The European Commission on Thursday announced that it has adopted the European Cybersecurity Scheme on Common Criteria (EUCC) drafted by the European Union Agency for Cybersecurity (ENISA) as the first scheme within the EU cybersecurity certification framework.

The new voluntary scheme, backed by EU member states, is envisioned as a long-term replacement for national certification schemes and is expected to pave the way for the next schemes that are currently in preparation, the Commission said.

The EUCC is designed to raise the level of cybersecurity of ICT products, services and processes in the EU Market by setting a comprehensive set of rules, of technical standards requirements, standards and procedures to be applied across the Union.

The scheme allows ICT suppliers who wish to showcase proof of assurance to go through an EU commonly understood assessment process to certify ICT products such as technological components (chips, smartcards), hardware and software.

It is based on the SOG-IS Common Criteria evaluation framework already used across 17 EU Member States, and proposes two levels of assurance based on the level of risk associated with the intended use of the product, service or process, in terms of probability and impact of an accident.

The European Commission said that the scheme is based on “extensive research and consultation” and that it has been “tailored to the needs of the EU Member States”. It added that EU certification schemes such as EUCC “are expected to also stand as an incentive for suppliers to adhere to cybersecurity certification requirements”.

EU Agency for Cybersecurity executive director, Juhan Lepassaar said: “The adoption of the first cybersecurity certification scheme marks a milestone towards a trusted EU digital single market and it is a piece of the puzzle of the EU cybersecurity certification framework that is currently in the making.”

Certificates issued under EUCC will be published by ENISA, which also publishes the Implementing Act and supporting documents such as annexes, state of the art documents and guidance on the dedicated certification website.

---