Guide to EAL Levels: What EAL2, EAL4, and EAL5+ Actually Mean

Evaluation Assurance Levels - EAL1 through EAL7 - are one of the most visible aspects of Common Criteria certification. They appear in procurement requirements, vendor marketing materials, and compliance checklists. But they are also one of the most misunderstood.

This guide explains what each EAL level actually requires, what the practical differences are, and how to interpret EAL in procurement and compliance decisions.

What EAL measures (and what it does not)

An EAL indicates how thoroughly a product was evaluated, not how secure it is.

A product certified at EAL4 is not “more secure” than one at EAL2. It means the evaluation was more rigorous - more documentation was reviewed, more testing was performed, and more evidence was examined. A simple product evaluated at EAL4 and a complex product evaluated at EAL2 may offer equivalent real-world security for their respective use cases.

This distinction matters because procurement teams sometimes treat EAL as a linear security score, which leads to requirements like “must be EAL4 or higher” without considering whether the higher assurance level is relevant to the threat model.

The seven levels

  • EAL1 - Functionally tested
  • EAL2 - Structurally tested
  • EAL3 - Methodically tested
  • EAL4 - Source code reviewed
  • EAL5 - Semiformal design
  • EAL6 - Semiformal verified
  • EAL7 - Formally verified

Evaluation depth grows roughly exponentially with each EAL step. The bar lengths in the original chart are illustrative, not a precise cost scale.

EAL1 - Functionally tested

The lowest level. The evaluator confirms that the product functions as described in its documentation. No source code review, no design analysis, no vulnerability testing beyond what the documentation describes.

When it is used: Rarely in practice. EAL1 provides minimal assurance and is typically only seen in evaluations where any CC certificate is needed but cost must be minimized.

EAL2 - Structurally tested

The evaluator reviews the product’s high-level design, tests its security functions, and performs basic vulnerability analysis. The vendor must provide functional specifications, a high-level design document, and evidence of testing.

When it is used: Common for commercial products. EAL2 is the most frequently targeted level globally because it provides meaningful assurance without requiring source code access. Many CCRA schemes issue the majority of their certificates at EAL2.

EAL3 - Methodically tested and checked

Adds more structured testing and requires evidence that the development environment has basic security controls. The vendor must demonstrate that the product was developed using sound engineering practices.

When it is used: Less common than EAL2 or EAL4. EAL3 exists as a middle ground but is often skipped - vendors either stop at EAL2 or invest in EAL4.

EAL4 - Methodically designed, tested, and reviewed

The evaluator performs a source code review (or hardware design review), conducts independent vulnerability testing, and requires a detailed low-level design. The development environment must have documented security controls.

When it is used: This is the highest level commonly targeted for commercial products. EAL4 is widely considered the practical ceiling for products that are not designed specifically for government or military use. Smart cards, payment terminals, and government network devices frequently target EAL4 or EAL4+.

EAL5 - Semiformally designed and tested

Introduces semiformal methods - the security design must be expressed using a structured notation (not just prose). The evaluator performs more extensive covert channel analysis and the development environment must have strong configuration management.

When it is used: Primarily for products with high security requirements - smart card operating systems, high-assurance operating systems, and security-critical embedded systems. EAL5 evaluations are significantly more expensive and time-consuming than EAL4.

EAL6 - Semiformally verified design and tested

Requires a semiformal proof that the implementation corresponds to the formal security model. Adds structured vulnerability analysis and requires evidence of a structured development process with strong security controls.

When it is used: Very rare. Typically reserved for products used in high-security government applications or products that form part of critical national infrastructure.

EAL7 - Formally verified design and tested

The highest level. Requires formal (mathematical) methods to verify the security design. The evaluator must receive the complete implementation representation and verify it against a formal security model.

When it is used: Extremely rare. Only a handful of products worldwide have achieved EAL7. The cost and timeline are prohibitive for nearly all commercial products.

EAL augmentation (the “+” notation)

You will often see certifications described as “EAL4+” or “EAL2+”. The + indicates that the evaluation included augmented assurance components - additional requirements beyond the base EAL level.

For example, EAL4+ ALC_DVS.2 means the product was evaluated at EAL4 with an additional requirement for development security controls at a higher level than EAL4 normally requires.

Common augmentations include:

  • AVA_VAN.5 - Enhanced vulnerability analysis (going beyond the base level’s testing)
  • ALC_DVS.2 - Stronger development security controls
  • ALC_FLR.2/3 - Flaw remediation procedures

Augmentation is important because it allows vendors to strengthen specific areas without committing to a full higher EAL. A product at EAL4+ with enhanced vulnerability analysis may provide more relevant assurance for a specific threat model than a base EAL5 without augmentation.
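The comparison described above can be made component by component instead of by EAL number. The following is an added example, not code from this guide or from any tool it mentions; the function names and the requirement format are hypothetical, and the baseline table covers only the three families named above and should be checked against the CC Part 3 version you evaluate against.

```python
import re

# Component level each base EAL (1..7) already includes, for the three families
# this guide names (from the EAL summary table in CC Part 3; 0 = not included).
# Components in these families are hierarchical: .5 covers .4, .3 covers .2.
BASELINE = {
    "AVA_VAN": [1, 2, 2, 3, 4, 5, 5],
    "ALC_DVS": [0, 0, 1, 1, 1, 2, 2],
    "ALC_FLR": [0, 0, 0, 0, 0, 0, 0],
}
LEVEL_RE = re.compile(r"^\s*EAL([1-7])\s*(\+?)", re.IGNORECASE)
COMPONENT_RE = re.compile(r"\b([A-Z]{3}_[A-Z]{3})\.(\d)\b")


def parse_level(text):
    """Split 'EAL4+ ALC_DVS.2' into (4, True, {'ALC_DVS': 2})."""
    m = LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"not an EAL string: {text!r}")
    augmented = {fam: int(n) for fam, n in COMPONENT_RE.findall(text.upper())}
    return int(m.group(1)), bool(m.group(2)), augmented


def effective_components(text):
    """Baseline components of the EAL, raised by any named augmentation."""
    eal, _, augmented = parse_level(text)
    levels = {fam: per_eal[eal - 1] for fam, per_eal in BASELINE.items()}
    for fam, n in augmented.items():
        levels[fam] = max(levels.get(fam, 0), n)
    return levels


def unmet(cert, required):
    """Return the required components a certificate string does not cover."""
    _, plus, augmented = parse_level(cert)
    if plus and not augmented:  # bare "EAL4+" says nothing about what was added
        return ["'+' given without named components; check the certificate"]
    have = effective_components(cert)  # families outside BASELINE count as 0
    return [f"{fam}.{n}" for fam, n in sorted(required.items())
            if have.get(fam, 0) < n]


if __name__ == "__main__":
    # Constructed certificate strings, checked against a requirement for AVA_VAN.5.
    for cert in ("EAL5", "EAL4+ AVA_VAN.5", "EAL4+"):
        print(cert, "->", unmet(cert, {"AVA_VAN": 5}) or "requirement met")
```

A base EAL5 string is reported as missing AVA_VAN.5 while "EAL4+ AVA_VAN.5" passes, which is the case the paragraph above describes.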

Which EAL do I need?

The answer depends on your context:

Government procurement with specific requirements. If the procurement mandate or Protection Profile specifies an EAL level, use that. Many NIAP-approved Protection Profiles effectively require specific assurance activities that correspond to particular EAL ranges, even when they do not name an EAL directly.

Risk-based selection. Match the EAL to the threat environment. Products handling classified data or operating in adversarial environments warrant higher assurance. Products used in low-risk commercial environments may be adequately served by EAL2.

Practical ceiling. For most commercial procurement decisions, the relevant comparison is between EAL2 and EAL4 products. Levels below EAL2 offer limited assurance; levels above EAL4 involve exponentially increasing cost and timeline for incrementally increasing assurance.

Do not over-specify. Requiring EAL4 when EAL2 would suffice limits your vendor options and increases cost without proportional security benefit. Focus on what the evaluation actually tested - the Security Target scope and Protection Profile conformance - rather than the EAL number alone.

EAL distribution in practice

Approximate share of active CC certificates by EAL:

  • EAL1: ~3%
  • EAL2: ~45% (largest share)
  • EAL3: ~6%
  • EAL4: ~32% (incl. EAL4+)
  • EAL5: ~12% (incl. EAL5+)
  • EAL6-7: <2%

Illustrative distribution based on CCRA-published certificate lists. Exact ratios vary by scheme and year.

  • EAL2 accounts for the largest share of active CC certificates globally
  • EAL4 (including EAL4+) is the second most common, particularly strong in smart card and payment terminal certifications (BSI and ANSSI issue many at this level)
  • EAL5+ is primarily seen in smart card OS and secure microcontroller certifications from European schemes
  • EAL1, EAL3, EAL6, and EAL7 are comparatively rare

Tracking EAL levels across schemes

NenkinTracker tracks EAL levels alongside all other certification metadata across CCRA member schemes. You can filter and compare products by assurance level, see how EAL distributions differ between schemes like BSI, ANSSI, and NIAP, and get alerted when certifications change.
