
Under the traditional Common Criteria framework, certification was often treated as a linear ladder. EAL5 was "better" than EAL4.
The EUCC changes the focus. It aligns directly with the EU Cybersecurity Act (CSA), classifying products based on the risk associated with their intended use.
This means your certification strategy must now start with a risk profile, not just a target number.
Substantial: Designed for products where security incidents could cause moderate damage or disruption.
High: Reserved for critical products where a breach could have catastrophic consequences, requiring resistance to state-of-the-art attacks.
Crucially, achieving these levels grants you a "presumption of conformity" with upcoming regulations. As we explored in Cyber Resilience Act & EUCC Explained: Key Differences, Overlaps and Compliance Pathways, this alignment is key for long-term market access under the Cyber Resilience Act (CRA).
If your product targets general commercial use, "Substantial" is likely your new baseline.
This category maps to Evaluation Assurance Levels EAL1 through EAL3. But the EAL number is only half the story. The real driver here is AVA_VAN (Vulnerability Analysis). For Substantial assurance, you must meet AVA_VAN.1 or AVA_VAN.2.
What this means for your engineering team:
Focus: You must prove the absence of publicly known vulnerabilities.
Attack Potential: The evaluation tests whether your product can withstand attackers with limited skills and resources.
Testing Depth: The lab performs a vulnerability survey and basic independent testing. They are not trying to break your device with military-grade exploits.
This level effectively filters out "low-hanging fruit" vulnerabilities. It proves your door is locked, but it doesn't guarantee the lock is pick-proof against a professional thief.

Your assurance level dictates the intensity of the vulnerability analysis you will face. Source: Freepik
This is where the game changes. "High" assurance is not just "Substantial Plus." It requires a substantially more rigorous approach to design and testing. This category maps to EAL4 through EAL7. The critical difference lies in the vulnerability analysis, which must reach AVA_VAN.3, AVA_VAN.4, or AVA_VAN.5.
The "High" Assurance Reality Check:
Adversary Profile: You are now defending against attackers with significant (Moderate) to expert (High) skills and resources.
Penetration Testing: The lab will perform advanced penetration testing. They will attempt to break your security using bespoke tools and complex attack vectors.
White-Box Access: For levels like EAL5 (AVA_VAN.5), you often must provide full source code and hardware logic transparency to the evaluators.
If you are building smartcards, hardware security modules (HSMs), or critical network components, "High" is not optional. It is the entry ticket. This mirrors the strict requirements seen in the digital identity sector, as discussed in EUCC Behind eIDAS 2.0, where devices like Qualified Signature Creation Devices (QSCDs) mandate high-assurance evaluations to guarantee legal validity.
There is a trap in the EUCC that many manufacturers miss. In the old world, you certified a product version and walked away. Under EUCC, particularly for Substantial and High levels, you must demonstrate continuous vulnerability management.
You cannot just pass the test once. You must have a process to:
Monitor for new vulnerabilities continuously.
Patch issues within strict timeframes; critical issues in particular must be analysed within tight deadlines.
Disclose vulnerabilities to users responsibly.
If you fail to maintain this lifecycle security, your certificate can be revoked. The "fire-and-forget" era of certification is over.
Checklist: Which Level Do You Need?
Choosing between Substantial and High defines your budget and timeline. Use this quick check:
Risk Profile: Is your product a target for state-sponsored actors or organized crime? (Go High).
Market Requirement: Does your customer (e.g., government, critical infrastructure) mandate resistance to "state-of-the-art" attacks? (Go High).
Technical Domain: Is your product a secure element, smartcard, or payment terminal? (Go High).
Hidden Safety Risks: Does your product have AI components that trigger safety regulations? See The Hidden Risks of AI Toys: Navigating the Regulatory Gap to check if you are inadvertently in a high-risk category.
General Use: Is it a standard commercial IoT device or enterprise software? (Substantial is likely sufficient).
Summary
The transition to EUCC is not just a regulatory update. It is a market reset. "Substantial" proves you have covered the basics against common threats. "High" proves you are ready for the frontline of cyber warfare. Understanding the difference, and specifically the AVA_VAN requirements, is the only way to build a certification strategy that works.
The takeaway: Do not guess your assurance level. Align your EAL and vulnerability analysis strategy with your market's risk profile today to secure your place in the European market tomorrow.
Need a visual overview? Download our EUCC Study 2026 for the most up-to-date information on the new scheme.
At QIMA CCLab, we provide professional assistance to guide manufacturers through the European Union Cybersecurity Certification (EUCC) process. As an experienced evaluation facility, we support our clients by offering:
Consultancy Services: Expert guidance to help you navigate the complexities of the new EUCC framework and Common Criteria methodologies.
Documentation Support: Dedicated assistance in preparing and reviewing the essential documentation required for compliance.
Security Evaluations: Rigorous, independent assessments of your product's security features to ensure they meet all required EUCC standards, facilitating a smoother certification journey.
What is the EUCC?
The European Union Cybersecurity Certification Scheme (EUCC) is a Common Criteria-based certification system drafted by the European Union Agency for Cybersecurity (ENISA). Adopted within the framework of the EU Cybersecurity Act (CSA), it harmonizes the evaluation and certification of Information and Communication Technology (ICT) products across Europe, replacing previous national schemes to ensure consistent cybersecurity standards across all EU member states.
What are the benefits of obtaining EUCC certification for my product?
Achieving EUCC certification demonstrates that your ICT product complies with rigorous cybersecurity standards, significantly enhancing its credibility and marketability. It also facilitates easier access to the European market by eliminating the need for multiple national certifications, allowing for the free movement of your certified products across all member states.
How can QIMA CCLab assist in achieving EUCC certification?
QIMA CCLab offers professional consultancy services to guide you through the EUCC certification process. Our team provides comprehensive support in preparing the necessary documentation, conducting independent security evaluations, and ensuring your product meets all required standards to facilitate an efficient and successful certification journey.