A Comprehensive Guide to the EUCC Scheme

Feb 24, 2026

Written by: Entrust


Cyber threats continue to evolve – and so do the standards designed to stop them. In response, the European Union (EU) has introduced the EU Cybersecurity Certification Scheme on Common Criteria (EUCC), the first EU-wide framework for evaluating and certifying information and communication technology (ICT) products.

Developed under the EU Cybersecurity Act (CSA), the EUCC Scheme creates a unified approach to product assurance, replacing a patchwork of national schemes with a single standard recognized across the EU. For organizations operating in or serving European markets, understanding EUCC isn’t optional – it’s essential to build digital trust and ensure regulatory compliance.

Key takeaways

  • EUCC is the EU’s new Common Criteria-based cybersecurity certification scheme for ICT products.
  • EUCC provides two assurance levels – substantial and high – designed to harmonize security evaluation across Member States.
  • The scheme aligns with both the Cybersecurity Act and eIDAS, supporting compliance for trusted digital services.
  • Entrust solutions, including the Common Criteria EAL4+-certified SAM, are already aligned with EUCC requirements.
  • Continuous vulnerability management and post-quantum readiness will be key differentiators under the new framework.

What is EUCC?

EUCC stands for the EU Cybersecurity Certification Scheme on Common Criteria. It’s the EU’s first cybersecurity certification framework for ICT products. Introduced under the Cybersecurity Act, EUCC builds on the internationally recognized Common Criteria standard – the same foundation trusted globally for secure product evaluation.

Unlike national-level agreements, EUCC delivers a single, harmonized approach for the entire EU, simplifying certification and mutual recognition between Member States. The program officially launched in 2025, marking the start of a new era for product assurance and digital trust across Europe.

EUCC and Common Criteria

The two frameworks are closely connected, but they serve slightly different purposes. Common Criteria defines the technical standard and evaluation methodology used to assess the security of ICT products. EUCC, meanwhile, is the European Union’s implementation of that standard within a broader legal and governance framework. It takes the principles of Common Criteria and embeds them in an EU-wide certification structure that standardizes assurance levels, harmonizes national schemes, and mandates ongoing compliance across the product lifecycle.

Key features of EUCC

EUCC provides two recognized assurance levels:

  • Substantial: For ICT products that need to resist basic to moderate attack potential.
  • High: For products that must withstand sophisticated, well-resourced threats.

These map approximately to Common Criteria’s Evaluation Assurance Levels (EALs), focusing on the rigor of testing, design documentation, and vulnerability analysis. EUCC also introduces governance processes for continuous vulnerability monitoring, ensuring certified products maintain compliance over time — a major evolution beyond traditional one-time certification.

Protection Profiles

Protection Profiles are at the heart of EUCC evaluations. A Protection Profile is a standardized set of security requirements for a specific product type – such as a hardware security module (HSM) or a signature activation module (SAM). Each profile defines how the product must behave, what threats it mitigates, and which evaluation activities are required to prove its resilience.

Under EUCC, Protection Profiles must themselves be certified and endorsed by the European Cybersecurity Certification Group (ECCG) before they can be used in high-assurance evaluations. Products evaluated against these certified profiles gain a faster, more consistent path to certification while ensuring that testing is relevant and repeatable across Europe.

How EUCC applies to QSCDs and SAMs

In EUCC, several key Protection Profiles are already in scope, including:

  • EN 419 241-2:2019 – Protection Profile for Signature Activation Modules supporting server signing.
  • EN 419 221-5:2018 – Protection Profile for Trust Service Provider Cryptographic Modules used in Qualified Signature Creation Devices (QSCDs).

Together, these define how products like Entrust SAMs and QSCDs meet EUCC’s requirements for high-assurance evaluation.

EUCC vs. FIPS 140-3

While both evaluate cryptographic modules, EUCC focuses on broader ICT cybersecurity resilience, aligning with EU regulations. In contrast, Federal Information Processing Standard 140-3 is a U.S. government standard primarily concerned with the validation of cryptographic modules. Together, they represent complementary approaches for organizations operating globally.

Benefits of EUCC certification

For enterprises, EUCC certification offers more than regulatory alignment. It represents a competitive advantage in digital trust. Some of its key advantages include:

  • Enhanced security: Independent validation under EUCC ensures that products meet high assurance standards, improving resilience against evolving threats.
  • Regulatory compliance: EUCC certification helps organizations meet requirements under the Electronic Identification, Authentication and Trust Services (eIDAS) Regulation, the Network and Information Security Directive 2 (NIS2), and the Cyber Resilience Act (CRA).
  • Market credibility: A certified product signals maturity, transparency, and reliability – building trust with customers and regulators across Europe and beyond.

For Entrust, EUCC reinforces the company’s longstanding leadership in Common Criteria and QSCD certifications – a track record that helps customers choose solutions already proven against the highest European standards.

The EUCC certification process

Obtaining an EUCC certificate involves a structured, multi-stage process designed to ensure both product security and ongoing lifecycle assurance. Here’s how it works:

1. Define scope

Certification begins with defining the Target of Evaluation (TOE) – the product or component being assessed – and identifying any applicable Protection Profile or Technical Domain. For products seeking “high” assurance, aligning with a certified Protection Profile is often required to ensure that evaluation criteria are appropriate for the product category.

2. Apply to an accredited Certification Body (CB)

The vendor applies to an EUCC-accredited Certification Body, outlining the product’s intended scope, assurance level, and supporting documentation. The CB conducts an initial feasibility review to confirm readiness and scope alignment.

3. Prepare documentation and evidence

Vendors must provide a comprehensive Security Target, design and architecture documentation, lifecycle management plans, threat models, and user guidance. These artifacts serve as the foundation for the evaluation and must demonstrate compliance with EUCC requirements.

4. Undergo evaluation by an accredited testing lab

An accredited Information Technology Security Evaluation Facility (ITSEF) performs the technical assessment. The ITSEF lab reviews documentation, performs vulnerability analysis, and executes penetration tests tailored to the chosen assurance level. The evaluation confirms that the product meets all defined security and functional requirements.

5. Receive certification decision

Once the evaluation is complete, the CB reviews the evaluation process and issues a formal decision. Approved products receive an EUCC certificate and are published in the European Union Agency for Cybersecurity’s certification registry, providing transparency and public proof of compliance. Certificates may remain valid for up to five years, depending on the assurance level and product category.

6. Maintain continuous compliance

Certification doesn’t end with approval. Vendors must actively monitor their products for vulnerabilities, report findings to authorities, and apply mitigations within set timeframes – often within 30 days for critical issues. Failure to maintain these standards can lead to suspension or withdrawal of the certificate.

Challenges in achieving EUCC certification

Like any rigorous evaluation, EUCC certification requires preparation, precision, and patience. Common challenges include:

1. Complex documentation

One of the most demanding aspects of EUCC certification is the amount and depth of documentation required. Organizations must produce detailed materials covering system architecture, security functions, lifecycle processes, design decisions, and threat models – all of which must align closely with Common Criteria methodologies.

For many vendors, this requires revisiting internal development practices, consolidating documentation that may be spread across teams, and ensuring that every artifact reflects consistent, verifiable security claims. The time and resources needed to prepare these materials can be significant, especially for products with long histories or multiple components.

2. Vulnerability management

Under EUCC, certified products must undergo regular vulnerability assessments and report significant issues to authorities – ensuring that trust and compliance extend throughout the product lifecycle, not just at the moment of certification. This focus on ongoing compliance reinforces digital trust by holding vendors accountable for vulnerability detection, remediation, and transparent communication with certification bodies.

3. Coordinating with multiple authorities

EUCC introduces a multi-layered governance structure involving national certification bodies, accredited evaluation labs, and EU-level oversight groups. Navigating these parallel approval paths can be complex, especially for organizations certifying products across multiple markets.

Vendors must ensure that their documentation, assessment activities, and remediation plans satisfy both local and EU-wide requirements, which may differ in emphasis or timelines. This coordination requires strong internal project management and a clear understanding of how national and European authorities interact within the EUCC framework.

Overcoming obstacles

Organizations can streamline certification by partnering with experienced evaluators and leveraging pre-certified, standards-aligned components – such as Entrust’s EAL4+-certified SAM – to reduce time, cost, and risk. Establishing a vulnerability management process early in the product lifecycle also supports faster recertification and sustained compliance.

Entrust’s Signature Activation Module 1.1.1 includes built-in vulnerability management and rapid recertification processes that align with both EUCC and eIDAS expectations. The product’s Common Criteria certification (EAL4+, augmented with ALC_FLR.2 and AVA_VAN.5) demonstrates advanced capabilities for detecting, mitigating, and patching security flaws quickly.

Entrust also continuously monitors its SAM for emerging threats and maintains agile recertification for security updates, ensuring that the product remains compliant and resilient throughout its lifecycle.

The future of EUCC

As Europe continues strengthening its digital trust framework, EUCC will evolve in parallel with upcoming regulations such as eIDAS 2 and the Cyber Resilience Act.

In the long term, the scheme may expand to include cloud services, IoT devices, and post-quantum cryptographic systems, ensuring assurance keeps pace with technological innovation. Entrust actively participates in this evolution, aligning its Common Criteria and QSCD-certified solutions to support EUCC’s highest assurance levels and post-quantum readiness.

Building trust through certification

The EUCC represents a milestone in Europe’s effort to unify and elevate cybersecurity standards. For organizations that depend on trust – from government agencies to global enterprises – it provides a clear, reliable way to prove security assurance.

The Entrust history of Common Criteria and QSCD certifications, coupled with our ongoing EUCC alignment, makes us a trusted partner for achieving compliance and maintaining confidence in an interconnected world. Learn more about Entrust’s certified solutions and how they can benefit your organization’s data security today.

FAQs

What does EUCC stand for?

EUCC stands for the EU Cybersecurity Certification Scheme on Common Criteria – the European Union’s harmonized framework for certifying the cybersecurity of ICT products.

Who manages the EUCC?

EUCC is managed by the European Union Agency for Cybersecurity in coordination with national certification authorities and the European Cybersecurity Certification Group.

Which products qualify for EUCC certification?

EUCC applies to information and communication technology products and components, such as hardware security modules, signature activation modules, and secure communication systems. Achieving recognition as a certified ICT product under the EUCC demonstrates that a solution has undergone rigorous, independently verified security evaluation.

How does EUCC relate to Common Criteria?

EUCC builds on the Common Criteria (CC) standard, using its evaluation methodology and assurance levels as a foundation. While CC defines how products are tested and certified, EUCC establishes the EU-wide governance and recognition system that ensures consistent application across Member States.

Is EUCC mandatory?

The EUCC Scheme is currently voluntary, but it is expected to become an essential requirement for many products that fall under EU digital trust regulations, such as eIDAS, NIS2, and the Cyber Resilience Act. As the regulatory landscape evolves, EUCC certificates are likely to become a key indicator of trust and security for ICT products operating within the European market.