2
min reading time
The European Union Cybersecurity Certification (EUCC) is a new scheme for certifying information and computer technology products in Europe; it is an update from the previous existing SOG-IS MRA.
EUCC is a Common Criteria-based certification scheme that uses the internationally acclaimed, proven methods used in Common Criteria with additional concepts to provide a modern and flexible solution to stakeholders such as patch management for certified products.
Common Criteria (CC) refers to an international set of standards and guidelines used in evaluating security products and systems. Common Criteria was initially developed to ensure technology products met specific security standards and government regulations. Assurances are separated by metrics concerning overall effectiveness and correctness.
Common Criteria helps ensure higher product standards while also protecting against pressing cybersecurity concerns, including data breaches, information leaks, and privacy concerns.
Once technology products are inspected by experts and have been sufficiently assessed, they receive a recognized Common Criteria Certification.
Understanding the core concepts and rationale behind Common Criteria is crucial for understanding internationally uniform cybersecurity protocols and interpreting the new EUCC scheme.
The EUCC scheme draws from the same central components of Common Criteria, applying them to technology products within the European Union. EUCC adds additional requirements on top of existing Common Criteria and Cybersecurity Evaluation Methodology (CEM) practices.
New requirements to cybersecurity certifications include additional monitoring and handling of compliances, more transparent and publicly available vulnerability information, and offering increased support to consumers such as patch management for certified products.
Implementation
Implementation of the EUCC scheme began at the end of 2020. Certification schemes under SOGIS-MRA can EUCC is scheduled to be fully operational at the beginning of 2022, possibly converting existing assessments and certifications to match the new EUCC scheme.
Application
EUCC is applied to ICT products which:
embeds a meaningful set of security functional requirements as described by Common Criteria Part 2
aims to achieve ‘substantial’ or ‘high’ level of assurance for the CSA covered by EUCC.
Improvements and Comparisons
EUCC represents some improvements over existing schemes.
Pros include an increased emphasis on:
Some cons to this include:
EUCC Moving Forward
The new EUCC scheme will change some cybersecurity protocols regarding product certification throughout Europe, but still draws on many of the same core concepts as the Common Criteria. It marks a departure from the previous SOG-IS MRA.
For the time being, both methods will be held to a high standard when assessing and evaluating the cybersecurity protocols of ICT products. The value and implications for vendors and consumers will be clear once the rollout is completed by the end of 2022.
Our new article will provide you with valuable information if you are considering getting your IT security product or technology CC Certified, or if you are interested to know more about the Common Criteria evaluation process.
6
min reading time
In parallel with the explosive development of digitalization and online work, worrisome statistics regarding cyberattacks are expanding yearly. The outbreak of the pandemic in 2020 significantly increased the wireless security risk and contributed even more to the success of cybercriminals, as many companies had to switch to the home office or hybrid work model almost overnight without any preparation.
6
min reading time