Which EAL Do I Need? A Procurement Decision Guide

“What EAL do we need?” is one of the most common procurement questions in Common Criteria. It is also one of the most commonly answered backwards. Many procurement teams pick a number first and then look for products that meet it, when the right approach is to start with the threat environment, the regulatory requirements, and the available Protection Profiles, and let the EAL fall out of those constraints.

This post walks through the decision in the order it should actually be made.

Step 1: Be clear about what an EAL is

An Evaluation Assurance Level measures how rigorously a product was evaluated, not how secure it is. A simple product evaluated at EAL4 and a complex product evaluated at EAL2 may offer equivalent real-world security for their respective use cases.

That distinction matters because procurement teams sometimes treat EAL as a linear security score, leading to requirements like “must be EAL4 or higher” without considering whether a higher assurance level adds anything for the specific threat model.

For background on what each level requires, see our EAL reference and the EAL levels explained guide.

Step 2: Start from the regulatory requirement, if any

If your procurement is governed by a regulation, framework, or sector-specific scheme that names a specific EAL or Protection Profile, the decision is largely made for you.

  • US federal procurement typically requires NIAP-certified products. NIAP requires conformance to a specific Protection Profile; the PP determines the assurance level rather than EAL being a free choice.
  • EU government and EUCC-regulated procurement is increasingly aligned to EUCC. EUCC defines its own assurance levels mapped onto the EAL ladder; the regulation or sectoral framework citing EUCC will name the level.
  • EU smart card and secure element markets historically demanded EAL4+ with augmentation such as AVA_VAN.5. This is migrating into the EUCC framework; see our EUCC vs CCRA reference.
  • National defence procurement in CCRA member states often requires EAL4+ or higher under that nation’s scheme.
  • Payment industry products typically require certifications under EMVCo and PCI in addition to or instead of CC.

If your procurement is bound by one of these frameworks, the rest of this guide is informational. The framework’s required EAL or PP is the answer.

Step 3: If you can choose, start with a Protection Profile

Outside regulated procurement, the best practice is to write requirements in terms of Protection Profile conformance, not EAL alone.

A PP describes what security functions a product in a given category should implement. It anchors the evaluation in a threat-relevant baseline rather than an arbitrary assurance level. “Conformant to NDcPP at EAL2” is more meaningful than “EAL4 certified” because the former says what was tested, not just how thoroughly.

If a Protection Profile exists for the category of product you are buying, search for products that conform to it. The PP already encodes the consensus on what assurance level is appropriate. Use the Protection Profile catalog to find PPs and conforming products.

Step 4: If no PP applies, work back from threat severity

For categories without an applicable PP, the EAL question becomes: what level of evaluator effort do you need to trust the product?

A useful rough mapping, calibrated against current market practice:

Threat context                                                          Typical EAL target
Commodity commercial IT, low-sensitivity data, public-facing services   EAL2
Enterprise infrastructure, business-critical data, internal admin tooling   EAL2 to EAL4
Regulated-sector infrastructure (health, finance, telecoms)             EAL4 or EAL4+
Government and defence, non-classified                                  EAL4+ with augmentation
Smart cards, secure elements, payment terminals                         EAL4+ with AVA_VAN.5, or higher
Government and defence, classified; dedicated hardware roots of trust   EAL5 to EAL7

These are starting points, not rules. The right EAL depends on the threat environment, the regulatory regime, the product category, and the cost of failure.

Step 5: Understand what + means

A + after the EAL indicates augmentation. The base EAL is a standard package of assurance requirements; + means one or more additional assurance components were added on top.

Common augmentations include:

  • AVA_VAN.5 - enhanced vulnerability analysis. Required de facto for smart cards, secure elements, and HSMs in many markets.
  • ALC_FLR.2 or ALC_FLR.3 - flaw remediation procedures. Indicates the vendor has a defined process for handling security flaws found after certification.
  • ALC_DVS.2 - sufficiency of security measures during development. Used for products where supply-chain security matters.

EAL4+ is not a single thing. Two products labelled EAL4+ may have very different augmentations. Always look in the Security Target to see exactly which components were added.

Step 6: Avoid four common mistakes

These come up repeatedly in procurement reviews.

  1. Specifying an EAL without a PP. “Must be EAL4 certified” is weaker than “must be conformant to PP-X at EAL2 or higher” because the EAL says nothing about what the product was tested to do. Specify the PP.
  2. Asking for higher EAL “to be safe”. Higher EALs significantly increase evaluation cost and time. If the threat model does not require the additional assurance, the higher EAL adds expense without value, narrows the supplier pool, and slows procurement.
  3. Treating CCRA recognition as universal. The CCRA recognises evaluations up to EAL2 across all members, and higher levels for specific collaborative Protection Profiles. EAL5 and above are typically recognised only within the issuing scheme. See EUCC vs CCRA for how this changes inside the EU.
  4. Ignoring the TOE. A certificate covers a specific Target of Evaluation, not the entire product the vendor sells. A high EAL on a narrow TOE can be less meaningful than a lower EAL on a broader TOE. Read the Security Target.

Quick-reference decision flow

If you want a one-line summary:

  1. Is your procurement governed by a regulation that names a level or PP? Use that.
  2. Does an applicable Protection Profile exist? Specify PP conformance with the PP’s recommended EAL.
  3. No PP, but high-assurance product category (smart card, HSM, secure element)? EAL4+ with AVA_VAN.5 is the typical baseline.
  4. No PP, regulated-sector infrastructure? EAL4 or EAL4+.
  5. No PP, general commercial IT? EAL2.
  6. Defence or classified context? Talk to the relevant authority; standard answers do not apply.

How NenkinTracker helps

NenkinTracker lets you filter the Common Criteria certified product database by EAL, PP, scheme, and status, so you can shortlist products that match your decision quickly. Per-EAL pages such as EAL4 across all schemes and EAL × scheme intersections such as EAL4 EUCC surface the specific slice you need.

See also