Common Criteria vs EUCC: A Migration Guide for Vendors and Buyers

The EU Cybersecurity Certification scheme for Common Criteria - EUCC - is the EU’s first regulatory cybersecurity certification scheme adopted under the Cybersecurity Act. It uses Common Criteria (ISO/IEC 15408) as its evaluation methodology, but it sits inside the EU regulatory framework rather than the international voluntary CCRA arrangement. For EU member states, EUCC is the successor to SOG-IS for high-assurance Common Criteria certifications.

If you are a vendor with existing CCRA or SOG-IS certificates, or a buyer whose procurement framework references either, you need to plan for the transition. This guide walks through the key questions and what to do about each.

Note: Migration mechanics are still being refined by ENISA, the European Cybersecurity Certification Group, and the participating national certification authorities. Treat this guide as orientation; consult your scheme contact for the current operational details.

What is changing

The shift from SOG-IS or national CCRA certification to EUCC affects three layers:

1. The legal basis

  • CCRA is a multilateral arrangement among national schemes, most recently revised in 2014. Membership is voluntary and certificates are recognised within stated assurance limits.
  • EUCC is a regulatory scheme operated under the EU Cybersecurity Act (Regulation (EU) 2019/881) and Implementing Regulation (EU) 2024/482. EU sectoral regulation can require EUCC certification as a legal prerequisite.

The practical implication: an EUCC certificate carries regulatory weight inside the EU that a CCRA certificate alone does not.

2. The recognition perimeter

  • SOG-IS provided mutual recognition for high-assurance evaluations among participating European nations. SOG-IS is winding down for EU member states as EUCC takes over.
  • EUCC provides mutual recognition across EU member states under the Cybersecurity Act framework.
  • CCRA continues as the international recognition arrangement for participating nations outside the EU (Australia, New Zealand, Norway, and others). EU national schemes remain CCRA members; certificates issued under those schemes can carry both EUCC and CCRA recognition where applicable.

For a vendor, this means the geography of recognition changes: EU markets shift toward EUCC; non-EU markets continue under CCRA national schemes.

3. The operational rules

EUCC adds EU-specific procedures on top of standard Common Criteria for:

  • Vulnerability handling - certificate holders have explicit obligations on vulnerability management and patch dissemination.
  • Maintenance and conformity reporting - structured around EU regulatory cadence.
  • Authority and supervision - national certification authorities operate under ENISA coordination and the European Cybersecurity Certification Group.

The underlying ISO/IEC 15408 evaluation methodology is unchanged. EUCC adds the regulatory wrapping; the technical work the lab performs is the same Common Criteria evaluation.

What stays the same

Many things do not change with the move to EUCC:

  • The standard - ISO/IEC 15408 (Common Criteria) and ISO/IEC 18045 (CEM).
  • The structure of evaluation evidence - Security Targets, Protection Profiles, Certification Reports, TOE descriptions.
  • The role of the lab - accredited ITSEFs continue to perform the technical evaluation work.
  • The role of the national authority - existing CCRA national authorities operate as national certification authorities under EUCC.
  • The Common Criteria Portal - continues as a registry for international CCRA-recognised certifications. EUCC certificates have their own registry under ENISA.

For a vendor mid-evaluation, the framework label may change but the evaluation itself does not need to be redone from scratch.

Migration paths for existing certificates

There are three main scenarios. Treat the specific procedures here as guidance; the operative rules are set by ENISA and the national certification authorities and may evolve.

Scenario 1: Existing SOG-IS certificate

SOG-IS certificates are eligible for transition into EUCC under defined procedures. The vendor coordinates with the issuing national authority. The exact transition path depends on the certificate’s assurance level, the underlying Protection Profile, and the SOG-IS technical domain.

For high-assurance smart card and secure element certifications, an explicit transition mechanism exists so that SOG-IS recognition can flow into EUCC without a fresh evaluation, subject to the issuing authority’s review.

Scenario 2: Existing CCRA certificate from a non-EU scheme

A CCRA certificate issued by a non-EU scheme is not automatically an EUCC certificate. EU buyers that require EUCC will need an EUCC certificate; the existing CCRA certificate continues to support CCRA recognition in non-EU markets.

The path forward typically involves either a fresh EUCC evaluation through an EU national certification authority, or a structured re-recognition procedure where the underlying evaluation evidence is reused.

Scenario 3: Existing CCRA certificate from an EU national scheme

For EU national schemes that are also CCRA members (BSI, ANSSI, OCSI, and others), existing certificates may transition into EUCC under procedures defined by the issuing authority. The certificate continues to be valid in non-EU CCRA markets and gains EUCC recognition for EU regulatory contexts.

The migration mechanics are scheme-specific. The issuing scheme is the operative source of truth.

Decisions for vendors

If you sell into EU markets, three decisions need attention.

Decision 1: What is your target market mix?

  • EU regulated procurement and EU sectoral compliance: EUCC will increasingly be a prerequisite. Plan for EUCC certification or transition.
  • Non-EU government procurement and international markets: CCRA national-scheme certification continues to apply. Maintain those certifications.
  • Both: A combined approach is normal. Budget for the dual-track work, and pick a primary scheme to anchor the work.

Decision 2: Which national certification authority leads?

EUCC certifications are issued by an EU national certification authority. The choice influences:

  • Lab availability - some labs are accredited under specific national authorities.
  • Familiarity with your product category - some authorities have deeper history in specific domains (smart cards, network devices, OS).
  • Relationship and language - if you have an existing relationship with a CCRA national scheme that is also operating as a national certification authority under EUCC, continuity matters.

Decision 3: How do you handle vulnerability and maintenance obligations?

EUCC’s explicit obligations on vulnerability management and patch dissemination are a step up from typical CCRA practice. Vendors should confirm internally that the processes exist to meet those obligations: PSIRT capability, customer notification procedures, patch release tracking, and conformity reporting.

Decisions for buyers

If you are writing procurement requirements that touch Common Criteria, there are three things to check.

  1. Does your sectoral regulation explicitly cite EUCC? If yes, EUCC certificates are required. CCRA-only certificates are not a substitute inside that regulatory framework.
  2. Are you procuring from inside or outside the EU? EU-internal procurement is increasingly EUCC-aligned. Procurement from non-EU suppliers may rely on CCRA national-scheme certificates that gain EUCC recognition through transition procedures.
  3. What is the validity horizon? Existing SOG-IS certificates remain in force during the transition window. Procurement should accept SOG-IS-era certificates with active SOG-IS recognition while the EUCC transition completes; reject those whose recognition has lapsed.

Watching the transition

The EUCC transition is moving in stages. Vendors and buyers should watch for:

  • ENISA publications on operational rules, transition procedures, and the EUCC registry.
  • National certification authority guidance on per-domain transition (smart card, network devices, etc.).
  • EU sectoral regulation updates that cite EUCC as a compliance route, particularly for radio equipment, NIS2-relevant products, and AI Act-relevant components.

NenkinTracker tracks both EUCC and CCRA certifications, links related certificates across schemes where the link is published, and surfaces transition signals in the EUCC scheme overview and the recent EUCC certifications feed.