European Commission issues consultation on the European common cybersecurity certification scheme for ICT products

The proposed scheme is based on third party evaluation and self-assessment will not be permitted under this scheme. The EUCC scheme envisages seven Evaluation Assurance Levels (EAL), aligned with established international standards. It builds on a catalogue of security functional requirements and security assurance requirements contained in the Common Criteria for ICT Security Evaluation, as set out in ISO standard EN ISO/IEC 15408 (Common Criteria), and follows the Common Methodology for ICT Evaluation, as set out in ISO standard EN ISO/IEC 18045. The EUCC uses the Common Criteria’s vulnerability assessment family AVA_VAN, components 1 to 5, which indicate the degree of evaluation activities carried out to determine the level of resistance of the product against potential exploitability of flaws or weaknesses. The EUCC scheme establishes the mark and label for the certified ICT product, which demonstrates its trustworthiness and enables users to make an informed choice. The EUCC certificate will be issued for maximum of five years, unless a national cybersecurity certification authority approves a longer period of validity.

The EUCC scheme allows for the certification of ICT products against their security target, which can be defined by the applicant or can incorporate a certified protection profile covering a category of ICT products. The Draft Regulation provides for two types of conformity assessment bodies: IT Security Evaluation Facilities (ITSEF) for calibration and testing activities of the ICT product, and certification bodies for certification and inspection activities. The EUCC scheme lays down specific requirements for the certification body and the ITSEF, which include accreditation, authorisation, competence management and technical capabilities.

The EUCC scheme requires the applicant for certification to provide to the certification body and the ITSEF all information necessary for the certification activities, including the evidence, the documentation, the link to their website containing the supplementary cybersecurity information, and a description of their vulnerability management and disclosure procedures. The EUCC scheme applies the vulnerability management and disclosure procedures in accordance with the standards and the state-of-the-art documents; it also requires the holder of the certificate to perform a vulnerability analysis, and report to the certification body and the national cybersecurity certification authority. The conditions and procedures are provided for the review of an EUCC certificate, which may be requested by the holder of the certificate, the certification body, or the national cybersecurity certification authority.

The EUCC scheme defines the monitoring activities and the corrective measures to be taken by the certification body, the ITSEF, the holder of the certificate, and the national cybersecurity certification authority in case of potential non-compliance issues or vulnerabilities affecting a certified ICT product.

The EUCC scheme assigns an important role to the European Cybersecurity Certification Group and the EU Cybersecurity Agency (ENISA) in the maintenance of the scheme, the endorsement and publication of state-of-the-art documents, and the provision of guidance and recommendations.

The annexes to the Draft Regulation set out further detailed requirements to, among others:

• the content of an EUCC certificate;
• maintaining assurance continuity;
• carrying out reassessments due to the changes in threat environment of a certified product;
• carrying out impact analyses due to changes in the certified product or product category;
• patch management;
• the content of a certification report, and
• the peer assessments of a certification body.

The EUCC scheme provides for the possibility of mutual recognition agreements with third countries, subject to certain conditions and safeguards.

The consultation is open until 30 October 2023.

The final version of the regulation is expected in Q4 2023 and will become applicable 12 months after its entry into force. Once the EUCC becomes applicable, all national cybersecurity certification schemes and the related procedures for ICT products and ICT processes that are covered by the EUCC will cease to have effect insofar as they apply the evaluation standards covered by the Common Criteria. The Draft Regulation names specific national schemes in this respect, such as the certifications provided by Germany’s BSI Gesetz (Art. 9 (1), (2) and (4)), the Netherlands’ Schema voor Certificatie op het gebied van IT-Beveiliging (NSCIB), France’s Decree No. 2002-535 of 18 April 2002 on the evaluation and certification of the security offered by ICT products and systems, as well as the relevant certification schemes in Spain, Italy, Poland and Sweden.

The consultation is available here.