The European Commission formally adopted the European Cybersecurity Certification Scheme, marking the EU's inaugural cyber scheme for certifying Information and Communication Technology (ICT) products. Aligned with the goals of the EU's Cybersecurity Act, the European Cybersecurity Certification Scheme on Common Criteria (EUCC) outlines a set of regulations aimed at ensuring reliability throughout the life cycle of ICT products.
ICT products are those that electronically access, process, store, transfer, or obtain digital information; they range from wireless and smart devices to technological components such as chips, smart cards, hardware, and software.
Common Criteria laboratories, which are ICT security certification facilities, play a crucial role in assessing the security of ICT products using an authorised and standardised methodology. Europe houses half of the global Common Criteria laboratories, issuing over 60% of the 350 Common Criteria certificates awarded annually within the EU, according to the European Union Agency for Cybersecurity (ENISA).
A Commission spokesperson stressed that the primary objective of the EUCC framework is to enhance the cybersecurity standards of ICT products, services, and processes in the EU market. This is achieved by establishing a comprehensive set of rules, technical requirements, standards, and procedures to be uniformly applied across the Union.
The initial phase of EUCC implementation, spanning approximately one year, will concentrate on establishing public and private Conformity Assessment Bodies (CABs). Member states within the EU are granted the opportunity to operate public and private CABs under this scheme.
In a broader context, adopting the scheme opens up opportunities for public procurement across the Union, as certification falls under the Treaty. ENISA is concurrently working on two additional cybersecurity certification schemes, addressing cloud services and 5G security, with feasibility studies underway for projects related to AI cybersecurity certification and a certification strategy for eIDAS.
The EUCC falls under the EU cybersecurity certification framework established by the 2019 Cybersecurity Act. An amendment proposed in April of the previous year expanded the scope to include Managed Security Services within this framework. These services, involved in performing or supporting customer cybersecurity risk management activities, are increasingly crucial in the EU's efforts to prevent and mitigate cybersecurity incidents.
The implementation of EUCC is based on the SOG-IS Common Criteria evaluation framework, which is currently used in 17 EU states. The goal is to harmonise national certification schemes under the SOG-IS agreement, ultimately replacing it. The EUCC aims to introduce a more expedited and efficient certification mechanism, enabling businesses across the EU to compete on national, EU, and global stages.
In addition to harmonising national certification arrangements, the EUCC is designed to complement existing regulations such as the Cyber Resilience Act and the revised Network and Information Security Directive (NIS2). For organisations deemed essential or vital to societal functioning, mandatory certification under schemes like EUCC may be considered.