
Before the EUCC, a manufacturer selling across several EU member states often faced a different set of hoops in each country. Mutual recognition existed on paper under the SOG-IS agreement, but inconsistencies in how national schemes interpreted requirements made the process less predictable than it should have been. EU cybersecurity regulation has moved to fix this. As covered in our earlier overview of EUCC: A New Cybersecurity Scheme for the Certification of ICT Products in Europe, the scheme is built around a simple goal: ICT products placed on the EU market should meet consistent, independently verified cybersecurity requirements. One certificate, issued by an accredited body, should be enough anywhere in the Union. The scheme underpins this with a fixed division of roles: licensed IT Security Evaluation Facilities (ITSEFs) perform the evaluation, accredited certification bodies issue the certificate, and National Cybersecurity Certification Authorities (NCCAs) supervise both.

The most consequential shift EUCC introduces is how assurance is defined. Under the old CC system, many teams focused on hitting a particular EAL number. The EUCC reorients that approach: the right assurance level is determined by the risk profile of the product's intended use, not by how ambitious the team wants to appear.
The scheme maps onto two levels:
Substantial assurance level: evaluations whose vulnerability analysis is performed at AVA_VAN.1 or AVA_VAN.2. In EAL terms this covers EAL1 to EAL3 (EAL1 uses AVA_VAN.1, EAL2 and EAL3 use AVA_VAN.2). Products at this level are expected to resist attackers with basic attack potential, that is, common threats from attackers with limited skills, resources and time.
High assurance level: evaluations whose vulnerability analysis is performed at AVA_VAN.3 or above, which in EAL terms covers EAL4 to EAL7 (EAL4 uses AVA_VAN.3, EAL5 uses AVA_VAN.4, EAL6 and EAL7 use AVA_VAN.5). This tier applies to products where a breach could have serious consequences, such as smartcards, hardware security modules and critical network equipment, and it requires penetration testing against attackers with enhanced-basic, moderate or high attack potential. Note that it is the AVA_VAN component, not the EAL number, that fixes the EUCC level: an EAL2 evaluation augmented with AVA_VAN.3 is a High evaluation.
As explored in our article on What "Substantial" and "High" Really Mean for ICT Security, choosing the wrong level is a common and expensive mistake. Over-engineering at High when Substantial fits the risk profile wastes resources. Under-scoping at Substantial when a product handles critical functions creates a certification gap that will surface during market surveillance.
The EUCC's technical backbone is Common Criteria, formally published as ISO/IEC 15408, with its companion evaluation methodology in ISO/IEC 18045. This is not a new standard. Governments and procurement bodies have relied on it for decades. What the EUCC does is bring that same evaluation methodology into EU law, giving it regulatory teeth.
A few things are worth understanding about how ISO 15408 operates within the EUCC:
Every evaluation begins with a Security Target (ST) — the document that defines exactly which security functions are being evaluated and which assurance requirements apply.
Products may optionally claim conformance to a Protection Profile (PP), a pre-defined set of security requirements for a category of products. Where a relevant PP exists, conformance simplifies the Security Target, makes evaluations comparable across products, and is the basis on which the scheme can later designate a PP as mandatory for a product category.
The evaluation methodology itself follows CC:2022 (which replaced CC v3.1 Release 5). On top of it, the EUCC adds lifecycle obligations that did not exist as scheme requirements under the old national schemes: certificate holders must operate a patch management process, handle and disclose vulnerabilities in the certified product, and keep monitoring it for the lifetime of the certificate. These obligations are assessed and are a condition for keeping the certificate valid.
For a detailed walkthrough of these evaluation classes, our piece on Common Criteria Assurance Levels covers each stage in practical terms. The core takeaway: documentation is not just paperwork. It is evidence. What an ITSEF reviews during evaluation has to hold up to scrutiny from the certification body.
The EUCC does not exist in isolation. It is part of a wider legislative architecture that includes the Cyber Resilience Act (CRA), the NIS2 Directive, and sector-specific requirements in areas like eIDAS 2.0.
The connection to the CRA is relevant for ICT manufacturers in a concrete way. Under Article 27 of the CRA, a product that holds an EU cybersecurity certificate at the Substantial or High level is presumed to conform with the CRA essential requirements that the certificate covers. That presumption does not remove the CRA's separate reporting obligations, which apply from 11 September 2026 (reporting of actively exploited vulnerabilities and severe incidents), but it substantially reduces the conformity assessment work a manufacturer must otherwise do on its own. As explained in our comparison of Implementing EUCC: What High-Assurance Certification Requires Beyond Traditional Common Criteria Approaches, the two frameworks are not separate hurdles; they reinforce each other.
There is also a future-planning dimension here. EUCC is designed to be the procedural and legal template for the other schemes being developed under the Cybersecurity Act: cloud services certification (EUCS), 5G network security (EU5G), and potentially schemes for AI systems. Investing in secure-by-design products and robust ICT security assurance processes now creates reusable infrastructure. As noted in Addressing Gaps in European Cybersecurity Certification, the scheme is a foundation, not a ceiling.

Achieving EUCC certification for your ICT products is more than a regulatory checkpoint; it is a market signal. By aligning with the EU Cybersecurity Certification Scheme and its risk-based Substantial and High assurance levels, manufacturers can approach conformity assessment with confidence and build products that meet the EU's evolving ICT security assurance expectations from day one.
At QIMA CCLab, we are an accredited IT Security Evaluation Facility (ITSEF) under TrustCB in the European Cybersecurity Certification Scheme on Common Criteria (EUCC), operating at the Substantial assurance level. We support ICT product manufacturers and sponsors throughout the EUCC certification process:
Common Criteria Evaluation: We offer EAL4+ evaluation projects within 4 months, supporting both national scheme transitions and new EUCC certifications.
Common Criteria Consultancy: We help manufacturers prepare all required documentation — Security Targets, design evidence, and lifecycle management materials — aligned to EUCC requirements.
Cybersecurity Certification support: From pre-evaluation readiness assessments to submission support, our experts guide you through every stage of the conformity assessment process.
What is the EUCC?
The EU Cybersecurity Certification Scheme based on Common Criteria (EUCC) is a certification framework developed under the EU Cybersecurity Act. It harmonizes CC-based evaluations across EU member states, and will replace certain national cybersecurity certification arrangements, offering a standardized recognition path across the EU.
What are the two assurance levels under the EUCC?
The EUCC defines two assurance levels: Substantial (covering EAL1 to EAL3, requiring AVA_VAN.1 or AVA_VAN.2 vulnerability analysis) and High (covering EAL4 to EAL7, requiring AVA_VAN.3 or higher). The appropriate level is determined by the risk associated with the product's intended use.
Who is involved in the EUCC evaluation process?
Three parties are involved: the vendor or sponsor, who engages a licensed laboratory and submits the product and its evidence; the laboratory (ITSEF), which performs the evaluation and reports results to the certification body; and the certification body, which reviews the evaluation, issues the certificate and oversees the laboratory's work. At the Substantial level the certification body is an accredited conformity assessment body; at the High level it is the National Cybersecurity Certification Authority or a certification body the NCCA has authorized. The NCCA supervises the whole chain in either case.
What does an EUCC evaluation actually cover?
Evaluation activities include review of the Security Target, development documentation (design and architecture), guidance materials, lifecycle practices (patch management, configuration management, delivery), functional testing, and vulnerability analysis or penetration testing. The extent of each activity depends on the chosen EAL.
How long is an EUCC certificate valid?
Certificates issued under the EUCC are valid for up to five years and can be renewed. Changes to the certified product must go through the scheme's maintenance procedures: minor changes can be handled through the certificate holder's approved patch management process, while changes that affect the evaluated security functions require re-evaluation and a corresponding update to the certificate. Certificates issued under national CC schemes before the EUCC became applicable on 27 February 2025 remain valid until their own expiry date, for at most five years after that point.