This Q&A article on EUCC is based on an interview with Javier Tallón (Director at jtsec, an Applus+ company) during the Applus+ Laboratories webinar on the EUCC scheme, held in October 2024. Jose Manuel Pulido (Consulting Manager at jtsec, an Applus+ company) answered the questions related to the CRA. The interview was conducted by Jose Francisco Ruiz (Cybersecurity Business Unit Director at Applus+ Laboratories).
Q: Why is everything (EUCC/CSA/CRA rollout) so complex after five years of development?
A: Javier Tallón: The complexity arises from several factors. Firstly, this is the first scheme under the Cybersecurity Act, and there was no prior experience on how to develop such schemes. The development process also coincided with the COVID-19 pandemic, which added to the challenges. Additionally, the introduction of the Cyber Resilience Act (CRA) required the scheme to be compliant with new regulations. Despite these challenges, everyone involved, from the European Commission to ENISA and the members of the Ad Hoc Working Group, aimed to maintain a high standard of quality. Transitioning from extensive technical documents to a concise legal text was a significant challenge, and many details were inevitably left out. The burden of further developing the scheme now lies with the EsEm subgroup on EUCC maintenance, which may have fewer resources and may be revisiting discussions from years ago.
Q: Will previously Common Criteria certified products be recognized under the EUCC scheme?
A: Javier Tallón: Certificates will remain valid until their expiration date, and Member States are allowed to recognize certificates issued by third countries. During the Ad Hoc Working Group discussions, there was a guide for conversion planned, but it has not been published yet. Technically, converting certifications should not be a big deal since both schemes are based on Common Criteria. However, the lack of a published guidance document has created uncertainty in the market.
Q: How is the EUCC scheme addressing emerging technologies like cloud services or IoT?
A: Javier Tallón: The EUCC scheme is technology agnostic and can certify any product that can be uniquely identified. IoT products are not a problem, but cloud computing presents more challenges due to its complexity. While the EUCC scheme can be applied to cloud products, it may not always be the best fit. Other schemes like EUCS, which is specifically about cloud services, might be more appropriate. The key is to be flexible and find ways to use these schemes in combination.
Q: What is the status of mutual recognition agreements?
A: Javier Tallón: Mutual recognition agreements are more of a political issue than a technical one. There are misalignments on many levels, and while the European Commission is trying to establish such agreements, the current CCRA proposal is not acceptable from a legal standpoint. Technically, 80% of the work is the same since both schemes are based on Common Criteria. Big labs like A+ can issue both EUCC and NIAP certificates for the same product, provided they have the necessary authorizations.
Q: What is the status of site certificates and their reuse under the EUCC scheme?
A: Javier Tallón: Under the EUCC scheme, the issuance of new site certificates is not allowed according to current regulations. However, there are options for reusing existing site certificates, such as using STAR reports or following the ALC reuse methodology published by the French scheme, which might become a state-of-the-art document in the future. There is an expectation that technical aspects will be adjusted to align with legislative requirements, ensuring the feasibility of reusing effort.
Q: How will the CRA impact the payment industry, including smart cards and terminals?
A: Jose Manuel Pulido: Credit cards, which are essentially smart cards, will have their security IC platforms and operating systems certified under EUCC. However, the payment applications on these cards are not currently obligated to undergo Common Criteria or EUCC evaluations; therefore, it might be required to use other assessment methods to demonstrate the CRA conformity of these applications. Payment terminals, such as point-of-interaction devices, are expected to be certified under EUCC using the relevant protection profiles. The back-end parts of the payment industry, which may be considered remote data processing solutions, will need further clarification on their compliance requirements.
Q: What is the CRA product category for mobile devices?
A: Jose Manuel Pulido: Mobile devices do not fall into the critical or important categories; they are considered default products. However, individual components like the operating system may fall into the important category and need to comply with CRA requirements. The full product, such as a smartphone or tablet, is not currently included in the critical or important categories.
Q: Is free software used to develop or configure a chip subject to the CRA?
A: Jose Manuel Pulido: If the open-source code is used in a commercial product, it counts as part of the product that needs to comply with CRA requirements. Pure open-source projects have a more complex status, but generally, if they are part of a commercial transaction, they need to comply.
Q: Will CRA critical and important class 1 and 2 products be required to certify under EUCC high even though there are no state-of-the-art documents?
A: Jose Manuel Pulido: There is no mandatory requirement for any EUCC certification under the CRA. The regulation may evolve with future implementing acts, but as of now, critical products are the primary candidates for mandatory certification. The requirement for high-level certification under EUCC for critical and important class 1 and 2 products will depend on how the regulation and delegated acts develop in the future.
Q: What is the main challenge ahead for the EUCC scheme to be operational?
A: Javier Tallón: The main short-term challenge is to avoid disrupting the market. It's crucial to ensure that the transition to the EUCC scheme does not break existing processes. In the mid-term, the focus should be on reaching the final user and providing real value. It's important to see if European citizens will choose products certified under the EUCC scheme over others.