CPSTIC Catalogue inclusion

  • Experts in LINCE, Common Criteria and complementary STIC assessments
  • We use unique tools to optimize assessment
  • Leading laboratory for CPSTIC listed products
  • Comprehensive management of the process and communication with the CPSTIC catalogue


What are the benefits of including your product in the CPSTIC catalogue?

CPSTIC is the CCN-STIC-105 reference catalogue for cybersecure ICT products in the Spanish Public Administration. It offers a list of products with security guarantees verified by the CCN (the Spanish Certification Body). It has a taxonomy divided into different categories and families, which is continuously growing.

Including your product in the catalogue has multiple advantages:

  • It improves the cybersecurity of your product
  • Powerful marketing tool
  • It offers greater visibility of your product in the Spanish Public Administration
  • You get a certificate issued by CCN

But how do you include your product in the CPSTIC catalogue?

LINCE evaluation

LINCE is the most common evaluation used to access the catalogue because it is the most agile, reducing both time and economic costs. It is a lightweight certification for medium or low security levels, according to the ENS (Spanish National Security Scheme) classification.

It is a certification recognized in Spain that makes it possible, with limited time and effort, to obtain a certification issued by the CCN.

Common Criteria Evaluation

Common Criteria is the cybersecurity certification with the widest international scope, as it is recognised in more than 30 countries. It is ideal for high levels of security, taking into account that the cost in both time and money is significantly higher compared to LINCE.

It allows the product to be included in the catalogue as long as the security level is at least EAL 2 and the fundamental security requirements (RFS) defined for that category of the taxonomy are met.

If the original assessment does not meet the RFS, supplementary STIC testing is required.

Supplementary STIC assessment

This is a type of evaluation that is performed on products that have already obtained a Common Criteria certification and are intended to be part of the CPSTIC catalogue but the original evaluation did not cover all the RFS defined for that category. In this case, CPSTIC requires additional STIC testing by one of the accredited laboratories in order to gain access to the catalogue.

STIC Evaluation

When a product is certified, it is done on a specific version and the evaluation is done on-premises. However, more and more products/services are being developed directly in the cloud (cloud-native). They are deployed in the cloud and are usually developments in constant evolution, making it impossible to identify the exact object of the evaluation. Due to this, the product/service cannot be certified, but it can be qualified and still be part of the catalogue of cybersecure products. For this reason, in addition to complying with the requirements specified for their taxonomy, the product/service must also pass the requirements specified in Annex G “Servicios en la nube” dedicated to those cloud-native products.


Currently all the products included in this taxonomy have been evaluated by jtsec. Access to this category does not require making a Security Declaration and passing a LINCE, Common Criteria or CPSTIC assessment, but it does require passing penetration tests to verify that the tool complies with minimum security standards. This peculiarity makes the process less costly for the client, in terms of money, staff resources and time.

Success stories

At jtsec we have evaluated different products that have been included in different families and categories of the CPSTIC catalogue taxonomy (firewalls, antivirus, authentication servers, access control, switches...). The adaptability of the catalogue to new products allows the expansion of this taxonomy. Among the most outstanding success stories we would like to mention:

  • Electric vehicle chargers: At jtsec we have carried out the first evaluation of an electric charger under the LINCE methodology. Solicitation documents published by a private company, which make it compulsory for suppliers of electric vehicle chargers to be LINCE certified, have led to the emergence of a demand for LINCE certification for this type of product
  • Video Identification Tools: This is the first time that a ministerial order (Order ETD/465/2021 of 6 May) has been used to introduce products in the catalogue, creating a precedent: the Administration is anticipating manufacturers. jtsec has evaluated the first product of this new taxonomy created in the CPSTIC catalogue
  • Port management software: Enhancing the cybersecurity of critical infrastructures is one of the objectives of the Administration. It is an innovative project at Spanish level, in which we evaluate the first software of these characteristics

10 reasons for choosing jtsec

  1. Top notch experts
  2. Leading laboratory in LINCE evaluations
  3. Laboratory accredited by ENAC and CCN for LINCE and Common Criteria assessments
  4. Editors of LINCE as a UNE standard
  5. We use unique tools developed by us that save up to 40% of time and money in the evaluation
  6. We assure you a fixed price from the beginning, do not face unexpected surprises!
  7. Deliver on time: on launch, a support engineer is always available for projects, ensuring we meet deadlines and expectations
  8. Members of SCCG (Stakeholder Cybersecurity Certification Group)
  9. Common Criteria native professionals.
  10. Commitment to your project before, during and after certification

They already trusted us. Let's talk!


At jtsec we are experts in security evaluation and we know the process perfectly. In order to avoid unnecessary costs, contact us as soon as possible.


    We have years of experience in LINCE and Common Criteria security assessments, as well as complementary STIC assessments. For your peace of mind, we take care of the entire process, saving you unnecessary time and money.

  2. TOOLS

    At jtsec we have developed unique internal tools to speed up the certification process in both Common Criteria (CCToolbox) and LINCE (LinceToolbox). They allow you to speed up both the consultancy and the evaluation of your product. These tools are available free of charge to our clients to create a perfect coordination between jtsec and our client in the project.


    We offer a customised approach to your certification, a tailor-made process taking into account that each client and each product is unique. We adapt to your needs by creating a framework, taking into account the specific needs of your project.


    Our commitment is to solve and eliminate problems for our clients, not to create new ones. For this reason, we take all the necessary steps with the Catalogue so that the adaptation and inclusion of your product is carried out without delays or incidents.