The Digitalist Team
February 12, 2026

Understanding EUCC Assurance Levels: What “Substantial” and “High” Really Mean for ICT Security

5 min reading time

The Shift to Risk-Based Certification

Under the traditional Common Criteria framework, certification was often treated as a linear ladder. EAL5 was "better" than EAL4.

The EUCC changes the focus. It aligns directly with the EU Cybersecurity Act (CSA), classifying products based on the risk associated with their intended use.

This means your certification strategy must now start with a risk profile, not just a target number.

  • Substantial: Designed for products where security incidents could cause moderate damage or disruption.
  • High: Reserved for critical products where a breach could have catastrophic consequences, requiring resistance to state-of-the-art attacks.

Crucially, achieving these levels grants you a "presumption of conformity" with upcoming regulations. As we explored in Cyber Resilience Act & EUCC Explained: Key Differences, Overlaps and Compliance Pathways, this alignment is key for long-term market access under the Cyber Resilience Act (CRA).

Decoding "Substantial" Assurance (EAL1 - EAL3)

If your product targets general commercial use, "Substantial" is likely your new baseline.

This category maps to Evaluation Assurance Levels EAL1 through EAL3. But the EAL number is only half the story. The real driver here is AVA_VAN (Vulnerability Analysis).

For Substantial assurance, you must meet AVA_VAN.1 or AVA_VAN.2.

What this means for your engineering team:

  • Focus: You must prove the absence of publicly known vulnerabilities.
  • Attack Potential: The evaluation tests if your product can withstand attackers with limited skills and resources.
  • Testing Depth: The lab performs a vulnerability survey and basic independent testing. They are not trying to break your device with military-grade exploits.

This level effectively filters out "low-hanging fruit" vulnerabilities. It proves your door is locked, but it doesn't guarantee the lock is pick-proof against a professional thief.

Your assurance level dictates the intensity of the vulnerability analysis you will face. Source: Freepik

Decoding "High" Assurance (EAL4 - EAL7)

This is where the game changes.

"High" assurance is not just "Substantial Plus." It requires a fundamentally more rigorous approach to both design and testing.

This category maps to EAL4 through EAL7. The critical difference lies in the vulnerability analysis, which must reach AVA_VAN.3, AVA_VAN.4, or AVA_VAN.5.

The "High" Assurance Reality Check:

  • Adversary Profile: You are now defending against attackers with significant (Moderate) to expert (High) skills and resources.
  • Penetration Testing: The lab will perform advanced penetration testing. They will attempt to break your security using bespoke tools and complex attack vectors.
  • White-Box Access: For levels like EAL5 (AVA_VAN.5), you often must provide full source code and hardware logic transparency to the evaluators.

If you are building smartcards, hardware security modules (HSMs), or critical network components, "High" is not optional. It is the entry ticket. This mirrors the strict requirements seen in the digital identity sector, as discussed in EUCC Behind eIDAS 2.0, where devices like Qualified Signature Creation Devices (QSCDs) mandate high-assurance evaluations to guarantee legal validity.

The New "Hidden" Requirement: Lifecycle & Patching

There is a trap in the EUCC that many manufacturers miss.

In the old world, you certified a product version and walked away. Under EUCC, particularly for Substantial and High levels, you must demonstrate continuous vulnerability management.

You cannot just pass the test once. You must have a process to:

  1. Monitor for new vulnerabilities continuously.
  2. Patch issues within the strict timeframes the scheme sets (critical issues in particular must be analysed and addressed under tight deadlines).
  3. Disclose vulnerabilities to users responsibly.

If you fail to maintain this lifecycle security, your certificate can be revoked. The "fire and forget" era of certification is over.

Checklist: Which Level Do You Need?

Choosing between Substantial and High defines your budget and timeline. Use this quick check:

  • Risk Profile: Is your product a target for state-sponsored actors or organized crime? (Go High).
  • Market Requirement: Does your customer (e.g., government, critical infrastructure) mandate resistance to "state-of-the-art" attacks? (Go High).
  • Technical Domain: Is your product a secure element, smartcard, or payment terminal? (Go High).
  • Hidden Safety Risks: Does your product have AI components that trigger safety regulations? See The Hidden Risks of AI Toys: Navigating the Regulatory Gap to check if you are inadvertently in a high-risk category.
  • General Use: Is it a standard commercial IoT device or enterprise software? (Substantial is likely sufficient).

How CCLab Navigates the EUCC Maze

Misinterpreting these levels is expensive. We see developers aim for EAL5 when EAL4+ is sufficient, or target "Substantial" without realizing their specialized device requires "High" level domain testing.

CCLab acts as your navigator through this transition.

  • Scope Definition: We help you map your product features to the correct EUCC category and EAL level, ensuring you don't over-spend or under-deliver.
  • Gap Analysis: We assess your current vulnerability management processes against the new EUCC lifecycle rules.
  • Accredited Evaluation: As an accredited lab for both OCSI and TrustCB, we conduct the official testing required for both Substantial and High assurance.

We ensure your documentation isn't just a paperwork exercise but a valid proof of security that stands up to EU scrutiny.

Expert guidance prevents costly scoping errors. Source: Freepik

Summary

The transition to EUCC is not just a regulatory update. It is a market reset.

"Substantial" proves you have covered the basics against common threats. "High" proves you are ready for the frontline of cyber warfare.

Understanding the difference, and specifically the AVA_VAN requirements, is the only way to build a certification strategy that works.

The takeaway: Do not guess your assurance level. Align your EAL and vulnerability analysis strategy with your market's risk profile today to secure your place in the European market tomorrow.

Need a visual overview? Download our EUCC Study 2026 for the most up-to-date information on the new scheme.
