EU Adopts EUCC Cybersecurity Certification Scheme — January 31, 2024
The European Commission’s EUCC certification scheme introduces EU-wide Common Criteria assurance for ICT products, requiring manufacturers and buyers to align procurement, vulnerability management, and lifecycle governance.
Executive briefing: On 31 January 2024, the European Commission adopted the European Common Criteria-based cybersecurity certification scheme (EUCC) through Commission Implementing Regulation (EU) 2024/482, the first scheme under the EU Cybersecurity Act. EUCC harmonises security evaluations for information and communication technology (ICT) products across the European Union using Common Criteria methodologies. Manufacturers seeking market access, and organisations procuring critical ICT equipment, must now plan for EUCC compliance, including certification, vulnerability management, and lifecycle documentation obligations.
Scope and assurance levels. EUCC applies to ICT products and components, such as hardware security modules, routers, firewalls, identity management systems, and industrial control devices, that process data, enable networking, or provide security functions. The Cybersecurity Act defines three assurance levels (basic, substantial, and high), but EUCC issues certificates only at substantial and high; the level follows from the Common Criteria vulnerability-assessment component the evaluation achieves (AVA_VAN.1 or .2 for substantial, AVA_VAN.3 to .5 for high). Evaluations follow the Common Criteria (ISO/IEC 15408) and the Common Evaluation Methodology (ISO/IEC 18045), keeping the scheme aligned with international practice. Certificates issued under the scheme, by accredited conformity assessment bodies or, at the high level, by or under the authority of the national cybersecurity certification authority, are recognised across the EU, removing the need for separate national approvals.
Certification process. Manufacturers must define a security target, the threats it addresses, and the target evaluation assurance level (EAL) for each product. Accredited conformity assessment bodies (CABs) conduct the evaluation, including documentation review, testing, and vulnerability analysis. Certificates are issued for a fixed validity period (at most five years under the scheme) and must be maintained through re-assessment when a product changes significantly. Certificate holders must operate a vulnerability handling process, issue security updates, and report vulnerabilities that could affect the certified security properties to the certification body. Failure to maintain the certified security posture may lead the authority to suspend or withdraw the certificate.
Implications for procurement. Public sector buyers and operators of essential services can reference EUCC certificates to satisfy risk assessments and regulatory requirements (e.g., NIS2, Digital Operational Resilience Act). Procurement teams should update policies to require EUCC certification—or credible roadmaps—when sourcing high-risk ICT products. Contracts should mandate notification of certificate status changes, provide access to evaluation reports, and require adherence to security maintenance obligations. Buyers should also plan for independent verification of certificate validity through the EU cybersecurity certification register.
Vendor preparation. Manufacturers must align product development processes with EUCC expectations. Key steps include integrating secure development lifecycle practices, generating accurate software bills of materials, conducting penetration testing, and documenting configuration guidance. Vendors should establish governance for vulnerability disclosure, patch management, and end-of-life planning, ensuring updates are communicated to customers. Supply chain management becomes critical: component suppliers must support documentation requests, and outsourced development teams must follow secure coding standards.
Integration with other regulations. EUCC complements upcoming legislation such as the EU Cyber Resilience Act (CRA) and the Radio Equipment Directive delegated act on cybersecurity. Vendors should map overlapping requirements to avoid duplicative testing. For sectors subject to specific schemes (e.g., EUCS for cloud services, EU5G for telecom), organisations must track how EUCC certifications interact with vertical standards. Regulators may reference EUCC in supervision of high-risk AI systems, critical entities, or defence procurement.
Lifecycle and maintenance obligations. EUCC emphasises ongoing security beyond initial certification. Vendors must monitor for vulnerabilities, publish advisories, and provide security updates within defined timelines. They should maintain incident response processes, coordinate with national authorities, and inform customers of remediation steps. Buyers must track update availability, apply patches promptly, and document compliance in asset management systems. Failure to maintain EUCC requirements could affect regulatory reporting or insurance coverage.
Assurance documentation. Certificates include security targets, evaluation reports, and maintenance conditions. Organisations should archive these documents within governance risk and compliance platforms to support audits and board reporting. Internal audit teams may review EUCC-certified products to confirm that deployment configurations match evaluated baselines and that update processes align with maintenance obligations.
Third-country recognition. EUCC builds on the Common Criteria Recognition Arrangement (CCRA), under which certificates from participating non-EU countries are mutually recognised only up to limited assurance levels (EAL2, with flaw remediation, or a collaborative Protection Profile); higher levels rely on separate agreements such as the European SOG-IS arrangement that EUCC replaces within the EU. Multinational vendors can reuse existing Common Criteria evaluation evidence as a foundation for EUCC adoption, but they must still meet the EU-specific obligations, notably vulnerability handling and reporting to the certification body and national authorities.
Implementation roadmap. Organisations should inventory ICT products within scope, prioritising those supporting critical services. Manufacturers should engage CABs early to plan evaluation schedules and resource requirements. Buyers should collaborate with vendors to understand certification timelines and potential cost impacts. Both parties should update risk registers to capture EUCC dependencies, allocate budgets for certification fees, and integrate requirements into project plans.
Metrics and governance. Boards and executive committees should receive metrics on percentage of critical ICT products certified under EUCC, number of outstanding certification projects, vulnerability remediation timelines, and supplier compliance status. Procurement and security teams should monitor certificate expirations, track incidents affecting certified products, and report on any deviations from evaluated configurations. Regulators and auditors may request evidence of EUCC compliance during inspections or supervisory reviews.
EUCC marks a significant step toward harmonised cybersecurity assurance in Europe. Manufacturers that invest early in certification processes, and buyers that embed EUCC requirements into procurement and lifecycle governance, will be better prepared for forthcoming regulatory scrutiny and will enhance trust in critical ICT products across the single market.
High assurance requirements. Achieving the high assurance level involves rigorous vulnerability analysis, penetration testing, and life-cycle support evaluations. CABs will scrutinise development environments, configuration management systems, and delivery processes to ensure that what reaches the customer is the product that was evaluated. Vendors targeting critical infrastructure customers should plan for longer evaluation timelines, dedicate engineering support for evidence generation, and maintain secure distribution channels (for example code signing of release artefacts and tamper-evident packaging). Buyers relying on high assurance certificates should verify that each deployed version matches the evaluated release, for instance by checking the artefact's signature and digest against the vendor's published release information, and that updates undergo re-evaluation or maintenance review when the scheme requires it.
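The last sentence describes a check a buyer can automate. The following Go program is an added example, not code from the page, the scheme, or any vendor; it assumes the vendor publishes an Ed25519-signed release manifest next to each evaluated build and that the buyer holds the vendor's release public key out of band. The manifest format, the field names, the certificate identifier and the firmware bytes are all constructed for the example. The order of operations is the point: the manifest signature is verified before the manifest is parsed, so an altered manifest is never trusted, and only then is the deployed artefact's digest compared with the evaluated one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ReleaseManifest describes one evaluated release. The field set is an
// assumption for this example; EUCC does not prescribe a manifest format.
type ReleaseManifest struct {
	Product       string `json:"product"`
	Version       string `json:"version"`
	CertificateID string `json:"certificate_id"` // identifier as listed in the register (constructed here)
	SHA256        string `json:"sha256"`         // hex digest of the evaluated artefact
}

// GenerateReleaseKey returns a fresh Ed25519 key pair standing in for the
// vendor's release-signing key (in practice held in an HSM, not generated here).
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest is the vendor side: it fills in the artefact digest, serialises
// the manifest and signs exactly the bytes that will be distributed.
func SignManifest(priv ed25519.PrivateKey, m ReleaseManifest, artifact []byte) (manifestJSON, sig []byte, err error) {
	sum := sha256.Sum256(artifact)
	m.SHA256 = hex.EncodeToString(sum[:])
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyDeployment is the buyer side: authenticate the manifest before trusting
// anything in it, then compare the deployed artefact with the evaluated digest.
// On success it returns the manifest so the caller can record product, version
// and certificate identifier in its asset inventory.
func VerifyDeployment(pub ed25519.PublicKey, manifestJSON, sig, artifact []byte) (*ReleaseManifest, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("release public key has wrong length")
	}
	// Signature first: an unsigned or altered manifest must not even be parsed.
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m ReleaseManifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest digest malformed")
	}
	got := sha256.Sum256(artifact)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, fmt.Errorf("deployed %s %s does not match the evaluated release", m.Product, m.Version)
	}
	return &m, nil
}

func main() {
	pub, priv, err := GenerateReleaseKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample artefact and manifest; not a real product or certificate.
	firmware := []byte("example-firewall-firmware-v3.2.1")
	m := ReleaseManifest{Product: "ExampleFW", Version: "3.2.1", CertificateID: "EXAMPLE-CERT-0001"}
	manifestJSON, sig, err := SignManifest(priv, m, firmware)
	if err != nil {
		panic(err)
	}
	if _, err := VerifyDeployment(pub, manifestJSON, sig, firmware); err != nil {
		panic(err)
	}
	fmt.Println("deployed image matches the evaluated release")

	// Image patched in the field without re-evaluation: digest mismatch.
	_, err = VerifyDeployment(pub, manifestJSON, sig, append(firmware, '!'))
	fmt.Println("tampered artefact:", err)

	// Manifest edited to cover the tampered image: the signature no longer verifies.
	forged := append([]byte(nil), manifestJSON...)
	forged[len(forged)-3] ^= 0x01 // flip a bit in the last digest character
	_, err = VerifyDeployment(pub, forged, sig, firmware)
	fmt.Println("forged manifest:", err)
}
```

In production the public key would be pinned from the vendor's certificate documentation rather than generated at runtime, and the returned manifest fields are what the asset register should store against each deployed unit so that certificate expiry and deviation reporting (see the governance metrics below) can be driven from inventory data.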
Stakeholder engagement. The European Union Agency for Cybersecurity (ENISA) will manage the certification framework, publish guidance, and maintain the EUCC certificate register. Organisations should monitor ENISA communications, participate in stakeholder groups, and provide feedback on scheme evolution. Industry associations can facilitate knowledge sharing on evaluation best practices and coordinate responses to emerging requirements.
Risk management integration. EUCC certifications should feed into enterprise risk registers, supplier scorecards, and compliance reporting. Security teams must map certified security features to risk mitigation plans, noting residual risks not covered by evaluations. Internal audit and compliance functions should schedule periodic reviews to confirm ongoing adherence and to evaluate whether EUCC-certified products reduce regulatory reporting burdens under NIS2 or sector-specific supervisory regimes.
Customer communication. Vendors and service providers should develop communication plans to inform customers about certification status, upcoming reassessments, and security advisories. Transparent updates build trust and help customers coordinate patch deployment, change management approvals, and regulatory notifications tied to EUCC requirements.