EAL2 — Structurally Tested

EAL2 is the most common Common Criteria assurance level globally. It adds a high-level design review and independent vulnerability analysis beyond the surface-level checks of EAL1, and it is the cap for CCRA mutual recognition of non-cPP evaluations.

See the list of certified products at EAL2 tracked in NenkinTracker.

Key facts

  • Assurance families covered: ADV_ARC.1, ADV_FSP.2, ADV_TDS.1, AGD_OPE.1 / AGD_PRE.1, ALC_CMC.2 / ALC_CMS.2, ALC_DEL.1, ATE_COV.1, ATE_FUN.1, ATE_IND.2, AVA_VAN.2.
  • Typical product categories: commercial software, enterprise hardware, products sold to CCRA-member governments under mutual recognition.
  • Relative cost/time: moderate; typical timelines are several months of evaluation effort plus developer preparation.
  • Attack potential resisted: Basic attacker.

What this level tests

Evaluators review a security architecture description, a functional specification, and a basic TOE design. Developer testing must document coverage and pass independent reproduction (ATE_IND.2). AVA_VAN.2 requires evaluators to perform their own penetration testing against identified vulnerabilities, not merely survey public reports.

Configuration management now requires authorization controls over the TOE (ALC_CMC.2) and coverage of the TOE itself plus parts of the development environment (ALC_CMS.2). A documented delivery procedure (ALC_DEL.1) is required.

Typical product categories

EAL2 is the de-facto baseline for commercial CC certifications: network management software, enterprise applications, database components, identity products, mobile applications, and many virtualization and hypervisor products. It is the common target for vendors who need a CCRA-recognized certificate without committing to a cPP-based evaluation.

Common misconceptions

EAL is an assurance level, not a security-strength rating. An EAL2 certificate means the evaluator reviewed a high-level design and performed Basic-potential vulnerability analysis. It does not mean the product is “twice as secure” as EAL1 or “half as secure” as EAL4. The product’s real security depends on its design, its operational environment, and how precisely its Security Target captures the deployment’s threats.

Comparison to adjacent levels

  • vs. EAL1: EAL2 adds architecture and basic design review (ADV_ARC.1, ADV_TDS.1), stronger CM and delivery requirements, and AVA_VAN.2 evaluator-driven vulnerability analysis.
  • vs. EAL3: EAL3 raises development environment security (ALC_DVS.1), adds systematic testing depth (ATE_DPT.1), and upgrades CM scope (ALC_CMS.3, ALC_LCD.1).

See the EAL Levels overview, Protection Profiles for PP-based alternatives, and the glossary for SAR vocabulary.