Threat Intelligence Lab

European Union Cybersecurity Certification

The European Union Cybersecurity Certification (EUCC) explained

Written by

Reza Rafati
— in

ThreatIntelligenceLab.com

The European Commission and ENISA launched the EUCC cybersecurity certification. It aims to boost ICT product security across the EU. The EUCC standardizes voluntary certification for ICT products, showcasing adherence to security standards.

This move seeks to fortify EU cybersecurity and unify certification schemes.

The goal: secure the EU digital market and gain global recognition for these standards, setting a global benchmark.

EUCC
EUCC

The EUCC in short

What is the EUCC?

This innovative program offers ICT suppliers a chance to demonstrate their products’ security through a comprehensive EU-wide assessment. From chips and smartcards to hardware and software, the EUCC scheme ensures that technological components meet stringent security standards, bolstering consumer confidence and trust across the digital market.

What standards form the foundation of the EUCC cybersecurity certification scheme?

The EUCC cybersecurity certification scheme builds on the Common Criteria standards, specifically using ISO/IEC 15408 for Information Technology Security Evaluation and ISO/IEC 18045 to outline the security evaluation methodology.

How was the EUCC cybersecurity certification scheme developed, and what standards does it follow?

In response to a request from the European Commission, under Article 48.2 of the Cybersecurity Act, ENISA established an Ad Hoc Working Group to develop a new EU cybersecurity certification scheme, known as the EUCC. This scheme aims to certify the cybersecurity of ICT products, leveraging the Common Criteria and the Common Methodology for Information Technology Security Evaluation, aligning with ISO/IEC 15408 and ISO/IEC 18045 standards.

What is the EUCS scheme?

EUCS (European Union Cloud Services Certification): This scheme focuses on certifying the security of cloud services. EUCS aims to establish a uniform level of security for cloud service providers operating within the EU, ensuring that these services meet stringent cybersecurity standards to protect data and services hosted in the cloud.

What is the EU5G scheme?

EU5G: This certification scheme is dedicated to the security of 5G networks. Given the critical importance of 5G infrastructure to the EU’s digital economy, the EU5G scheme aims to address the specific security challenges posed by 5G technology, ensuring that 5G networks are resilient against cyber threats and vulnerabilities.

What other schemes are developed by ENISA?

ENISA is developing several cybersecurity certification schemes1 to enhance the security of the digital infrastructure and services across the European Union. Besides the EUCC scheme for ICT products, based on the Common Criteria, ENISA is working on EUCS and EU5G.

These schemes are part of the EU’s broader strategy to strengthen its cybersecurity posture, ensuring a high level of protection for ICT products, cloud services, and 5G networks across the member states.

Purpose and Objectives

Enhancing ICT Security

The EUCC is designed to establish a high standard of cybersecurity for ICT products and services in the EU market2. This includes a range of technologies like software, hardware, and digital services. The certification scheme aims to ensure that these products and services adhere to stringent security requirements.

Rating of vulnerabilities and TOE resistance (excerpt from the CEM)
Rating of vulnerabilities and TOE resistance (excerpt from the CEM)

Unifying Cybersecurity Standards

Previously, various EU member states had their own national cybersecurity certification schemes. The EUCC intends to replace these with a unified, EU-wide framework.

This harmonization is expected to simplify the certification process and make it easier for businesses to comply with consistent standards across the EU.

Implementation and Features

Voluntary Participation

One key aspect of the EUCC is that it’s voluntary. ICT suppliers can choose to certify their products under this scheme to demonstrate their commitment to cybersecurity and to gain a competitive edge in the market.

Levels of Assurance

The EUCC offers different levels of assurance, tailored to the risk associated with the intended use of the product, service, or process.

This means that products posing a higher risk will undergo more rigorous evaluation than those with lower risk levels.

Impact and Benefits

Trust and Security in the Digital Market

Implementing EUCC will boost trust and security across the EU’s digital single market.

With standardized certifications, consumers and businesses can have greater confidence in the cybersecurity of the products and services they use.

Competitive Advantage and Global Recognition

For businesses, obtaining an EUCC certification can be a significant advantage.

Demonstrating a high level of security, it not only reassures customers but also elevates the global market standing of products and services, given the worldwide recognition of EU standards as benchmarks.

Future Prospects

Broader Cybersecurity Initiatives

The EUCC is just the beginning3. ENISA is working on other cybersecurity certification schemes, including those for cloud services and 5G security.

These efforts are part of a larger strategy to establish a comprehensive cybersecurity framework within the EU.

Encouraging Continuous Improvement

The EUCC scheme aims to drive continuous improvement in cybersecurity standards.

By setting a high bar for certification, it motivates companies to consistently enhance their security measures to meet evolving threats.

Conclusion

The EUCC represents a significant step towards a more secure and unified digital landscape in the EU.

By offering a standardized certification process, it not only strengthens cybersecurity practices but also supports the growth and competitiveness of European businesses in the global digital economy.

Download the Paper

EUCC, a candidate cybersecurity certification scheme to serve as a successor to the existing SOG-IS.

Download from ENISA
Download from Threat Intelligence Lab
  1. https://www.enisa.europa.eu/topics/certification/cybersecurity-certification-framework ↩︎
  2. https://www.enisa.europa.eu/publications/cybersecurity-certification-eucc-candidate-scheme-v1-1.1 ↩︎
  3. https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-certification-group ↩︎

Written by

Reza Rafati
Reza Rafati is an experienced cyber security professional. He is the founder of Threat Intelligence Lab. He has extensive experience in the field of cyber threat intelligence, cyber takedowns, and cyber threat landscapes.