Kjartan Kvassness Jæger 5 min read Common Criteria in 2026 So Far: 243 Certifications, Heavy on Smart Card Silicon
Four months into 2026, the certification picture is clear enough to draw some conclusions. We are tracking 243 new certifications issued between 1 January and 4 May 2026, across the seven schemes we monitor. This post breaks them down by scheme, month, EAL package, and vendor, and notes a few patterns that are worth flagging.
Volume by month: not as steady as you might expect
| Month | Issuances |
|---|---|
| January | 64 |
| February | 124 |
| March | 22 |
| April | 31 |
| May (through 4 May) | 2 |
February dwarfed every other month. The cluster was driven primarily by the CCRA portal publishing a large batch of certifications dated within a tight window: the issuance dates are spread, but the publication cycle is bursty. This is a known characteristic of the CCRA workflow. Subsequent months returned to a more typical 20-30 issuances per month range.
The takeaway for anyone trying to read CC-issuance trend data: do not over-fit to a single month. The publication cadence introduces noise that the underlying evaluation pipeline does not.
Volume by scheme
| Scheme | YTD issuances | Catalog total |
|---|---|---|
| CCRA | 182 | 1,888 |
| PSA | 28 | 267 |
| ESA | 14 | 58 |
| EUCC | 12 | 29 |
| SESIP | 6 | 91 |
| MIFARE | 1 | 111 |
| EMVCo | 0 | 0 |
CCRA carries 75 percent of YTD volume, consistent with its catalog dominance. PSA Certified’s 28 issuances represent a continued steady pace from the IoT platform side. EUCC’s 12 issuances doubled its catalog in four months, but the absolute number remains small enough that it is too early to call EUCC “operational at scale.” SESIP at 6 is slower than its catalog history would imply.
EAL distribution
Of the 243 YTD certifications, the EAL package distribution is:
| Package | Count |
|---|---|
| EAL1 | 2 |
| EAL2 | 14 |
| EAL2+ | 10 |
| EAL3+ | 10 |
| EAL4 | 2 |
| EAL4+ | 39 |
| EAL5 | 4 |
| EAL5+ | 48 |
| EAL6+ | 10 |
| EAL7 | 2 |
| EAL7+ | 1 |
| No EAL listed | 101 |
A few observations:
- The largest single bucket is “no EAL listed” (101). This is mostly PSA Certified, SESIP, and ESA entries, where the assurance language is scheme-specific rather than a CC EAL package. NIAP-style PP-conformance evaluations on CCRA also land here when the certificate does not declare an EAL.
- Among CC-style EAL packages, EAL5+ is the most common landing spot (48 issuances), followed closely by EAL4+ (39). This reflects the smart card and TPM-heavy mix of CCRA work.
- EAL6+ shows up 10 times YTD, mostly in high-assurance secure-element and cryptographic-library work. EAL7 and EAL7+ together: just 3 issuances. This is normal; EAL7 evaluations are rare every year.
Top vendors year to date
| Issuances | Vendor |
|---|---|
| 14 | STMicroelectronics |
| 14 | THALES DIS FRANCE SA |
| 12 | NXP Semiconductors Germany GmbH |
| 10 | Samsung Electronics Co. Ltd. |
| 10 | Infineon Technologies AG |
| 8 | KYOCERA Document Solutions Inc. |
| 7 | Nuvoton Technology |
| 7 | Novatek Microelectronics Corporation |
| 5 | NXP Semiconductors Netherlands N.V. |
| 5 | IN SMART IDENTITY FRANCE |
The top of the list is exactly what you would expect: the major secure-element and chip vendors, with Thales DIS France there for ID, payment, and eUICC product work, and Kyocera there for printer (HCD) certifications. Note that NXP appears as two distinct vendor entries (Germany GmbH and Netherlands N.V.), which together account for 17 issuances and would top the list if combined.
The YTD ranking is broadly consistent with the all-time ranking: STMicro (138 all-time), NXP Semiconductors (112), Infineon (104), Samsung (103), Thales (100). The same five vendors have produced more than 25 percent of all 2,444 catalogued certifications.
What the data is telling us
A few patterns worth pulling out:
- CC remains a chip-and-card industry first, everything else second. The top vendors, the most common EAL packages, and the dominant Protection Profiles all point to the same conclusion: silicon and smart card products are the modal CC certificate. General-purpose IT (network devices, OS, applications) is a real but smaller share.
- EUCC is real but small. 12 issuances in four months is enough to confirm the scheme is operating end to end (NCCAs, CABs, ENISA registry, document publication), but not enough to draw any quantitative conclusion about adoption pace yet. Worth watching.
- The non-CC schemes are not exotica. PSA’s 28 YTD and ESA’s 14 add real volume. SESIP, MIFARE, and EMVCo round out a landscape that anyone building or procuring connected products should be aware of. We have a separate wiki entry on these in Beyond Common Criteria: SESIP, PSA, ESA, EMVCo, and MIFARE.
- Publication cadence is not evaluation cadence. February’s 124-issuance spike does not mean the labs got 4x faster; it means the portal flushed a backlog. Treat monthly counts as noisy.
What we will be looking for next
We will publish a six-month checkpoint after June, with an extra column once May and June close. The interesting questions for that next post:
- Does the February pattern repeat (mid-year publication burst), or has it already happened for 2026?
- Does EUCC pass 25 issuances in a single half-year for the first time?
- Does any single vendor cross 25 YTD on its own?
See also
- April 2026 in Common Criteria - the per-month detail behind these YTD numbers.
- The Most-Used Protection Profiles - which PPs the bulk of these certifications conform to.
- Beyond Common Criteria: SESIP, PSA, ESA, EMVCo, and MIFARE - what the non-CC schemes are and how they fit in.
- Common Criteria Schemes by Country - country-level breakdown of the CCRA scheme bodies represented above.