SESIP vs Common Criteria: When to Choose Each

If you build connected devices, certify chips, or write procurement requirements for IoT products, you have probably had to choose between SESIP and Common Criteria. The two methodologies look similar on paper. They share a lot of vocabulary. They produce certificates that can sit on the same shelf.

They are not interchangeable. They optimise for different deployment contexts, and choosing the wrong one means paying for assurance you do not need or claiming assurance you cannot defend.

The short version

  • Common Criteria (ISO/IEC 15408) is the international standard for IT security evaluation. Designed for high-assurance products, government procurement, and complex IT systems. Evaluations are thorough, expensive, and slow.
  • SESIP (Security Evaluation Standard for IoT Platforms) is GlobalPlatform’s evaluation methodology for connected device components. Designed for IoT scale: lighter-weight, faster, calibrated to typical IoT deployment threat models.

Both produce certificates. Both rely on accredited labs. Both define assurance levels. The difference is in what they are calibrated for: Common Criteria is calibrated for the worst-case threat models in government and high-stakes commercial markets; SESIP is calibrated for the much larger volume of consumer and industrial IoT products that need credible-but-proportionate security evidence.

Where each one fits

When Common Criteria is the right choice

  • The product is going to government, defence, or regulated-sector procurement that requires CC certification.
  • The product is a smart card, secure element, hardware security module, or other high-assurance component where EAL4+ (or higher) with AVA_VAN.5 is the established market norm.
  • The threat model assumes capable, well-resourced attackers with physical access and substantial reverse-engineering capability.
  • A relevant Protection Profile exists in the Common Criteria PP catalog.
  • The procurement framework explicitly cites Common Criteria, EUCC, or a national CCRA scheme.

When SESIP is the right choice

  • The product is an IoT chip, secure microcontroller, root of trust, or platform component, and the buyer is integrating it into a connected device.
  • The threat model is bounded: remote attackers, casual physical attackers, supply-chain manipulation - but not nation-state physical attack.
  • Time-to-market and evaluation cost matter, and a Common Criteria evaluation would take longer or cost more than the product economics support.
  • The product is being evaluated as a building block that other products will compose with, and the buyer needs a clear, structured assurance claim without the overhead of a full CC evaluation.
  • Industry frameworks for IoT security cite SESIP as an acceptable evaluation route - this is increasingly common, including in EU radio equipment regulation.

When you need both

It is not unusual for a single product to carry both certifications, or for a higher-level product to inherit one assurance regime through a component that carries the other. A smart card chip might be CC-certified at EAL5+ AVA_VAN.5, while a SESIP-certified IoT platform built around that chip cites the chip’s CC certificate as part of its own evidence.

How they actually differ

Assurance ladder

  • Common Criteria uses Evaluation Assurance Levels EAL1 through EAL7. Most commercial products land at EAL2 or EAL4; smart cards and secure elements at EAL4+ to EAL6+.
  • SESIP defines five levels (SESIP 1 to SESIP 5) calibrated to typical IoT deployment contexts. The top level, SESIP 5, is intended to be roughly equivalent to CC AVA_VAN.5-level resistance for the IoT context.

The levels are not directly equivalent and cross-mapping is approximate. SESIP 3 is, very roughly, comparable to a meaningful chunk of EAL4 in terms of evaluator activity, but the comparison breaks down quickly because the threat models differ.

Evaluation effort

A Common Criteria evaluation at EAL4+ (EAL4 augmented with additional assurance components) typically takes many months and substantial vendor effort: detailed design documentation, source code review, vulnerability analysis, penetration testing. The evaluator generates a comprehensive evidence package.

A SESIP evaluation at SESIP 1 or SESIP 2 is dramatically lighter. Higher SESIP levels approach CC-equivalent rigour for the specific IoT threat model but remain calibrated to a faster cadence than CC.

Reuse and composition

SESIP was designed with composition in mind. A SESIP certificate explicitly states what assurance can be inherited by products that integrate the certified component. This is particularly valuable in IoT, where a final device often uses many certified components stacked together.

Common Criteria has its own composition mechanisms (composite evaluation, ETR for composition), but they are heavier-weight and tend to be used for tightly coupled hardware/software stacks such as a smart card OS on a smart card chip.

Recognition

  • CC certificates are recognised internationally under the CCRA within stated assurance limits, and within the EU under EUCC. See EUCC vs CCRA for the EU side.
  • SESIP certificates are issued by accredited labs under the GlobalPlatform programme. Recognition is growing in IoT-specific frameworks but is not equivalent to the multilateral mutual recognition CCRA provides.

For a vendor selling internationally, that recognition gap matters. A CC certificate issued by one CCRA member can be cited in another with confidence; a SESIP certificate is increasingly accepted by IoT-specific frameworks but is not yet a substitute for CC where CC is required by procurement.

The decision in three questions

If you are picking between SESIP and Common Criteria for a new product or a procurement requirement, three questions usually settle it:

  1. Does any regulation, sectoral framework, or buyer in your target market explicitly require Common Criteria, EUCC, or a national CCRA scheme certification? If yes, the answer is CC. SESIP can be additional evidence; it is not a substitute where CC is required.
  2. Is the product a connected-device building block intended to be composed with other components, with the buyer integrating it into a final IoT device? If yes, SESIP is designed for exactly this case and is usually the right choice.
  3. Does your threat model include capable physical attackers (smart card, payment terminal, root of trust)? If yes, CC at EAL4+ with AVA_VAN.5 (or the EUCC equivalent) is typically the floor.

If the answer to all three is no, you are probably looking at a commercial IoT or industrial product where SESIP offers a better cost-to-credibility ratio than CC.

How NenkinTracker treats both

NenkinTracker indexes SESIP, CCRA, EUCC, PSA Certified, EMVCo, ESA, and MIFARE certifications side by side. SESIP-only products live in the SESIP scheme overview; CCRA + EUCC products live in Common Criteria; products that hold both surface as a single product entity with multiple certificates attached.
