EUCC is here. Track every certificate moving from national CC to EUCC, in one feed.

EUCC is the Cyber Resilience Act fast lane

The Cyber Resilience Act (CRA) requires cybersecurity conformity for products with digital elements sold in the EU. For higher-risk product classes, the CRA recognises EUCC as a valid assurance route - an EUCC certificate at the right assurance level grants a presumption of conformity with the CRA's essential cybersecurity requirements for the matching class. Vendors who would have to certify under CRA anyway gain a directly recognised path: take the existing CC evaluation infrastructure, route it through an EUCC CAB, and satisfy CRA on the same evidence base.

For a deeper read, the wiki entry on EUCC vs CCRA walks through the two schemes' overlap, governance differences, and what each one means in a procurement clause.

Who this is for

• Vendor cert-program PMs whose product holds a national CC certificate today and is heading to EUCC - either for CRA conformity or because the source national scheme is winding down its standalone CC track.
• Procurement and supplier-assurance teams whose suppliers are mid-transition, where the certificate quoted on the contract may be the national one, the EUCC one, or both.
• EUCC Conformity Assessment Bodies who need a single dashboard of every EUCC issuance plus the national certificates feeding it - talk to us about the CAB / NCCA tier.

Frequently asked questions

What is the EUCC scheme?

EUCC is the EU Cybersecurity Certification scheme under the EU Cybersecurity Act, formally established by Implementing Regulation (EU) 2024/482. It re-anchors Common Criteria evaluation under EU governance: ENISA holds the framework, accredited Conformity Assessment Bodies (CABs) issue certificates, and certified products are recognised across all EU member states without per-country re-certification. Mechanically EUCC reuses Common Criteria methodology - so an existing CC evaluation transfers naturally - but the legal basis, oversight, and recognition perimeter are different.

How does EUCC relate to the Cyber Resilience Act (CRA)?

The CRA mandates cybersecurity conformity for products with digital elements sold in the EU. EUCC is the assurance route the CRA recognises for higher-risk products: an EUCC certificate at the appropriate assurance level satisfies the CRA's essential cybersecurity requirements presumption of conformity for the matching product class. For vendors who would have to certify under CRA anyway, EUCC is the fast lane - it carries pre-existing CC infrastructure and recognised mutual acceptance.

Will national CC certificates still be valid after EUCC?

Yes - existing national CC certificates remain valid through their stated expiry, and several national schemes operate transition arrangements that allow moving an existing certificate to EUCC without redoing the full evaluation. NenkinTracker tracks both the source national certificate and any EUCC certificate that supersedes it, so you can see the linkage as it is published.

How do I track the EUCC transition for my own product?

Sign in to NenkinTracker and follow your product. You will receive notifications when a new EUCC certificate is issued for it, when the source national CC certificate changes status, or when any of the EUCC CABs publishes a Maintenance Report against your evaluation. The Professional plan at 49.90 EUR/month covers a vendor-sized portfolio. The 30-day free trial includes the same features.