Certification Schemes Overview

Common Criteria certifications are issued by national scheme bodies around the world. Each scheme operates its own accredited evaluation labs and issues certificates, but through the CCRA mutual recognition arrangement, these certificates are accepted internationally.

Summary: CC certificates are issued by national scheme bodies such as BSI, ANSSI, NIAP, and CCCS and recognised internationally through the CCRA.

Key facts

  • Governing arrangement: Common Criteria Recognition Arrangement (CCRA)
  • Member roles: Certificate Authorizing Participants (issue) and Certificate Consuming Participants (accept)
  • Major certificate-issuing schemes: BSI (Germany), ANSSI (France), NIAP (USA), CCCS (Canada), NSCIB (Netherlands), OCSI (Italy), CCN (Spain), JISEC (Japan), KECS (South Korea)
  • European regional arrangement: SOG-IS MRA for higher-assurance recognition; being transitioned into the EUCC
  • EU framework: EUCC under the EU Cybersecurity Act (Regulation 2019/881, Implementing Regulation (EU) 2024/482)
  • Evaluators: Accredited IT Security Evaluation Facilities (ITSEFs) / Conformity Assessment Bodies (CABs)

Major certification schemes

BSI (Germany)

The Bundesamt für Sicherheit in der Informationstechnik is one of the largest and most active CC certification bodies globally. BSI certifies a wide range of products including smart cards, hardware security modules, and operating systems. Germany is both a certificate-authorizing and certificate-consuming member of the CCRA.

ANSSI (France)

The Agence nationale de la sécurité des systèmes d’information operates France’s national CC scheme. ANSSI is particularly active in certifying products for European government and defense use. France has a strong tradition in formal methods and higher EAL evaluations.

NIAP (USA)

The National Information Assurance Partnership manages the U.S. CC scheme. NIAP has shifted toward Protection Profile-based evaluations, requiring products to conform to specific PPs rather than arbitrary EAL targets. This approach focuses evaluations on threat-relevant security requirements for each product category.

CCCS (Canada)

The Canadian Centre for Cyber Security operates Canada’s CC scheme. Like NIAP, CCCS emphasizes PP-conformance evaluations and participates actively in international PP development.

Other schemes

Additional CC schemes include:

  • OCSI (Italy)
  • CCN (Spain)
  • NSCIB (Netherlands)
  • JISEC (Japan)
  • ASD (Australia)
  • KECS (South Korea)

EUCC - The EU Cybersecurity Certification Scheme

The European Union Common Criteria-based Cybersecurity Certification Scheme (EUCC) is a new framework under the EU Cybersecurity Act. It builds on Common Criteria and aims to create a unified European certification process, reducing fragmentation across national schemes within the EU.

EUCC introduces two assurance levels (“substantial” and “high”) and will be managed by national cybersecurity certification authorities across EU member states.

Tracking certifications across schemes

With certifications issued by dozens of national bodies, keeping track of certificate status, new issuances, and expirations across schemes is a significant operational challenge. NenkinTracker aggregates data from these sources into a unified view, enabling teams to monitor the full CC certification landscape from one platform.
