Adoption of the EU Cybersecurity Certification Scheme on Common Criteria


The European Commission has adopted the implementing regulation concerning the EU Cybersecurity Certification Scheme on Common Criteria (EUCC). It is the first approved scheme under Regulation (EU) 2019/881 (Cybersecurity Act).

This regulation specifies the roles, rules, obligations, and structure of the European Common Criteria-based cybersecurity certification scheme under the European cybersecurity certification framework outlined in the Cybersecurity Act.

The implementing regulation refers to documents known as State-of-the-Art (SoA). There will be – inter alia – three SoA documents regarding:

  •  Accreditation of ITSEFs (Information Technology Security Evaluation Facilities),
  •  Accreditation of Certification Bodies (CBs), and
  •  Authorisation of CBs and ITSEFs.

The European Union Agency for Cybersecurity (ENISA) is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, ENISA contributes to EU cyber policy, enhances the trustworthiness of Information and Communications Technology (ICT) products, services, and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.
