EUCC — The EU Cybersecurity Certification Scheme for CC
EUCC is the European Union Common Criteria-based cybersecurity certification scheme, adopted as the first candidate scheme under the EU Cybersecurity Act. It replaces SOG-IS mutual recognition for EU member states and formalises CC-based evaluation at the Union level under ENISA’s coordination.
Key facts
- Authorizing body: ENISA coordinates; national cybersecurity certification authorities (NCCAs) in each EU member state issue certificates
- Country / region: European Union
- Year established: Adopted via Commission Implementing Regulation (EU) 2024/482; application from 27 February 2025
- Product types: ICT products within scope of ISO/IEC 15408
- CCRA status: EUCC certificates are issued by EU national authorities that are CCRA members; mutual recognition with CCRA continues via those national schemes
- Canonical portal: ENISA EUCC page: https://certification.enisa.europa.eu/index_en
Overview
EUCC defines two assurance levels: substantial (mapped to CC EAL1 through EAL3) and high (mapped to CC EAL4 through EAL7). It uses ISO/IEC 15408 and the CEM as its technical baseline and incorporates Supporting Documents previously developed under SOG-IS for the smart card and hardware domain.
How evaluations work under this scheme
An applicant engages a conformity assessment body (CAB) accredited under EUCC by the relevant NCCA. The CAB evaluates the product against the claimed Protection Profile and assurance package and produces the evaluation report. The NCCA then issues the EUCC certificate at the substantial or high assurance level. ENISA maintains the EUCC product list at Union level and publishes state-of-the-art documents, including Protection Profiles recognized for EUCC use.
Notable product categories
- Smart card ICs and secure microcontrollers (the historical SOG-IS high domain)
- HSMs and payment terminals
- Network products and enterprise IT evaluated under cPPs
- eIDAS-related components (trust service components, signature creation devices)
Relationship to CC baseline
EUCC is a conformity assessment framework layered on top of Common Criteria. The substantive evaluation is still CC — SFRs, SARs, CEM, and EALs — and certified products remain listed with their CC attributes. EUCC adds EU-level governance, uniform assurance-level naming (substantial / high), and legal grounding in the Cybersecurity Act. See What is Common Criteria? for the underlying standard.
Where to find official records
- ENISA EUCC page and product list: https://certification.enisa.europa.eu/index_en
- Implementing Regulation text: https://eur-lex.europa.eu/eli/reg_impl/2024/482/oj
- National NCCAs (BSI, ANSSI, and others) publish national EUCC certificates on their own portals.
- NenkinTracker tracks EUCC certificates alongside national CC records.