | Ongoing |
| EUCC-2026-002 | Cisco Systems, Inc. | Cisco Aggregation Services Router 1000 Series (ASR1K), Cisco Catalyst 8200, 8300, 8400, 8500 Series Routers (Cat8k) running IOS-XE 17.18 | Substantial | Ongoing |
| EUCC-2026-003 | Cisco Systems, Inc. | Cisco 1000 Series Integrated Services Routers (C1100) running IOS-XE 17.18 | Substantial | Ongoing |
