ENISA publishes EUCC 1.1.1 the first European cybersecurity scheme for ICT products.


- May
Posted by: Javier Tallón
ENISA publishes EUCC 1.1.1 the first European cybersecurity scheme for ICT products.

ENISA has published this week an update of the EUCC (Common Criteria based European candidate cybersecurity certification). A scheme that we are deeply proud to be published, since jtsec has actively participated through the Ad Hoc Working Group and the Stakeholders Cybersecurity Certification Group in the creation of the candidate scheme named by ENISA as valid for the certification of ICT products.

In addition, it supports the use of the Patch Management methodology . This Patch Management is developed in ISO with jtsec as its editor.

What does this new scheme mean at the European level?

EUCC is the first scheme published under the guidelines of the CSA (Cybersecurity Act), which proposes the creation of a common European framework for the certification of "cybersecure" ICT products and services. It can be considered a horizontal scheme, as it can be usable in several sectorial competences.

EUCC is based on Common Criteria (ISO/IEC 15408 and ISO/IEC 18045) and is aimed at replacing the current national certification schemes also based on Common Criteria.

The following chart shows the process followed by the EUCC until it was approved by the European Commission.

The existence of cybersecurity schemes recognized by the European Commission provides a framework in which cybersecurity laboratories, private companies and public administrations can abide when certifying their products within Europe, in the case of the EUCC, for ICT products.

We have always been committed to the standardization and unification of criteria in terms of cybersecurity certifications, so the creation of the EUCC is a major milestone at European level.

Our contributioin in the development of the EUCC

Javier Tallón, Technical Director at jtsec Beyond IT Security, has been part of the ENISA ad-hoc Working Group on the SOG-IS successor scheme, in charge of developing the EUCC scheme. Therefore, we are very proud that, finally, this candidate scheme has been the one selected by the European Commission for the cybersecurity certification of ICT products.

As member of the AhWG, Javier has actively participated in the thematic working groups TG2 and TG5, corresponding to the "Necessary elements to specify, evaluate and certify products in a harmonised way" and "Continuity assurance and handling of vulnerabilities" and is Rapporteur of TG7 "Guidance on harmonized interpretations of ISO/IEC 17025 and 17065".

Moreover, ENISA has relied on jtsec (in collaboration with Red Alert Labs and KPMG) for the creation of three new guides:

  • ITSEF requirements for licensing to perform VAN.3 evaluations.

  • Guidance on commitments of manufacturers.

  • Guidelines on security of information.

    It is worth mentioning that recently our CTO, José Ruiz, has also been incorporated to the AhWG as Common Criteria expert for the creation of a label that allows the general public to identify the products certified in the new scheme, not only by the level of assurance according to the CSA (Basic / Substantial / High), but also allowing to introduce the level of assurance using the Common Criteria Security Assurance Requirements (EAL4+ALC_FLR.1).

    In this working group will collaborate with other experts in market surveillance and labeling such as those responsible for CE marking or PEGI labeling for use in video games.

    *original source ENISA

    Finally we are very proud that the work we have done (and are still doing!) in ISO in these last years is bearing a magnificent fruit, allowing the use of the Patch Management methodology developed in ISO.

    Of course, there is still some time to go before the scheme is finalized, so we look forward to continuing to give our full support to ENISA and the ECCG.

    How is the new EUCC scheme expected to be adapted?

    Based on the discussions with the European Commission, the scenario of a "big bang" has been considered as the most probable one, being it consists of the following::

  • All existing schemes cease at the same date.

  • There is zero parallel emission of EUCC and SOG-IS MRA certificates for the same ICT products during the transition period.

    To minimize this impact, ENISA is creating transition guides that will allow laboratories and manufacturers to adapt to the new conditions.

    There will be a transition period, however, which will allow:

  • Termination of current certification projects under the existing schemes, or their easy conversion into EUCC projects.

  • Smooth transfer of certificates that require maintenance in the long run, therefore under for the EUCC scheme, or reuse for composite evaluations and certifications under the EUCC scheme.

    Furthermore, the scheme foresees some possible reuse conditions as to ease the transition (e.g., reuse of certification activities or reuse of peer assessment results).

    What is new in version 1.1.1?

    Major changes relate to the:

  • Addition and clarification of definitionss.

  • Systematic cooperation with the ECCG for the development of guidance documents supporting the scheme.

  • Clarification of activities related to the maintenance of certificates.

  • Clarification of deadlines associated to the handling of non-conformities, non-compliances and vulnerabilities.

  • Modification of the status of the new patch management process, now in annex and for trial use.

  • Modification of the logo associated to the certificates, allowing to establish an additional specific logo for the scheme and to mention the evaluation level achieved in addition to the CSA level.

  • Clarification of the peer assessment requirements and simplification of the associated annex.

  • Update of annexes 7 and 9 based on their recent evolution within the SOG-IS, and the addition of one annex related to ST sanitization.

    Next steps

    This version of the candidate scheme will be used by the European Commission for the drafting of the Implementig Act, by which the scheme becomes part of European legislation.

    This process will be long and complex, and will probably require new discussions and guidelines to facilitate the transition and use of the new scheme, but progress is unstoppable and it will soon be a reality throughout Europe to which we must adapt as soon as possible.

    *original source ENISA

    How can we help you evaluating your product complying with the EUCC?

    If your are thinking of certifying your ICT product under the EUCC scheme, do not hesitate to contact us so we can help you. In addition, as a Common Criteria expert laboratory, we can assist you in getting your product certified in the shortest possible time, smoothing the process thanks to our technical expertise.

  • Javier Tallón/Technical Director

    Expert consultant on the Common Criteria standard, and other security assurance standards in the field of the information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country major evaluation labs. As a consultant, he has successfully accompanied national and international companies in several certification processes (to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also Cyber Security lecturer, giving classes of Secure Software Engineering at the University of Granada and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified .

    In 2015 he begins to lay the foundations of what will be jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site from where the company develops most of the work. Recognized expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), assumes the technical direction of most of the projects, directing and organizing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple Congresses.


    Send us your questions or suggestions!

    By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.