The European Commission has adopted the implementing regulation concerning the EU Cybersecurity Certification Scheme on Common Criteria (EUCC). It is the first approved scheme under Regulation (EU) 2019/881 (Cybersecurity Act) [1].

This regulation specifies the roles, rules, obligations, and structure of the European Common Criteria-based cybersecurity certification scheme in accordance with the European cybersecurity certification framework outlined in the Cybersecurity Act.

The implementing regulation refers to documents known as State-of-the-Art (SoA). There will be – inter alia – three SoA documents regarding:

  • Accreditation of ITSEFs (Information Technology Security Evaluation Facilities),
  • Accreditation of Certification Bodies (CBs), and
  • Authorisation of CBs and ITSEFs.

The draft SoA document on the accreditation of ITSEFs has been published by ENISA [2].

For more information about the adopted EUCC scheme and the SoA documents, visit the ENISA website:

Footnotes

[1] The Cybersecurity Act strengthens ENISA by granting the agency a permanent mandate, reinforcing its financial and human resources, and overall enhancing its role in supporting the EU to achieve a common and high level of cybersecurity. It establishes the first EU-wide cybersecurity certification framework to ensure a common approach to cybersecurity certification in the European internal market and ultimately improve cybersecurity in a broad range of digital products (e.g., Internet of Things) and services.

[2] The European Union Agency for Cybersecurity (ENISA) is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT (Information and Communications Technology) products, services, and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.