EUCC vs CCRA SOGIS: new requirements, challenges and improvements

30/10/2024

    This article is based on Nuria Carrió (Cybersecurity Certification Technical Manager at Applus+ Laboratories) presentation during the EUCC scheme webinar organized by Applus+ Laboratories in October 2024.

    The EUCC (European Common Criteria-based Cybersecurity Certification) scheme, developed under the Cybersecurity Act (CSA), aims to harmonize cybersecurity certification across Europe. This article covers the key aspects of the EUCC scheme, how it differs from the previous CCRA/SOG-IS schemes, and its implications for manufacturers and other stakeholders.

    Scope and Continuity

    The EUCC scheme applies to all ICT products and protection profiles, maintaining the same scope as the previous common criteria schemes (CCRA and SOG-IS). The core evaluation methodology remains based on common criteria, with the 2022 version integrated into the EUCC process. The scheme continues to operate under a third-party assessment scenario, involving certification bodies (CBs) and evaluation facilities (ITSEFs). Notably, the EUCC allows for private CBs, expanding beyond the previously public-only CBs.

    Stakeholders and Timelines

    Key stakeholders in the EUCC scheme include national accreditation bodies, National Cybersecurity Certification Authorities (NCCAs), CBs, and ITSEFs. The NCCAs play a crucial role in supervising and authorizing high assurance levels. The EUCC scheme entered into force in February 2024, with a one-year coexistence period with national common criteria schemes. By February 2025, all new evaluations must adhere to the EUCC scheme, and ongoing evaluations must conclude by February 2026.

    New Obligations and Requirements

    Manufacturers should provide the intended usage and a risk analysis of their products, demonstrating that the selected assurance level is suitable. The EUCC scheme introduces specific obligations, including general commitments, the availability of supplementary security information, and monitoring activities. Manufacturers must report vulnerabilities and irregularities, with a 30-day remedial action period for non-compliance.

    State-of-the-Art Documents and Mutual Recognition

    The EUCC scheme relies on state-of-the-art documents for evaluation methods, tools, and security requirements, as well as requirements relevant to certification. These documents are mandatory and include accreditation requirements and the requirements for the technical domains of smart cards and hardware security boxes. While there is no mutual recognition agreement with third-party countries, non-EU countries can recognize EUCC certifications if they meet specific criteria. Efforts are ongoing to harmonize changes and establish new recognition agreements.

    Protection Profiles and Assurance Levels

    Protection profiles under the EUCC scheme must be certified by public bodies and endorsed by the European Cybersecurity Certification Group. The scheme supports high assurance levels (EAL4 and EAL5) for critical ICT products, with specific scenarios outlined for their application. The EUCC also mandates a vulnerability handling process for assurance continuity, requiring manufacturers to monitor and manage vulnerabilities effectively.

    Patch Management and Marking

    The EUCC scheme includes provisions for patch management, allowing manufacturers to update products in the field. The process involves developing and releasing patches, establishing technical mechanisms for adoption, and evaluating their effectiveness. While affixing the EUCC mark is voluntary, manufacturers must follow specific rules if they choose to do so.

    Future Developments and Challenges

    The EUCC scheme is a work in progress, with ongoing efforts to maintain and update state-of-the-art documents. Guidance on monitoring processes, site recognition, and the interplay with other regulations like the Cyber Resilience Act (CRA) is needed. The scheme aims to avoid market disruption and ensure a smooth transition for manufacturers and stakeholders.

    In conclusion, the EUCC scheme represents a significant step towards harmonizing cybersecurity certification in Europe. By addressing new obligations, maintaining state-of-the-art standards, and fostering mutual recognition, the EUCC aims to provide a robust framework for ICT product certification, ensuring a consistent level of ICT product cybersecurity across the region.
