CybersecurityEU Adopts EUCC Cybersecurity Certification Scheme — January 31, 2024
The European Commission’s EUCC certification scheme introduces EU-wide Common Criteria assurance for ICT products, requiring manufacturers and buyers to align procurement, vulnerability management, and lifecycle governance.
Accuracy-reviewed by the editorial team
On , the European Commission adopted the European Common Criteria-based cybersecurity certification scheme (EUCC), the first scheme under the EU Cybersecurity Act. EUCC harmonizes security evaluations for information and communication technology (ICT) products across the European Union using Common Criteria methodologies. Manufacturers seeking market access, and teams procuring critical ICT equipment, must now plan for EUCC compliance, including certification, vulnerability management, and lifecycle documentation obligations.
Scope and assurance levels. EUCC applies to ICT products and components—such as hardware security modules, routers, firewalls, identity management systems, and industrial control devices—that process data, enable networking, or provide security functions. The scheme supports three assurance levels: basic, significant, and high. Evaluations follow Common Criteria ISO/IEC 15408 standards and ISO/IEC 18045 methodologies, ensuring alignment with global practices. Certificates issued by accredited national cybersecurity certification authorities become valid across the EU, reducing the need for multiple national approvals.
Certification process. Manufacturers must define security targets, threat models, and evaluation assurance levels (EALs) for their products. Accredited conformity assessment bodies (CABs) conduct evaluations, including documentation review, testing, and vulnerability analysis. Certificates have defined validity periods and require maintenance when significant changes occur. Vendors must implement vulnerability handling processes, issue security updates, and report incidents that could impact certified security properties. Failure to maintain security posture may lead authorities to suspend or withdraw certificates.
Implications for procurement. Public sector buyers and operators of essential services can reference EUCC certificates to satisfy risk assessments and regulatory requirements (for example, NIS2, Digital Operational Resilience Act). Procurement teams should update policies to require EUCC certification—or credible roadmaps—when sourcing high-risk ICT products. Contracts should mandate notification of certificate status changes, provide access to evaluation reports, and require adherence to security maintenance obligations. Buyers should also plan for independent verification of certificate validity through the EU cybersecurity certification register.
Vendor preparation. Manufacturers must align product development processes with EUCC expectations. Key steps include integrating secure development lifecycle practices, generating accurate software bills of materials, conducting penetration testing, and documenting configuration guidance. Vendors should establish governance for vulnerability disclosure, patch management, and end-of-life planning, ensuring updates are communicated to customers. Supply chain management becomes critical: component suppliers must support documentation requests, and outsourced development teams must follow secure coding standards.
Integration with other regulations. EUCC complements upcoming legislation such as the EU Cyber Resilience Act (CRA) and the Radio Equipment Directive delegated act on cybersecurity. Vendors should map overlapping requirements to avoid duplicative testing. For sectors subject to specific schemes (for example, EUCS for cloud services, EU5G for telecom), teams must track how EUCC certifications interact with vertical standards. Regulators may reference EUCC in supervision of high-risk AI systems, critical entities, or defense procurement.
Lifecycle and maintenance obligations. EUCC emphasizes ongoing security beyond initial certification. Vendors must monitor for vulnerabilities, publish advisories, and provide security updates within defined timelines. They should maintain incident response processes, coordinate with national authorities, and inform customers of remediation steps. Buyers must track update availability, apply patches promptly, and document compliance in asset management systems. Failure to maintain EUCC requirements could affect regulatory reporting or insurance coverage.
Assurance documentation. Certificates include security targets, evaluation reports, and maintenance conditions. Teams should archive these documents within governance risk and compliance platforms to support audits and board reporting. Internal audit teams may review EUCC-certified products to confirm that deployment configurations match evaluated baselines and that update processes align with maintenance obligations.
Third-country recognition. EUCC follows the Common Criteria Recognition Arrangement (CCRA), helping recognition of certificates issued by participating non-EU countries up to certain assurance levels. Multinational vendors can use existing Common Criteria certificates as a foundation for EUCC adoption, though they must address EU-specific requirements such as vulnerability handling obligations and reporting to national authorities.
Implementation roadmap. Teams should inventory ICT products within scope, prioritizing those supporting critical services. Manufacturers should engage CABs early to plan evaluation schedules and resource requirements. Buyers should collaborate with vendors to understand certification timelines and potential cost impacts. Both parties should update risk registers to capture EUCC dependencies, allocate budgets for certification fees, and integrate requirements into project plans.
Metrics and governance. Boards and executive committees should receive metrics on percentage of critical ICT products certified under EUCC, number of outstanding certification projects, vulnerability remediation timelines, and supplier compliance status. Procurement and security teams should monitor certificate expirations, track incidents affecting certified products, and report on any deviations from evaluated configurations. Regulators and auditors may request evidence of EUCC compliance during inspections or supervisory reviews.
EUCC marks a significant step toward harmonized cybersecurity assurance in Europe. Manufacturers that invest early in certification processes, and buyers that embed EUCC requirements into procurement and lifecycle governance, will be better prepared for forthcoming regulatory scrutiny and will improve trust in critical ICT products across the single market.
High assurance requirements. Achieving the high assurance level involves rigorous vulnerability analysis, penetration testing, and life-cycle support evaluations. CABs will scrutinise development environments, configuration management systems, and delivery processes to ensure authenticity of certified products. Vendors targeting critical infrastructure customers should plan for longer evaluation timelines, dedicate engineering support for evidence generation, and maintain secure distribution channels (for example, code signing, tamper-evident packaging). Buyers relying on high assurance certificates should verify that deployed versions match evaluated releases and that any updates undergo re-evaluation when required.
Stakeholder engagement. The European Union Agency for Cybersecurity (ENISA) will manage the certification framework, publish guidance, and maintain the EUCC certificate register. Teams should monitor ENISA communications, participate in stakeholder groups, and provide feedback on scheme evolution. Industry associations can help knowledge sharing on evaluation good practices and coordinate responses to emerging requirements.
Risk management integration. EUCC certifications should feed into enterprise risk registers, supplier scorecards, and compliance reporting. Security teams must map certified security features to risk mitigation plans, noting residual risks not covered by evaluations. Internal audit and compliance functions should schedule periodic reviews to confirm ongoing adherence and to evaluate whether EUCC-certified products reduce regulatory reporting burdens under NIS2 or sector-specific supervisory regimes.
Customer communication. Vendors and service providers should develop communication plans to inform customers about certification status, upcoming reassessments, and security advisories. Transparent updates build trust and help customers coordinate patch deployment, change management approvals, and regulatory notifications tied to EUCC requirements.
Path to implementation
If you are affected, develop setup roadmaps that account for resource constraints, dependencies, and risk priorities. Phased approaches typically provide better outcomes than attempting full changes simultaneously. Early wins build momentum and show value to teams.
Progress monitoring should track setup activities against planned timelines and identify potential issues requiring intervention. Regular reporting keeps teams informed and maintains organizational focus on setup priorities.
Engaging stakeholders
Effective stakeholder engagement ensures alignment on objectives, expectations, and setup approaches. Communication should be tailored to different audiences, providing appropriate levels of detail for technical and executive teams.
Change management processes should address organizational readiness and potential resistance to new requirements or practices. Training and support resources help ensure successful adoption of required changes.
Ongoing improvement
Continuous improvement processes should incorporate lessons learned and feedback from setup experiences. Regular reviews help identify improvement opportunities and ensure approaches remain aligned with evolving requirements.
Documentation of setup activities and outcomes provides evidence of due diligence and supports ongoing maintenance. Knowledge capture ensures institutional learning is preserved for future reference.
Continue in the Cybersecurity pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
Cybersecurity Operations Playbook
Use our research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.
-
Network Security Fundamentals Explained Practically
A practitioner-focused guide to network security fundamentals covering firewalls, segmentation, IDS/IPS, DNS security, VPNs, wireless security, zero trust architecture, and traffic…
-
Small Business Cybersecurity Survival Checklist
A budget-conscious cybersecurity checklist built specifically for small businesses. This guide covers foundational security policies, network hardening, employee training, phishing…
Coverage intelligence
- Published
- Coverage pillar
- Cybersecurity
- Source credibility
- 87/100 — high confidence
- Topics
- EU cybersecurity · Certification · Common Criteria · Supply chain assurance
- Sources cited
- 3 sources (digital-strategy.ec.europa.eu, ec.europa.eu, iso.org)
- Reading time
- 6 min
Further reading
- European Commission Adopts First EU Cybersecurity Certification Scheme for ICT Products
- EUCC Implementing Act Publication
- ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization
Comments
Community
We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.
No approved comments yet. Add the first perspective.