EUCC: What the EU Cybersecurity Certification Scheme Means for Common Criteria

The European Union Common Criteria-based Cybersecurity Certification Scheme (EUCC) is a new certification framework under the EU Cybersecurity Act (Regulation 2019/881). It represents the most significant structural change to Common Criteria certification in Europe since the CCRA was established.

For teams working with Common Criteria certified products - whether in procurement, compliance, or product security - the EUCC introduces changes to how certificates are issued, recognized, and maintained within the EU.

What is the EUCC?

The EUCC is the first EU-wide cybersecurity certification scheme adopted under the Cybersecurity Act. It is built on Common Criteria (ISO/IEC 15408) and the Common Evaluation Methodology (CEM), but wraps them in an EU regulatory framework that standardizes processes, governance, and recognition across all EU member states.

The scheme was formally adopted as Commission Implementing Regulation (EU) 2024/482 and applies to ICT products (hardware, software, and combined products).

Why the EUCC matters

Before the EUCC, Common Criteria certification in Europe was handled by national schemes - BSI in Germany, ANSSI in France, OCSI in Italy, NSCIB in the Netherlands, and others. Each scheme had its own processes, timelines, and administrative requirements, even though they all evaluated against the same ISO 15408 standard.

The EUCC aims to:

  1. Unify the European CC landscape - One regulatory framework replaces the patchwork of national scheme practices
  2. Ensure EU-wide recognition - EUCC certificates are valid across all EU member states without additional national requirements
  3. Align with EU cybersecurity policy - The scheme integrates with other EU regulations like the Cyber Resilience Act (CRA) and NIS2 Directive
  4. Standardize governance - National Cybersecurity Certification Authorities (NCCAs) operate under harmonized rules

Two assurance levels

The EUCC defines two assurance levels, mapped from Common Criteria:

Substantial

Maps to: EAL1-EAL4

  • Certificates issued by accredited CABs (labs)
  • NCCA oversight, not direct issuance
  • Target for most commercial products

High

Maps to: EAL4+ and above

  • Requires NCCA to issue or approve
  • Protection Profile conformance expected
  • Government, critical infrastructure, HSMs

EUCC collapses EAL1-7 into two regulatory tiers. “High” pulls the national authority back into the loop.

“Substantial” level

  • Corresponds to CC evaluation at EAL1-EAL4 (or equivalent)
  • Certificates are issued by conformity assessment bodies (CABs) - essentially accredited evaluation labs
  • The NCCA in each member state oversees the CABs but does not issue certificates directly at this level
  • Most commercial products will target this level

“High” level

  • Corresponds to CC evaluation at EAL4+ and above (with specific augmentations)
  • Certificates at this level require NCCA involvement - the national authority must either issue or approve the certificate
  • Intended for products with higher security requirements, government use, or critical infrastructure
  • Protection Profile conformance is generally expected at this level

What changes from existing CC practice

Certificate issuance

Under existing CCRA practice, certificates are issued by national scheme bodies (BSI, ANSSI, etc.). Under the EUCC, “substantial” level certificates can be issued directly by accredited CABs (evaluation labs), without the national scheme body acting as certificate issuer. “High” level certificates still require NCCA involvement.

Validity period

EUCC certificates have a maximum validity of 5 years. After that, they must be renewed or they expire. This is more prescriptive than some existing national schemes, which may allow certificates to remain active indefinitely if maintained.

Vulnerability disclosure

The EUCC requires certificate holders to have processes for handling vulnerability reports related to certified products. If a significant vulnerability is discovered, the certificate may be suspended or withdrawn.

Marking

Products with EUCC certificates may carry an EU cybersecurity certification mark, indicating the assurance level achieved. This provides visual recognition for procurement teams.

Monitoring

NCCAs must perform ongoing compliance monitoring - not just certify-and-forget. This includes market surveillance and the ability to challenge or revoke certificates.

Impact on existing CC certificates

Existing Common Criteria certificates issued by national schemes remain valid. The EUCC does not retroactively invalidate BSI, ANSSI, or other national certificates.

However:

  • New evaluations conducted under the EUCC framework will follow EUCC rules for issuance, maintenance, and validity
  • National schemes may continue to operate in parallel for products that do not need EU-wide EUCC certification
  • Over time, procurement requirements within the EU may increasingly reference EUCC certificates specifically, rather than generic CC certificates

Who is affected

Vendors seeking certification

If you sell IT products in the EU and your customers require CC certification, you will increasingly need to consider the EUCC pathway. This is especially true if your products fall under other EU regulations (Cyber Resilience Act, NIS2) that may mandate or reference EUCC certification.

Procurement teams

EU government procurement will likely shift toward requiring EUCC certificates. Understanding the difference between “substantial” and “high” assurance levels - and how they map to existing EAL levels - will be important for writing accurate procurement requirements.

Evaluation labs

ITSEFs operating in the EU must be accredited as CABs under the EUCC to issue “substantial” level certificates. This adds new accreditation requirements beyond existing ISO 17025 and CC scheme recognition.

Compliance teams

If you track CC certifications for compliance purposes, EUCC introduces a new certificate type to monitor. Products may hold both a traditional national CC certificate and an EUCC certificate, or transition from one to the other.

Relationship to other EU regulation

The EUCC does not exist in isolation. It is part of a broader EU cybersecurity regulatory framework:

  • Cyber Resilience Act (CRA) - Mandates cybersecurity requirements for products with digital elements sold in the EU. The CRA may reference EUCC as a presumption-of-conformity pathway.
  • NIS2 Directive - Requires essential and important entities to use cybersecurity-certified products where available. EUCC certification may satisfy these requirements.
  • EU Cybersecurity Act - The parent regulation that establishes the framework for EU certification schemes. The EUCC is the first scheme adopted under it; others (for cloud services, for example) may follow.

Tracking EUCC and CC certifications

As the EUCC rolls out alongside existing national CC schemes, tracking the certification landscape becomes more complex. Products may hold certificates from different frameworks, and understanding which certificates are active, expiring, or superseded requires monitoring multiple sources.
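To make that tracking problem concrete, here is an added Python example (written for this article; it is not NenkinTracker code and not anything from the EUCC regulation itself). It normalises certificates from different schemes to an EUCC tier using the EAL mapping described above, applies the 5-year maximum validity to EUCC certificates even when no expiry date was recorded, and classifies each certificate as active, expiring, expired, or superseded. The 180-day warning window is an assumption, and every certificate identifier and product in the sample inventory is a constructed placeholder.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import re
from typing import Optional

# Rules taken from the article: EUCC certificates are valid at most 5 years;
# EAL1-EAL4 map to "substantial", EAL4+ and above map to "high".
MAX_VALIDITY_YEARS = 5
EXPIRY_WARNING_DAYS = 180  # assumption: how far ahead the tracker flags "expiring"

_EAL_RE = re.compile(r"^EAL([1-7])(\+)?$")


def eucc_level_for_eal(eal: str) -> str:
    """Map a CC EAL string such as 'EAL2' or 'EAL4+' to an EUCC assurance tier."""
    m = _EAL_RE.match(eal.strip().upper())
    if not m:
        raise ValueError(f"unrecognised EAL: {eal!r}")
    level, augmented = int(m.group(1)), m.group(2) is not None
    if level < 4 or (level == 4 and not augmented):
        return "substantial"
    return "high"


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb is clamped to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Certificate:
    scheme: str                      # "EUCC", "BSI", "ANSSI", ...
    cert_id: str                     # placeholder identifiers in the sample data below
    product: str
    assurance: str                   # EAL string for national CC, or "substantial"/"high" for EUCC
    issued: date
    expires: Optional[date] = None   # national certificates may carry no fixed end date
    superseded_by: Optional[str] = None

    def eucc_level(self) -> str:
        """Normalise the assurance claim so certificates from different schemes compare."""
        if self.scheme == "EUCC":
            return self.assurance
        return eucc_level_for_eal(self.assurance)

    def effective_expiry(self) -> Optional[date]:
        """EUCC certificates expire no later than 5 years after issuance, whatever was recorded."""
        cap = add_years(self.issued, MAX_VALIDITY_YEARS) if self.scheme == "EUCC" else None
        if self.expires is None:
            return cap
        if cap is None:
            return self.expires
        return min(self.expires, cap)

    def status(self, today: date) -> str:
        """Classify the certificate relative to a reference date."""
        if self.superseded_by:
            return "superseded"
        exp = self.effective_expiry()
        if exp is None:
            return "active"  # maintained national certificate with no fixed end date
        if exp < today:
            return "expired"
        if exp - today <= timedelta(days=EXPIRY_WARNING_DAYS):
            return "expiring"
        return "active"


# Constructed sample inventory: identifiers, products and dates are placeholders, not real certificates.
SAMPLE_INVENTORY = [
    Certificate("BSI", "BSI-PLACEHOLDER-0001", "Example HSM", "EAL4+", date(2021, 3, 1), None, "EUCC-PLACEHOLDER-0002"),
    Certificate("EUCC", "EUCC-PLACEHOLDER-0002", "Example HSM", "high", date(2025, 2, 10)),
    Certificate("EUCC", "EUCC-PLACEHOLDER-0003", "Example Firewall", "substantial", date(2020, 9, 15)),
    Certificate("ANSSI", "ANSSI-PLACEHOLDER-0004", "Example Smart Card", "EAL5", date(2019, 6, 30)),
    Certificate("EUCC", "EUCC-PLACEHOLDER-0005", "Example VPN Gateway", "substantial", date(2020, 12, 1), date(2030, 12, 1)),
]


def report(inventory, today: date) -> dict:
    """Return {cert_id: (eucc_level, status)} for every certificate in the inventory."""
    return {c.cert_id: (c.eucc_level(), c.status(today)) for c in inventory}


if __name__ == "__main__":
    for cert_id, (level, status) in report(SAMPLE_INVENTORY, date(2025, 10, 1)).items():
        print(f"{cert_id:24} {level:12} {status}")
```

Note how the last sample record carries a recorded expiry ten years out but is still flagged as expiring, because the 5-year cap is applied to every EUCC certificate regardless of what a data source reports; a tracker that trusts the recorded date alone would miss the renewal deadline.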

NenkinTracker already tracks certifications from EUCC and major national CC schemes including BSI, ANSSI, NIAP, and others. As the EUCC matures, we will continue expanding our coverage.

Start tracking certifications for free to stay current on both EUCC and traditional CC certificates.
