The EUCC Scheme: North American Perspective (Q&A Session)

06/02/2025

    On January 28th, our experts took part in a webinar on the EUCC scheme, where they explained the differences between EUCC and CCRA/SOG-IS.

    In the second part of our webinar, our experts discussed how the EUCC scheme will impact North American vendors. Lachlan Turner from Lightship Security engaged in an insightful panel with our European experts, Javier Tallon and Jose Ruiz, addressing key questions and concerns from North American clients about the EUCC scheme. Below is a summary of the main topics discussed.

    Who Needs EUCC Certification?

    EUCC certification is not mandatory by itself but may be required by other regulations such as the Cyber Resilience Act. Vendors previously needing SOG-IS certification will likely need EUCC certification. Additionally, marketing and sales considerations may drive the need for EUCC certification to stay competitive. 

    Recognition of CCRA Certificates by Member States

    Member States can individually decide to recognize CCRA certificates for a transition period of up to five years. However, this decision is up to each Member State and may vary. 

    Transitioning from NIAP to EUCC

    In the absence of mutual recognition agreements, vendors may need to obtain separate certificates for NIAP and EUCC. However, much of the evaluation work can be reused, and larger labs with multiple locations can facilitate this process efficiently. 

    Differences Between NIAP and EUCC Evaluations

    While the core standard remains the same, EUCC introduces new obligations such as vulnerability handling and reporting. Additionally, the EUCC certificate will include specific assurance levels like AVA_VAN.1. 

    Vulnerability Reporting Requirements

    Vendors must have vulnerability handling procedures in place and report vulnerabilities to the ITSEF and certification body. The specifics of the reporting process are still being defined, but it will include timelines for notification and remediation. 

    State-of-the-Art Documents

    State-of-the-art documents are mandatory and provide guidance on evaluation processes. These documents are dynamically updated and must be followed during evaluations. 
     
    This Q&A session provided valuable insights into the EUCC scheme, helping vendors understand the requirements and processes involved. Stay tuned for more updates and detailed guidance as the EUCC scheme continues to evolve.

     

