Full Report
EUCC (EU Common Criteria) and the Cyber Resilience Act. There were two inconspicuous developments in February and March... (Source: "Mandatory, externally verified cybersecurity certificates are approaching", Industrial Cyber.)
Analysis Summary
# Regulation/Compliance: EU Cybersecurity Certification (EUCC) and Cyber Resilience Act Context
## Overview
This summary addresses two interconnected EU legislative developments: the entry into force of the first EU-wide cybersecurity certification scheme based on Common Criteria (EUCC), established under the EU Cybersecurity Act, and its relationship to the developing Cyber Resilience Act (CRA), which mandates security requirements and CE marking for digital products. The EUCC provides a standardized mechanism for achieving EU-wide recognized security assurance for products.
## Key Details
- Issuing Authority: European Union (Cybersecurity Act 2019/881, Implementing Regulation 2024/482).
- Effective Date: EUCC scheme is in force since **February 27, 2025**. The German National Certification Body notification occurred on **March 20, 2025**.
- Jurisdiction: European Union (all 27 member states).
- Status: **In Effect** (EUCC certification scheme).
## Requirements
### Mandatory Requirements
1. **EUCC Certification for CRA Compliance (Implied/Future):** Achieving an EU Cybersecurity Certificate under the EUCC scheme (with an assurance level of at least "medium") is presented as *one potential path* for manufacturers to comply with the mandatory security requirements and CE marking obligations established by the *Cyber Resilience Act* (CRA) for products with digital elements.
2. **External Assessment:** Under the EUCC scheme, self-assessment is **not permitted**. External assessment by a conformity assessment body is mandatory.
3. **High Assurance Level Testing:** For the "high" assurance level under EUCC, external assessment by a certification body, vulnerability testing, and potentially a penetration test simulating a competent attacker are required.
### Recommended Practices
1. **Align with Common Criteria:** Manufacturers should align product security documentation and processes with the ISO/IEC 15408 standard as implemented by the EUCC.
2. **Preparation for Mandatory Audits:** Organizations targeting the EU market should anticipate and prepare for mandatory external audits necessary to obtain EUCC certification at the required assurance levels.
## Affected Organizations
- Industries: All digital product manufacturers intending to sell products within the European Union market.
- Organization Size: Not explicitly specified, but impacts all manufacturers placing products on the EU market.
- Geographic Scope: Manufacturers globally selling into the European Union.
## Compliance Timeline
- **February 27, 2025:** EUCC Certification Scheme (Implementing Regulation 2024/482) comes into force.
- **March 20, 2025:** BSI notified as the sole German National Certification Body for the EUCC scheme.
- **Future (CRA Dependent):** Full compliance deadlines for CE marking and meeting mandatory security requirements under the **Cyber Resilience Act** are pending the CRA's full implementation timeline (not detailed in this article).
## Implementation Guidance
### Assessment Phase
- **Identify Assurance Needs:** Determine the required assurance level (medium or high) necessary to meet the future obligations likely imposed by the Cyber Resilience Act.
- **Documentation Review:** Prepare technical documentation necessary for assessment under the Common Criteria structure.
### Implementation Phase
- **Select Certification Body:** Engage with accredited EU certification bodies (like the BSI in Germany) competent to issue EUCC certificates.
- **External Audit Preparation:** Prepare the product and supporting evidence for mandatory external conformity assessment.
### Validation Phase
- **Certification Issuance:** Successful external assessment results in an EU Cybersecurity Certificate, recognized across the EU.
- **Monitoring and Maintenance:** Continuously monitor security posture to ensure ongoing adherence to the standards underpinning the certificate.
## Technical Requirements
The EUCC scheme is based on the internationally standardized **ISO/IEC 15408 (Common Criteria)**. The key technical points are:
- Assurance Levels: Differ in testing rigor (e.g., penetration testing is required for the "high" level).
- EUCC Specifics: Only the assurance levels "medium" and "high" are available under the initial EUCC scheme, and both require external assessment.
## Penalties & Enforcement
- Fines: Not detailed in this text, but non-compliance with the forthcoming Cyber Resilience Act will be subject to the penalties tied to CE marking rules, typically market withdrawal procedures and potentially significant fines.
- Other Consequences: Inability to legally place products on the EU market if mandatory certificates (like those potentially required by the CRA) cannot be obtained.
- Enforcement: Handled initially via national certification bodies (like BSI) and overall EU market surveillance mechanisms enforcing the Cyber Resilience Act.
## Related Standards
- **ISO/IEC 15408 (Common Criteria):** The foundational international standard used for the EUCC scheme.
- **ISA/IEC 62443:** Referenced for its analogous concept of graded security levels, as a comparison point for EUCC assurance rigor.
- **Cybersecurity Act (EU 2019/881):** The enabling regulation for EU-wide voluntary certificates.
- **Cyber Resilience Act (EU 2024/2847):** The impending regulation making certain security certificates mandatory for products with digital elements.
## Resources
- Official Documentation:
  - Cybersecurity Act: Link provided for EU 2019/881.
  - Cyber Resilience Act: Link provided for EU 2024/2847.
  - EUCC Scheme: Implementing Regulation (2024/482).
- Guidance Documents: BSI press release on being named the German certification body.
- Tools: Not explicitly listed, but compliance requires utilizing tools and methodologies compatible with Common Criteria evaluation processes.
## Practical Recommendations
1. **Track the CRA:** Digital product manufacturers must closely follow the final requirements of the Cyber Resilience Act to understand *when* an EUCC certificate becomes mandatory.
2. **Engage Early with Certification Bodies:** Manufacturers should begin aligning documentation to the framework of ISO/IEC 15408 (EUCC) and proactively engage with accredited certification bodies (like BSI in Germany) to plan for external audits.
3. **Design for Medium/High Assurance:** Future product design processes must incorporate security sufficient to pass external verification testing required by assurance levels "medium" or "high."