The Digitalist Team
January 31, 2024

EUCC: A New Cybersecurity Scheme for Evaluating and Certifying Products in Europe

8 min reading time

In January 2024, the EUCC drafted by the European Union Agency for Cybersecurity (ENISA) was adopted as the first scheme within the EU cybersecurity certification framework. The scheme is anticipated to set a precedent for upcoming developments. Despite being an integral part of EU law, the implementing act for the cybersecurity certification framework is voluntary. Over time, the new scheme is poised to supersede the national certification schemes previously governed by the SOG-IS agreement.

The goal is to establish a comprehensive and unified framework that enhances cybersecurity standards. Source: Freepik

1. Understanding EUCC

The European Union Cybersecurity Certification, drafted by ENISA (European Union Agency for Cybersecurity), is a monumental leap forward in certifying Information and Communication Technology (ICT) products within the European landscape and at the EU level. 

Conceived under the Cybersecurity Act, enacted in 2019, this groundbreaking scheme is designed to revolutionize the cybersecurity certification process for a wide spectrum of ICT products, covering hardware, software, and services. The overarching goal is to establish a comprehensive and unified framework that enhances cybersecurity standards, creates a safer digital environment for consumers, and fosters smoother trade across the European Union.

Under the new scheme, self-assessment is explicitly prohibited. Only third-party conformity assessments by ITSEFs (Information Technology Security Evaluation Facilities), in other words testing laboratories, and by certification bodies are allowed. To achieve this, a robust framework is introduced based on the time-proven Common Criteria framework already used by the majority of the EU Member States. The scheme features seven Evaluation Assurance Levels (EALs) that align with established international standards.

It is built upon a thorough catalog of security functional and security assurance requirements outlined in the Common Criteria for ICT Security Evaluation, as detailed in ISO standard EN ISO/IEC 15408. Additionally, it adheres to the Common Methodology for ICT Evaluation, as specified in ISO standard EN ISO/IEC 18045.

The Cybersecurity Act

The genesis of the EUCC lies in the Cybersecurity Act, a legislative milestone that laid the groundwork for a harmonized certification process. This framework encompasses ICT products, services, and processes integral to the cybersecurity landscape. 

As the first scheme developed by ENISA under the Cybersecurity Act certification framework, the scheme sets the stage for a standardized and efficient approach to certifying the ever-expanding array of digital products and services.

The absence of a consistent and unified certification scheme created challenges for manufacturers and consumers. Source: Freepik

Addressing Cybersecurity Challenges

The impetus behind the creation of the EUCC was the recognition of escalating cybersecurity threats and the inadequacies of a fragmented certification landscape within the EU. 

Before the introduction of the European Union Cybersecurity Certification, various European countries operated with their own Common Criteria evaluation certification schemes under SOG-IS. Following these schemes, several challenges have emerged over the last few years that have given rise to the EUCC.

Transformative Impact

With the advent of the new scheme, a transformative shift occurs. The scheme introduces a single, coherent certification framework that spans the entirety of the European Union. 

This harmonization promises that cybersecurity standards, testing methods, and certification schemes are consistent and equivalent throughout the EU.  By streamlining trade, the European Union Cybersecurity Certification reduces the complexities manufacturers face and ensures that consumers are presented with products that adhere to rigorous safety standards.

Significance of Harmonization

The significance of this harmonization cannot be overstated. It addresses the inefficiencies of the previous disjointed approach and sets a precedent for a more secure and interconnected digital landscape. The new scheme becomes a cornerstone in fortifying the European Union against the ever-evolving and increasingly sophisticated cybersecurity threats.

Beyond a mere certification, the scheme establishes a distinct mark and label for certified ICT products, emphasizing their trustworthiness. This strategic approach empowers users, enabling them to make well-informed choices based on the product's certification status.

Notably, the EUCC certificate, serving as a testament to the product's reliability, is issued with a maximum validity of five years. Nevertheless, the extension is flexible and subject to national cybersecurity certification authority approval.

The new scheme stands on the foundation of Common Criteria. Source: Freepik

2. Comparison between EUCC and Common Criteria

The scheme stands on the sturdy foundation of Common Criteria, absorbing its fundamental principles and methodologies.

It is crucial to recognize that while the scheme draws inspiration from the Common Criteria, it transcends being a mere replication. Instead, it represents a strategic evolution that addresses the nuanced needs and challenges of cybersecurity within the European Union.

Monitoring Non-Conformity and Non-Compliance

One of the distinctive features introduced by the European Union Cybersecurity Certification is its vigilant approach to monitoring non-conformity and non-compliance. In contrast to traditional certification schemes that conclude their assessment upon approval, the EUCC maintains an active stance post-certification.

This means that the scheme incorporates mechanisms to ensure that certified products continue to align with the certification requirements even after approval has been granted. The scheme's commitment to ongoing scrutiny sets it apart from conventional approaches, fostering a dynamic and sustained level of cybersecurity in the ever-changing digital landscape. This proactive stance ensures that certified products uphold their cybersecurity integrity beyond the initial certification, contributing to a more resilient digital environment.

Dynamic Adaptability through Vulnerability Management

In response to the ever-evolving threat landscape, the EUCC takes a proactive step by introducing vulnerability management policies. This strategic addition enhances the scheme's ability to adapt swiftly to emerging threats and vulnerabilities.

The EUCC positions itself as a dynamic and responsive certification framework by integrating forward-looking practices. In the dynamic realm of cybersecurity, where new threats can emerge rapidly, the EUCC's emphasis on vulnerability management ensures that the certified product remains secure and that the product's compliance is not just a snapshot.

This focus on dynamic adaptability is essential for addressing the continuously changing nature of cyber threats, setting the scheme apart as a certification scheme that prioritizes ongoing security.

Integration of Proven Practices: SOG-IS Certification Arrangement

The evolution of the EUCC extends further by integrating proven practices from the Senior Officials Group Information Systems (SOG-IS) certification arrangement. This multilateral agreement among European countries fosters the mutual recognition of IT security certificates. By incorporating these established practices, the scheme goes beyond internal innovation, building upon existing frameworks. 

This integration promotes interoperability and cooperation among European nations in cybersecurity certification. Leveraging the wealth of experience embedded in the SOG-IS certification arrangement, the EUCC establishes itself as a certification scheme that not only evolves with the times but also draws strength from collaborative and proven practices. 

This integration is a testament to the EUCC's commitment to meet contemporary cybersecurity challenges and align with the collective expertise of European nations in securing digital landscapes.

The scheme's compatibility with these strategic directives underscores its significance and position. Source: Freepik

3. Impact of EUCC

The impact of the EUCC resonates profoundly, particularly in its transformative influence on the certification of security measures for a diverse range of Information and Communication Technology (ICT) products. 

This broad spectrum includes chips, routers, cryptography modules, and software. The EUCC's unified certification scheme stands as a robust assurance mechanism, guaranteeing that these products adhere to a standardized level of cybersecurity. This, in turn, instills confidence in consumers regarding the safety and reliability of the digital products they utilize.

Strengthening Cybersecurity in Critical Infrastructures

The impact of the European Union Cybersecurity Certification extends far beyond the certification of individual ICT products, reaching critical infrastructures such as energy, transport, and healthcare. 

These sectors, vital for the functioning of modern societies, rely heavily on a complex network of ICT products. By mandating that these products undergo certification under the EUCC, the scheme significantly contributes to elevating the overall cybersecurity resilience of these essential infrastructures. 

The strategic alignment of the EUCC with critical sectors is pivotal, fortifying the robustness and resilience of essential systems against potential cyber threats. This broad-reaching impact positions the EUCC as a key player in enhancing the security posture of critical infrastructures that underpin societal functionality.

Strategic Alignment with NIS2 Directive

The scheme's impact is accentuated by its seamless alignment with the Network and Information Systems Security (NIS2) directive, a crucial initiative within the European Union. The NIS2 directive, aimed at enhancing the cybersecurity of network and information systems across the EU, finds a natural ally in the EUCC. 

This alignment ensures that the certification standards set by the EUCC complement and contribute to the overarching objectives of the NIS2 directive. By working in tandem, these initiatives create a comprehensive and harmonized approach to fortifying the digital defenses of the European Union. The synergistic relationship between the EUCC and the NIS2 directive enhances the effectiveness of both, reinforcing the EU's commitment to a secure and resilient digital landscape.

Support for the Planned Cyber Resilience Act

In addition to its alignment with the NIS2 directive, the scheme plays a pivotal role in supporting the implementation of the planned Cyber Resilience Act. This legislative initiative, anticipated to be a cornerstone in enhancing the EU's cyber resilience, finds a compatible partner in the EUCC. 

The scheme's compatibility with these strategic directives underscores its significance and positions it as an integral component in the broader strategy to fortify the digital defenses of the European Union. The scheme’s support for the Cyber Resilience Act creates a unified front in pursuing cybersecurity excellence, emphasizing a cohesive and comprehensive strategy encompassing certification, regulatory alignment, and legislative initiatives.

Summary

The European Common Criteria-based cybersecurity certification scheme marks a pivotal advancement in cybersecurity certification. By building upon the foundation of the Common Criteria, the scheme introduces a unified and robust certification scheme for ICT products in Europe. This encompasses various products, including chips, routers, cryptography modules, and software. The scheme's introduction signifies a significant milestone, promising a safer and more secure digital landscape within Europe.

The scheme's commitment to ongoing scrutiny, integration of vulnerability management policies, and alignment with key directives such as NIS2 and the Cyber Resilience Act positions it as a linchpin in fortifying the European Union against the evolving threat landscape. As the EUCC takes center stage, it gives assurance of a standardized and elevated cybersecurity paradigm, shaping the future of digital safety in Europe.

As an agile cybersecurity lab, CCLab provides assessment and advisory services to organizations planning to get their products certified. Employing agile methodologies in consultation and pre-evaluation phases enables clients to navigate challenges, avoid unexpected expenses, and optimize the certification process.
