ANSSI — France's Common Criteria Scheme

ANSSI, the Agence nationale de la sécurité des systèmes d’information, is France’s national cybersecurity agency and the certification body for Common Criteria evaluations performed in France. It is a long-standing CCRA authorizing scheme and a major issuer of high-assurance certifications.

Key facts

• Authorizing body: Agence nationale de la sécurité des systèmes d’information (ANSSI)
• Country / region: France
• Year established: ANSSI was created in 2009, taking over responsibilities from the former DCSSI; France has operated a national CC scheme since the original Common Criteria were published
• Product types: smart cards and ICs, HSMs, secure microcontrollers, eID components, network devices, operating systems, mobile devices
• CCRA status: Certificate Authorizing Member; historically a SOG-IS authorizing member; designated EUCC certification authority in France
• Canonical portal: https://cyber.gouv.fr/en/certification

Overview

ANSSI is known for strict procedural discipline and for operating the Certification de Sécurité de Premier Niveau (CSPN), a national, lighter-weight scheme distinct from Common Criteria. For CC proper, ANSSI certifies at EAL levels up to EAL7 in technical domains where SOG-IS (and now EUCC) allowed high-assurance recognition, most notably smart card hardware and software.

How evaluations work under this scheme

Evaluations are carried out by ANSSI-licensed Centres d’évaluation de la sécurité des technologies de l’information (CESTI), the French designation for an ITSEF. The CESTI produces an Evaluation Technical Report and ANSSI issues the final Certification Report. France has a strong tradition in formal methods, which makes ANSSI one of the schemes most familiar with EAL5+, EAL6, and EAL7 evaluations.

Beyond standard CC, ANSSI actively publishes technical notes and interpretations, and coordinates with its European peers on smart card attack methodology.

Notable product categories

• Smart card ICs and embedded secure elements at high EALs with AVA_VAN.5
• Smart card operating systems (including Java Card platforms)
• Payment and banking products
• eID components for French and European government use
• Qualified trust service components under eIDAS

Relationship to CC baseline

ANSSI evaluations follow ISO/IEC 15408 and CC:2022. France participates in international Protection Profile development, particularly for smart cards and embedded devices, and is a designated EUCC authority issuing certificates under the EU Cybersecurity Act framework.

Where to find official records

• ANSSI certified products catalog: https://cyber.gouv.fr/en/products-certified-cc
• Published CSPN and CC certificates: https://cyber.gouv.fr/en/certification
• CCRA portal listings for France: https://www.commoncriteriaportal.org/products/
• NenkinTracker normalizes ANSSI records with those of other schemes for unified monitoring.

See also: What is Common Criteria?, EAL Levels, Protection Profiles, Glossary.