2
min reading time
The European Union Cybersecurity Certification (EUCC) is a new scheme for certifying information and computer technology products in Europe; it is an update from the previous existing SOG-IS MRA.
EUCC is a Common Criteria-based certification scheme that uses the internationally acclaimed, proven methods used in Common Criteria with additional concepts to provide a modern and flexible solution to stakeholders such as patch management for certified products.
Common Criteria (CC) refers to an international set of standards and guidelines used in evaluating security products and systems. Common Criteria was initially developed to ensure technology products met specific security standards and government regulations. Assurances are separated by metrics concerning overall effectiveness and correctness.
Common Criteria helps ensure higher product standards while also protecting against pressing cybersecurity concerns, including data breaches, information leaks, and privacy concerns.
Once technology products are inspected by experts and have been sufficiently assessed, they receive a recognized Common Criteria Certification.
Understanding the core concepts and rationale behind Common Criteria is crucial for understanding internationally uniform cybersecurity protocols and interpreting the new EUCC scheme.
The EUCC scheme draws from the same central components of Common Criteria, applying them to technology products within the European Union. EUCC adds additional requirements on top of existing Common Criteria and Cybersecurity Evaluation Methodology (CEM) practices.
New requirements to cybersecurity certifications include additional monitoring and handling of compliances, more transparent and publicly available vulnerability information, and offering increased support to consumers such as patch management for certified products.
Implementation
Implementation of the EUCC scheme began at the end of 2020. Certification schemes under SOGIS-MRA can EUCC is scheduled to be fully operational at the beginning of 2022, possibly converting existing assessments and certifications to match the new EUCC scheme.
Application
EUCC is applied to ICT products which:
embeds a meaningful set of security functional requirements as described by Common Criteria Part 2
aims to achieve ‘substantial’ or ‘high’ level of assurance for the CSA covered by EUCC.
Improvements and Comparisons
EUCC represents some improvements over existing schemes.
Pros include an increased emphasis on:
Some cons to this include:
EUCC Moving Forward
The new EUCC scheme will change some cybersecurity protocols regarding product certification throughout Europe, but still draws on many of the same core concepts as the Common Criteria. It marks a departure from the previous SOG-IS MRA.
For the time being, both methods will be held to a high standard when assessing and evaluating the cybersecurity protocols of ICT products.
The European Commission has initiated a public consultation between 3rd October to 31. October 2023. on the draft implementing regulation that establishes the European Common Criteria-based cybersecurity certification scheme (EUCC) for information and communication technologies (ICT) products. The received feedback and the draft of the Commission Implementing Regulation is available on the European Commission's website. The final regulation is expected in Q4 2023 and is planned to become applicable 12 months after it enters into force. Once applicable, national cybersecurity certification schemes and related procedures covered by the EUCC will cease to have effect, specifically, those applying evaluation standards covered by the Common Criteria.
Learn everything you need to know for a successful Common Criteria evaluation project. Save costs and efforts with your checklist.
This downloadable infographics introduces the Common Criteria Evaluation process to you. Explore now for free.
Read and learn more about the Radio Equipment Directive (RED), download our free material now.
In cybersecurity, the Common Criteria (CC) is a cornerstone that provides a standardized framework for evaluating the security capabilities of eligible IT products. It is a vital tool for manufacturers seeking to assess the effectiveness and reliability of security solutions in the face of evolving threats. However, as technology advances at an unprecedented pace, the challenges faced by IT security professionals continue to grow. The new version of the CC (CC:2022 Revision 1) was published in November 2022.
9
min reading time
The Common Criteria certification stands as a cornerstone in cybersecurity, offering an internationally recognized benchmark for assessing the security attributes of eligible IT products. Recently, significant shifts have been noted in the landscape of Common Criteria, particularly in the transition from SOG-IS to EUCC. This transition, anticipated to have a profound impact, highlights the evolution of the certification scheme within the European Union.
7
min reading time
In today's digital landscape, where cybersecurity threats loom large, and trust is paramount, Common Criteria certification emerges as a beacon of assurance. This globally recognized standard sets the bar for IT product security, instilling confidence in customers, stakeholders, and regulatory bodies. Beyond mere validation, it serves as a shield against potential risks, fortifying organizations' defenses and fostering a culture of safety in the digital realm.
9
min reading time