April 2026 in Common Criteria: 31 New Certifications Across Five Schemes

April 2026 was a quiet-to-moderate month in Common Criteria and adjacent schemes. We logged 31 new certifications across five of the seven schemes we track, dominated as usual by smart card and chip work on the CCRA side, with a small but interesting trickle on EUCC and growing PSA Certified activity in the IoT space. This is the first of what will become a monthly recap series. The intent is to make it easier to see the certification landscape in motion, instead of as a static catalog.

Five-year context

A single month is too short a window to read a trend - especially with monthly N in the low tens for most schemes. To anchor April 2026 against history, here is the same month in each of the previous four years, and the year-to-date through end-of-April for each year.

Two things to read out of these. One, April 2026’s CCRA cadence (19) is the slowest April in the five-year window, but that follows a February pull-forward of 124 issuances - so the year is still ahead on aggregate. Two, EUCC and ESA have transitioned from “essentially zero” to meaningful flow over 2025-2026, consistent with the broader regulatory shift in the EU. With the cadence still in low double digits per scheme, individual months will swing 50 percent or more on publication clustering alone - one slow April should not be over-read.

The numbers

Scheme	April issuances
CCRA	19
ESA	5
PSA	4
EUCC	2
SESIP	1
MIFARE	0
EMVCo	0

Top vendors by April cert count: STMicroelectronics (9), Nuvoton Technology (4), Samsung Electronics (2). Most of the rest were one-shots from a long tail of vendors.

What dominated: smart card silicon at high assurance

The biggest single thread in April was secure-element and cryptographic-library work from STMicroelectronics, with five separate CCRA certifications around the NesLib cryptographic library family on ST31N600 and ST33K1M5 series chips (EAL5+, ALC_DVS.2, ALC_FLR.2, AVA_VAN.5). Two more STMicro entries covered the ST33J2M0 secure element with the same EAL5+ profile. Samsung Electronics shipped two CCRA certifications for the S3FT9MH and S3FT9MF chip families at EAL5+ with the augmented SAR set typical for smart card products.

This is the bread and butter of CCRA: chip and crypto-library certifications at EAL5+ with augmented vulnerability analysis (AVA_VAN.5), used downstream by anyone building payment cards, eIDs, passports, or eUICCs.

TPM activity from Nuvoton

Nuvoton Technology contributed four certifications for the NPCT7xx TPM 2.0 family, all at EAL4+ with ALC_DVS.2, ALC_FLR.1, and AVA_VAN.4. These are configuration-version variants (1.1.5.5, 1.3.5.5, 1.4.5.5, 1.5.5.5) of the same underlying TPM, recertified separately. EAL4+ is the typical landing spot for TPM modules: high enough to be procurement-credible, low enough to be commercially practical at volume.

Two EUCC issuances worth flagging

EUCC remains a slow ramp. April delivered two new certificates, both worth a closer look:

• Kernkonzept GmbH, L4Re Secure Separation Kernel CC 1.0.2 (EUCC-3087-2026-04-0003, issued 2026-04-16). A secure separation kernel is a security-critical primitive for partitioned systems; an EUCC issuance for one is a useful data point for anyone tracking high-assurance OS components in the EU framework.
• DISTROMEL, S.A., Distromel Waste Container Identification System (EUCC-3095-2026-01, issued 2026-04-28). A Spanish vendor of waste-management infrastructure took an EUCC cert for an IoT product. Less typical for the scheme. We have written a separate walkthrough of this certificate in Anatomy of an EUCC Certificate.

Combined, EUCC year-to-date sits at 12 issuances. The scheme is real and operational, but the volume is still an order of magnitude below CCRA.

PSA, ESA, and the rest

PSA Certified continues its quiet but steady IoT-focused output: four April certifications including Safetrust (IoT sensor), MAKSA LTD (MKC44 series), GigaDevice (GD32F5HC microcontroller series), and Globaltronics (GE101/GE301 smart electricity meter family).

ESA contributed five certifications, all from Chinese semiconductor and smart card vendors (Eastcompeace EPT 3371U, Beijing Huahong HHSGG1620I, Withheld vendor, CEC Huada CIU98M50, Megahunt MH1701). The ESA scheme remains heavily concentrated in Chinese-domestic security IC work.

CCRA also picked up a few notable non-chip entries this month: Belkin KVM switches (F1DN102KVM family), Juniper SRX300/320/340/345/etc. on Junos OS 24.4R1, an HPE Juniper QFX5120-48YM switch, RathonTech’s Rathon-SSO single sign-on, and Cogito Group’s Jellyfish Certificate Authority v7.0.

On the maintenance side

Beyond fresh issuances, April also brought five reviewed post-issuance document changes across the schemes we monitor. We covered the spectrum of what those look like in a separate post: see What Actually Changes After a Product Is Certified. Highlights this month included a Security Target update referencing a NIT technical decision (TD0990 around CTR_DRBG), a clarification on page 13 of a certification report concerning IC delivery, and a guidance-document addition for an evaluated cryptographic library.

Year so far in one paragraph

Through 4 May 2026, our catalog records 243 certifications issued in calendar year 2026, distributed: CCRA 182, PSA 28, ESA 14, EUCC 12, SESIP 6, MIFARE 1. The monthly cadence has not been smooth: January saw 64, February jumped to 124 (a publication cluster on the CCRA portal), March dropped to 22, and April recovered to 31. The spike seen in February were also likely influenced by the sunset the European national certification schemes as EUCC began taking over under the EU Cybersecurity Act. We will dig into the year-to-date numbers more carefully in Common Criteria in 2026 So Far.

What we are watching in May

A handful of things on our radar going into May:

• Whether the CCRA February-publication pattern repeats, or whether March-April’s slower pace becomes the new baseline
• EUCC issuance velocity: 12 in four months is not enough to read a trend
• Any first MIFARE certifications of 2026 (just one issuance YTD, against an installed base of 111 catalogued)
• Movement on EAL6+ and EAL7 work, which has been thin so far this year (10 and 3 respectively across all of 2026)

See also

• Common Criteria in 2026 So Far - deeper year-to-date analysis with EAL distribution and top vendors.
• What Actually Changes After a Product Is Certified - the spectrum of post-issuance document changes we observe.
• Anatomy of an EUCC Certificate - walking through the Distromel EUCC cert end to end.
• Common Criteria Certification Process Explained - background on how a certificate gets issued in the first place.

Continue reading

May 5, 2026

Common Criteria in 2026 So Far: 243 Certifications, Heavy on Smart Card Silicon

Where the first four months of 2026 went in Common Criteria and adjacent schemes - issuance volume by month and scheme, top vendors, EAL distribution, and what the data tells us.

common-criteriayear-in-reviewindustry-newsstatistics

Apr 29, 2026

Common Criteria vs EUCC: A Migration Guide for Vendors and Buyers

EUCC is the EU's regulatory Common Criteria scheme replacing SOG-IS. What changes, what stays the same, and how vendors and buyers should plan the transition.

euccccracommon-criteriamigrationregulatory

May 6, 2026

CAB and Lab Independence in Common Criteria: When the Separation Matters Most

Why independence between the evaluation lab (ITSEF) and certification body matters in Common Criteria and EUCC, and how to apply ISO 31000-style risk assessment to combined lab/CB structures at substantial versus high assurance.

common-criteriaeuccealprocurementguide