EUCC vs CCRA - How the Two Common Criteria Frameworks Relate

EUCC and CCRA are both Common Criteria certification frameworks, both based on ISO/IEC 15408, and both produce certificates that look similar on paper. They are not the same. EUCC is a European Union regulatory scheme operated under the EU Cybersecurity Act; CCRA is an international arrangement under which national schemes mutually recognise each other’s evaluations. This entry summarises how the two relate and where they diverge.

Summary: CCRA is the multilateral mutual-recognition arrangement among national schemes worldwide; EUCC is the EU-specific Common Criteria scheme operated under EU regulation. EUCC succeeds the SOG-IS MRA inside the EU, while CCRA continues to provide international recognition for participating nations.

At a glance

Type
  CCRA: International mutual-recognition arrangement
  EUCC: EU-wide regulatory certification scheme

Legal basis
  CCRA: Voluntary multilateral arrangement (most recently revised 2014)
  EUCC: EU Cybersecurity Act (Regulation (EU) 2019/881), Implementing Regulation (EU) 2024/482

Operator
  CCRA: National scheme bodies, coordinated through the CCRA Management Committee
  EUCC: ENISA together with national certification authorities

Recognition
  CCRA: Certificates recognised across CCRA member nations under stated assurance limits
  EUCC: Certificates recognised across EU member states

Standard
  CCRA: Common Criteria (ISO/IEC 15408) and CEM (ISO/IEC 18045)
  EUCC: Common Criteria (ISO/IEC 15408) and CEM, with EU-specific implementing rules

Successor to
  CCRA: First CCRA arrangement (2000)
  EUCC: SOG-IS MRA, for EU member states

Geographic scope
  CCRA: Worldwide, ~31 member nations
  EUCC: EU plus participating EFTA members

What CCRA does

The Common Criteria Recognition Arrangement is a voluntary international arrangement under which participating authorities issue Common Criteria certificates and recognise each other’s evaluations within stated assurance limits. The CCRA defines:

  • A common evaluation methodology (CEM) so labs in different countries produce comparable results.
  • A list of Authorising Members that issue certificates and Consuming Members that recognise them without re-evaluation.
  • Mutual-recognition limits, typically EAL2 for general evaluations and higher EALs for evaluations conformant to specific collaborative Protection Profiles (cPPs).

CCRA membership is not membership of a single regulator. Each participating nation runs its own scheme: BSI in Germany, ANSSI in France, NIAP in the United States, JISEC in Japan, CCCS in Canada, and so on. CCRA defines the rules under which those schemes’ certificates travel internationally.

What EUCC does

The EUCC is the European Union’s first cybersecurity certification scheme adopted under the EU Cybersecurity Act (Regulation (EU) 2019/881). Implementing Regulation (EU) 2024/482 sets out its operational rules. EUCC:

  • Is a regulatory scheme, not a voluntary arrangement. Where required by EU sectoral regulation or by national rules implementing the Cybersecurity Act, EUCC certification can be a legal prerequisite.
  • Is operated by ENISA in cooperation with national certification authorities and the European Cybersecurity Certification Group.
  • Succeeds the SOG-IS MRA for EU member states. Existing SOG-IS certificates can transition to EUCC under defined procedures.
  • Defines its own assurance levels that map onto the Common Criteria EAL ladder, with additional EU-specific procedures for handling vulnerabilities, maintenance, and patch management.

EUCC builds on the Common Criteria standard rather than replacing it: the underlying ISO/IEC 15408 evaluation methodology is unchanged, but EUCC adds EU regulatory wrapping on top.

How they coexist

For a product seeking broad market recognition, the question is rarely “EUCC or CCRA” but rather “what combination of certifications does my market require”. Common patterns:

  • EU government and regulated-sector procurement is increasingly oriented toward EUCC, with SOG-IS recognition winding down for EU member states.
  • Non-EU government procurement (US federal, Japan, Canada, and others) continues to rely on national CCRA schemes.
  • Smart cards and secure microcontrollers historically certified under SOG-IS at high assurance levels are migrating their recognition to EUCC over a transition period.
  • Vendors targeting both EU and non-EU markets typically pursue a CCRA certification for international recognition together with an EUCC-aligned certification or transition for EU regulatory acceptance.

The exact migration mechanics differ by product category and by national authority. Vendors should consult their primary scheme early when planning evaluations whose certificates need to be valid under both frameworks.

Differences worth knowing

A few points where EUCC and CCRA diverge in operational details:

  • Vulnerability handling. EUCC has explicit obligations on certificate holders for vulnerability management and patch dissemination. CCRA leaves vulnerability handling to the issuing scheme’s national rules.
  • Validity periods. Both frameworks rely on the underlying CC assurance-continuity process for maintenance and re-evaluation, but EUCC adds EU-level rules around patch management and conformity reporting.
  • Authority over issued certificates. A CCRA certificate is owned by the issuing national scheme. An EUCC certificate is governed under EU regulation, with national certification authorities operating within that framework.
  • Mark and labelling. EUCC certificates carry the EUCC mark; CCRA certificates carry the issuing scheme’s mark and may also carry the CCRA logo if the certificate is recognised by the arrangement.

Tracking certificates across both

NenkinTracker indexes EUCC and CCRA certifications side by side and links them to the same product where that linkage is published by the schemes. The EUCC scheme overview and the recent EUCC certifications page cover the EU-side surface; CCRA certifications across all member schemes appear in the Common Criteria database.

See also