2
min reading time
The European Union Cybersecurity Certification (EUCC) is a new scheme for certifying information and computer technology products in Europe; it is an update from the previous existing SOG-IS MRA.
EUCC is a Common Criteria-based certification scheme that uses the internationally acclaimed, proven methods used in Common Criteria with additional concepts to provide a modern and flexible solution to stakeholders such as patch management for certified products.
Common Criteria (CC) refers to an international set of standards and guidelines used in evaluating security products and systems. Common Criteria was initially developed to ensure technology products met specific security standards and government regulations. Assurances are separated by metrics concerning overall effectiveness and correctness.
Common Criteria helps ensure higher product standards while also protecting against pressing cybersecurity concerns, including data breaches, information leaks, and privacy concerns.
Once technology products are inspected by experts and have been sufficiently assessed, they receive a recognized Common Criteria Certification.
Understanding the core concepts and rationale behind Common Criteria is crucial for understanding internationally uniform cybersecurity protocols and interpreting the new EUCC scheme.
The EUCC scheme draws from the same central components of Common Criteria, applying them to technology products within the European Union. EUCC adds additional requirements on top of existing Common Criteria and Cybersecurity Evaluation Methodology (CEM) practices.
New requirements to cybersecurity certifications include additional monitoring and handling of compliances, more transparent and publicly available vulnerability information, and offering increased support to consumers such as patch management for certified products.
Implementation
Implementation of the EUCC scheme began at the end of 2020. Certification schemes under SOGIS-MRA can EUCC is scheduled to be fully operational at the beginning of 2022, possibly converting existing assessments and certifications to match the new EUCC scheme.
Application
EUCC is applied to ICT products which:
embeds a meaningful set of security functional requirements as described by Common Criteria Part 2
aims to achieve ‘substantial’ or ‘high’ level of assurance for the CSA covered by EUCC.
Improvements and Comparisons
EUCC represents some improvements over existing schemes.
Pros include an increased emphasis on:
Some cons to this include:
EUCC Moving Forward
The new EUCC scheme will change some cybersecurity protocols regarding product certification throughout Europe, but still draws on many of the same core concepts as the Common Criteria. It marks a departure from the previous SOG-IS MRA.
For the time being, both methods will be held to a high standard when assessing and evaluating the cybersecurity protocols of ICT products.
The European Commission has initiated a public consultation between 3rd October to 31. October 2023. on the draft implementing regulation that establishes the European Common Criteria-based cybersecurity certification scheme (EUCC) for information and communication technologies (ICT) products. The received feedback and the draft of the Commission Implementing Regulation is available on the European Commission's website. The final regulation is expected in Q4 2023 and is planned to become applicable 12 months after it enters into force. Once applicable, national cybersecurity certification schemes and related procedures covered by the EUCC will cease to have effect, specifically, those applying evaluation standards covered by the Common Criteria.
Learn everything you need to know for a successful Common Criteria evaluation project. Save costs and efforts with your checklist.
This downloadable infographics introduces the Common Criteria Evaluation process to you. Explore now for free.
Read and learn more about the Radio Equipment Directive (RED), download our free material now.
In today's digital landscape, where cybersecurity threats loom large, and trust is paramount, Common Criteria certification emerges as a beacon of assurance. This globally recognized standard sets the bar for IT product security, instilling confidence in customers, stakeholders, and regulatory bodies. Beyond mere validation, it serves as a shield against potential risks, fortifying organizations' defenses and fostering a culture of safety in the digital realm.
9
min reading time
In the continually evolving cybersecurity landscape, ensuring the safety and reliability of Information and Communication Technology (ICT) products has become more crucial than ever. The European Common Criteria-based Cybersecurity Certification Scheme (EUCC) is a groundbreaking and indispensable scheme to meet this pressing need. Enacted within the Cybersecurity Act certification framework, the new scheme is a pioneering initiative to establish a unified certification framework for a diverse range of ICT products. This ambitious endeavor heralds a transformative era in cybersecurity practices throughout the European Union.
8
min reading time
In the cybersecurity landscape, the Common Criteria Evaluation Assurance Level (EAL) is a critical factor in determining the security posture of a product. The EAL chosen for a product can significantly impact its security measures, evaluation processes, and user trust. This article delves into the importance of selecting the right EAL and the consequences of misjudgment and provides a step-by-step guide to aid in this crucial decision-making process.
5
min reading time