BSI — Germany's Common Criteria Scheme
BSI, the Bundesamt für Sicherheit in der Informationstechnik, is Germany’s national cybersecurity agency and the certification body for Common Criteria evaluations carried out in Germany. It is one of the most active authorizing schemes under the CCRA and a central participant in European high-assurance ecosystems.
Key facts
- Authorizing body: Bundesamt für Sicherheit in der Informationstechnik (BSI)
- Country / region: Germany
- Year established: BSI was created in 1991; its CC scheme operates under the national IT security certification regulation (BSI-Gesetz)
- Product types: smart cards and ICs, payment terminals, HSMs, digital tachographs, eID systems, operating systems, network products, and signature-law components
- CCRA status: Certificate Authorizing Member; historically a SOG-IS authorizing member for smart cards; now a designated EUCC certification authority under the EU Cybersecurity Act
- Canonical portal: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/zertifizierung-und-anerkennung_node.html
Overview
BSI publishes Certification Reports and Security Targets for every completed evaluation, which means the scheme produces a large and detailed public record. German ITSEFs include long-standing labs specializing in smart card hardware, cryptographic modules, and payment systems. BSI coordinates with the Common Criteria Recognition Arrangement for international mutual recognition and is a primary driver of high-assurance evaluations in the EU.
How evaluations work under this scheme
An applicant engages an ITSEF accredited by BSI. The ITSEF performs work units defined in the CEM and any applicable Supporting Documents, then drafts an Evaluation Technical Report. BSI reviews the ETR, resolves any observations, and issues the Certification Report and certificate. For smart card products, evaluations typically follow BSI’s guidance on attack methods and interpretations (often referred to as the “JIL” documents co-published with SOG-IS partners).
BSI also operates a maintenance process based on assurance continuity: vendors submit impact analyses and maintenance reports to extend certificates after minor changes, without triggering a full re-evaluation.
Notable product categories
- Smart card ICs and secure microcontrollers at EAL4+ through EAL6+ (with AVA_VAN.5)
- Payment terminals and HSMs evaluated against relevant Protection Profiles
- Digital tachographs for compliance with EU regulations
- Signature-law products for qualified electronic signatures
- Network devices and operating systems (certified periodically, though less frequently than products in the embedded segment)
Relationship to CC baseline
BSI evaluations follow the Common Criteria baseline established by ISO/IEC 15408 and CC:2022, augmented by the smart card interpretations developed jointly with European partners. Under the transition to EUCC, BSI acts as a national cybersecurity certification authority, issuing EUCC certificates alongside its traditional CC certificates where applicable.
Where to find official records
- BSI Certification Reports: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/zertifizierung-und-anerkennung_node.html
- CCRA portal listings for BSI: https://www.commoncriteriaportal.org/products/
- NenkinTracker consolidates BSI certificate metadata with records from other schemes for cross-scheme monitoring.
See also: What is Common Criteria?, EAL Levels, Protection Profiles, Glossary.