EU Adopts EUCC Cybersecurity Certification Scheme — January 31, 2024
The European Commission approved the first EU-wide certification scheme for ICT products using Common Criteria assurance levels.
Executive briefing: On January 31, 2024 the European Commission adopted the European Common Criteria-based cybersecurity certification scheme (EUCC), the first EU-wide scheme issued under the Cybersecurity Act (Regulation (EU) 2019/881). EUCC provides harmonized security assurance for hardware and software ICT products (for example smart cards, secure elements and security software) evaluated against the Common Criteria.
Scheme highlights
- Assurance levels. EUCC certifies at the Cybersecurity Act levels substantial and high only (the Act's basic level is not used by this scheme). The level is determined by the Common Criteria vulnerability-analysis component applied: substantial corresponds to AVA_VAN.1 or AVA_VAN.2, high to AVA_VAN.3 to AVA_VAN.5, so a buyer should check the AVA_VAN component on the certificate, not just the label.
- Mutual recognition. Certificates issued by conformity assessment bodies that are accredited (and, for level high, authorised by the national cybersecurity certification authority) are valid across all EU member states, reducing duplicate testing for manufacturers selling into several markets.
- Security maintenance. Vendors must implement vulnerability handling processes, patch management, and lifecycle documentation to retain certification.
Impact for organizations
- Procurement confidence. Public sector buyers and regulated industries can rely on EUCC certificates when sourcing critical ICT products.
- Market access. Manufacturers targeting European customers should plan for EUCC evaluations in place of the national Common Criteria schemes they currently use (such as Germany’s BSI certifications), since EUCC is designed to supersede those schemes for the products it covers.
- Supply chain assurance. EUCC documentation offers evidence for NIS2 supply chain requirements and third-party risk assessments.
Recommended actions
- Inventory ICT products used in critical environments and identify where EUCC-certified alternatives can reduce assurance gaps.
- Engage with accredited conformity assessment bodies early to understand testing timelines and evidence expectations.
- Align vulnerability disclosure and patching processes with EUCC maintenance obligations to preserve certification status.