Top 10 (+2) Things You Need to Know About the EUCC Implementing Act

March 28, 2024 | April 15th, 2024 | Insights

The European Common Criteria-based cybersecurity certification scheme (EUCC)

By Roland Atoui and Ayman Khalil, Red Alert Labs


With the introduction of the European Common Criteria-based cybersecurity certification scheme (EUCC), the European Commission makes a significant advancement at a time when cybersecurity threats are more serious than ever. Supported by Regulation (EU) 2019/881, sometimes referred to as the Cybersecurity Act, this framework unifies member state certification procedures while reinforcing the EU’s commitment to enhancing cybersecurity.

With its foundation in the widely accepted Common Criteria (CC) for information security assessment, the EUCC offers a standardized method for ICT product certification. This action promotes a more resilient digital Europe by facilitating the mutual acceptance of security certificates and highlighting the EU’s commitment to maintaining the highest standards of cybersecurity. This scheme is a turning point for cybersecurity governance in the EU, as the European Commission hopes to improve trust and security in a quickly changing digital ecosystem by clearly defining roles, regulations, and obligations.

The purpose of EUCC is to provide a revolutionary framework for certifying information and communications technology (ICT) in Europe, enhancing the level of security of ICT products dedicated to security (e.g., firewalls, encryption devices, gateways) as well as of any ICT product embedding a security functionality (e.g., routers, smartphones, banking cards). This new scheme, replacing the preceding SOG-IS MRA, emerges as a major component under the EU’s Cybersecurity Act.

Beyond being a regulatory requirement, the EUCC helps improve the Internal Market conditions in Europe. Without further ado, let’s dive into our 12 key insights:

  1. Patch Management Mechanism: EUCC introduces an innovative patch management mechanism, ensuring continuous compliance and proactive adaptation to evolving cybersecurity threats. This structured approach enhances the longevity and effectiveness of certified products.
  2. State-of-the-Art Documents and Guidance: The scheme incorporates state-of-the-art (SoTA) documents, providing detailed guidance on implementing the latest cybersecurity standards and practices. This inclusion ensures that certified products adhere to innovative industry standards.
  3. EUCC and Cyber Resilience Act (CRA): EUCC aligns with the Cyber Resilience Act (CRA) to demonstrate conformity, though additional steps are necessary for full CRA compliance. This connection emphasizes the synergy between the two frameworks.
  4. Clarifications and Recommendations: The EUCC Implementing Act offers indispensable clarifications and recommendations, particularly regarding non-compliance, certification review processes, and the management of new technical domains. This clarity fortifies transparency and accountability within the certification process.
  5. Certified Protection Profiles (PPs) and Compliance Monitoring: Certified PPs are integral to EUCC conformity and must be included in compliance monitoring by national cybersecurity certification authorities. These profiles are also subject to peer assessments to evaluate the methodology, tools, and skills applied in ICT product evaluations, aiding in the definition of technical domains based on specific protection profiles.
  6. Certification and Assessment Methodology: EUCC mandates third-party conformity assessments by Information Technology Security Evaluation Facilities (ITSEFs) and certification bodies, disallowing self-assessment. This approach ensures a high level of trust and assurance in certified ICT products, aligning with established harmonized methodologies.
  7. Vulnerability Management and Analysis: Certificate holders under EUCC must implement comprehensive vulnerability management procedures, conducting thorough vulnerability analyses and reporting findings. Adhering to standards like EN ISO/IEC 29147 for vulnerability disclosure ensures transparency and a timely response.
  8. Mutual Recognition Agreements and Peer Assessments: EUCC establishes conditions for mutual recognition agreements with third countries, aiming to replace existing agreements. Peer assessments ensure compliance, harmonized operations, and the exchange of best practices among certification bodies and ITSEFs.
  9. Authorisation Requirements for ITSEF: To be authorized under the EUCC, ITSEFs must demonstrate capabilities, including determining the absence of known vulnerabilities, correct implementation of state-of-the-art security functionalities for specific technologies, and the targeted ICT product’s resistance to skilled attackers. For certain technical domains like smart cards and hardware devices with security boxes, ITSEFs must also meet minimum technical requirements and be capable of conducting various types of attacks as outlined in supporting Common Criteria documents.
  10. Confidential Data and Business Secrets Protection: Conformity Assessment Bodies (CABs) and National Cybersecurity Certification Authorities (NCCAs) handling sensitive data must possess the necessary technical competencies and systems to protect this information, including business secrets and intellectual property. Meeting these requirements is vital for both accreditation and authorization, ensuring the security and confidentiality of sensitive data.
  11. EUCC Marks and Labels for Trustworthiness: The EUCC scheme employs distinctive marks and labels to visually showcase the reliability of certified ICT products. This visual clarity helps users to make well-informed decisions. It’s important to note that the application of these marks and labels is governed by specific rules and conditions, meticulously outlined in ISO/IEC standards such as 17065 and 17030.
  12. Validity Duration of Certificates: Within the EUCC framework, certification bodies take responsibility for determining the duration of certificate validity. This decision requires thoughtful consideration of the ICT product’s life cycle and version management policies, with a maximum validity period of five years. In addition, this duration aligns with prevailing practices in other Member States for analogous ICT products, ensuring coherence and relevance.

There is no doubt that the first EU cybersecurity certification scheme will be a game-changer for businesses in and outside the EU. It’s clear that in a world where digital trust is both precious and precarious, establishing a uniform cybersecurity standard is not just beneficial but necessary. This isn’t just about the EU; it’s about setting a precedent that could shape the future of digital security worldwide. With a comprehensive and harmonized framework, this scheme will improve the EU Internal Market conditions for ICT products, and as a result will also have positive effects for ICT services and processes that rely on such products. The EUCC not only aligns with the EU’s broader cybersecurity strategy but also sets a high standard for cybersecurity certification globally. By nurturing a secure digital environment, the EUCC significantly contributes to the resilience and trustworthiness of ICT products, ultimately supporting not only the EU’s digital single market but also its global competitiveness.

This insight post originally appeared on the website of DOSS consortium partner Red Alert Labs, here.
