Common Criteria Schemes by Country: BSI, ANSSI, NIAP, and Others
Common Criteria certifications are issued by national scheme bodies around the world. While all schemes evaluate against the same standard (ISO/IEC 15408) using the same methodology (CEM), they differ in size, focus, administrative processes, and the types of products they commonly certify.
This guide covers the major CC schemes, what makes each one distinctive, and how they participate in mutual recognition through the CCRA.
CCRA membership
The Common Criteria Recognition Arrangement has two types of members:
- Certificate Authorizing members can both issue and consume CC certificates. These are nations with active evaluation schemes.
- Certificate Consuming members accept certificates from authorizing nations but do not run their own evaluation scheme.
As of 2024, 31 nations participate in the CCRA. The certificate-authorizing members operate the schemes described below.
Major certificate-authorizing schemes
BSI - Germany
Bundesamt für Sicherheit in der Informationstechnik
BSI is one of the two largest CC schemes globally by volume of certificates issued. It is particularly strong in smart card, secure microcontroller, and hardware security module (HSM) certifications.
Key characteristics:
- Certifies at all EAL levels, with significant activity at EAL4+ and EAL5+ for smart card platforms
- Home scheme for major European chip manufacturers (Infineon, NXP) and smart card vendors (Giesecke+Devrient, IDEMIA)
- Operates under German IT security law and is part of the Federal Ministry of the Interior
- Known for thorough technical evaluations, particularly in the hardware security domain
- Publishes certifications and certification reports on the BSI website and the CC Portal
Common product types: Smart cards, secure elements, HSMs, operating systems, network devices, payment terminals
ANSSI - France
Agence nationale de la sécurité des systèmes d’information
ANSSI operates the French CC scheme and is a major certifier, particularly for defense, government, and high-assurance products.
Key characteristics:
- Strong tradition in formal methods and higher-EAL evaluations
- Certifies products for French government and defense use
- Qualification alongside certification - ANSSI maintains a “qualified products” list (Produits Qualifiés) for products that meet additional French government security requirements beyond CC
- Active participant in EUCC development as the French NCCA
- Publishes certifications on the ANSSI website (Certifications de Sécurité)
Common product types: Encryption products, secure communications, smart cards, firewalls, operating systems, government IT infrastructure
NIAP - United States
National Information Assurance Partnership
NIAP operates the US CC scheme and has taken a distinctive approach: since 2014, NIAP has required all evaluations to conform to approved Protection Profiles rather than allowing vendor-defined EAL targets.
Key characteristics:
- PP-based evaluations only - vendors must conform to a NIAP-approved Protection Profile; standalone EAL evaluations are not accepted
- Maintains an extensive library of collaborative Protection Profiles (cPPs) and NIAP PPs covering product categories from firewalls to mobile devices
- Products Compliant List (PCL) - the official list of NIAP-validated products, often referenced in US government procurement
- Evaluations performed by NIAP-accredited Common Criteria Testing Laboratories (CCTLs) in the US
- Strong alignment with US government procurement requirements (DoD, federal civilian agencies)
Common product types: Network devices (firewalls, VPN gateways, routers), operating systems, mobile devices, application software, virtualization platforms
CCCS - Canada
Canadian Centre for Cyber Security
CCCS (formerly CSE - Communications Security Establishment) operates Canada’s CC scheme, closely aligned with NIAP’s PP-based approach.
Key characteristics:
- Participates in CMVP (Cryptographic Module Validation Program) alongside NIST for FIPS 140 validations
- PP-based evaluations aligned with NIAP’s approach
- Smaller volume than BSI or ANSSI but produces high-quality evaluations
- Evaluations performed by accredited Canadian evaluation facilities
OCSI - Italy
Organismo di Certificazione della Sicurezza Informatica
OCSI operates the Italian CC scheme, active in digital identity, electronic signature, and payment product certifications.
Key characteristics:
- Certifies products for Italian and EU government use
- Strong in electronic identity (eID) and digital signature products
- Active participant in EUCC as the Italian NCCA
- Growing volume of certifications in recent years
CCN - Spain
Centro Criptológico Nacional
CCN operates the Spanish CC scheme, focused on products for Spanish government and defense use.
Key characteristics:
- Maintains the STIC (Sistemas de las Tecnologías de la Información y las Comunicaciones) catalog of certified products
- Strong focus on encryption and secure communications for government
- Evaluations conducted by Spanish accredited labs
NSCIB - Netherlands
Netherlands Scheme for Certification in the area of IT Security
NSCIB is a well-regarded European scheme with significant smart card and payment terminal certification activity.
Key characteristics:
- Home scheme for NXP Semiconductors and several major smart card evaluation labs
- Operated by TUV Rheinland Nederland
- Strong in smart card, secure element, and payment device certifications
JISEC - Japan
Japan Information Technology Security Evaluation and Certification Scheme
JISEC operates the Japanese CC scheme, managed by IPA (Information-technology Promotion Agency).
Key characteristics:
- Certifies products for Japanese government procurement
- Cooperates with Asian CCRA members
- Publishes certifications in both Japanese and English
Other notable schemes
| Country | Scheme | Notable focus |
|---|---|---|
| South Korea | KECS | Government IT, encryption products |
| Australia | ASD | Defense and government products |
| India | STQC | Growing scheme, government IT |
| Sweden | FMV | Defense-focused |
| Norway | SERTIT | Government and defense |
| Singapore | CSA | Regional hub for Asian evaluations |
| Malaysia | CyberSecurity Malaysia | Regional evaluations |
| Turkey | TSE | Growing scheme |
How schemes differ in practice
Evaluation focus
BSI and ANSSI are known for deep technical evaluations, particularly at higher EAL levels. NIAP focuses on practical, threat-relevant testing through Protection Profiles. Some smaller schemes may rely more heavily on the evaluation lab’s expertise.
Timeline
Processing times vary. BSI and ANSSI typically process certifications within weeks of evaluation completion. Other schemes may have longer administrative queues. NIAP has historically been relatively fast for PP-based evaluations.
Cost
Evaluation costs are primarily driven by lab fees, which vary by country and lab. Administrative fees charged by scheme bodies also vary - some schemes charge nominal fees, while others have significant certification fees.
Language
Most schemes accept documentation in English, but some may prefer or require documentation in the national language. BSI accepts German and English; ANSSI typically requires French for higher-assurance evaluations.
Tracking certifications across schemes
Monitoring the full CC certification landscape means tracking certificates from all of these schemes simultaneously. Each scheme publishes certifications on their own website, in their own format, and often with different metadata structures.
NenkinTracker aggregates certification data from all major CCRA member schemes into a unified view. Instead of checking BSI, ANSSI, NIAP, and other scheme websites individually, you get one dashboard with change detection and alerts.
Start tracking for free to see certifications across all schemes in one place.
See also
- Certification Schemes Overview — quick reference for the schemes covered here.
- What is Common Criteria? — the shared ISO/IEC 15408 framework all schemes evaluate against.
- EUCC: What the EU Cybersecurity Certification Scheme Means for Common Criteria — how EU-level certification sits alongside national schemes.
- Common Criteria vs FIPS 140-3: What’s the Difference? — how CC relates to the other main evaluation standard.