What is Common Criteria?

One of the most effective ways to meet cybersecurity and compliance requirements is by using products certified under the globally recognized Common Criteria standard.

Not familiar? Allow us to explain.

Below, we’ll walk through the fundamentals of Common Criteria evaluation — what it is, why it matters, and how certification helps organizations strengthen trust in their security posture.

The Common Criteria for Information Technology Security Evaluation — often referred to simply as Common Criteria or CC — is an international standard for computer security certification. Based on ISO/IEC 15408, its goal is to provide confidence that a product’s security features have been independently tested and verified through a rigorous and repeatable process appropriate to its intended use case.

Originally, Common Criteria was created to unify national certification schemes from countries including the United States, Canada, Germany, the United Kingdom, France, Australia, and New Zealand. Today, it stands as a comprehensive global framework — one that offers the broadest mutual recognition of secure IT product certifications worldwide.

Overview

Common Criteria–certified solutions are relied upon by governments, enterprises, and service providers worldwide to protect mission-critical infrastructure.

In fact, it’s often a prerequisite for many solutions, including qualified digital signature services under the European Union’s Electronic Identification and Trust Services regulation, better known as eIDAS (updated in 2024 and now referred to as eIDAS 2). Additionally, U.S. government customers frequently request secure IT products that are listed by the National Information Assurance Partnership, which requires Common Criteria evaluation.

The Common Criteria standard provides assurance that key aspects of product security have been thoroughly designed, implemented, tested, maintained, and independently verified. Among its core focus areas:

  • Product development and related security functions, including high-level design, architecture, and implementation.
  • Guidance for secure product deployment and preparation.
  • Life cycle management for documents and processes related to product configuration, delivery, and retirement.
  • Testing security functions according to their baseline requirement.

Certification Authorities

As an international standard, Common Criteria is governed by participating countries through independent Certification Bodies. Each body is responsible for evaluating and certifying products against the Common Criteria requirements, ensuring that certifications meet consistent, globally recognized benchmarks for assurance.

Common Criteria introduces several key terms that define its evaluation process:

  • Target of Evaluation (TOE): The product or system undergoing certification.
  • Security Target (ST): A document defining the TOE’s security features and objectives. The ST allows vendors to tailor evaluation to their product’s specific capabilities, often referencing one or more Protection Profiles.
  • Protection Profile (PP): A standardized set of security requirements for a product category (for example, hardware security modules or signature activation modules). PPs ensure consistent, repeatable evaluation criteria.
  • Security Functional Requirements (SFRs): The product’s specific security functions and capabilities.
  • Security Assurance Requirements (SARs): The measures used to verify that a product meets its claimed standards.
  • Evaluation Assurance Level (EAL): A numerical rating that indicates the depth and rigor of evaluation, from EAL1 (basic) to EAL7 (most stringent).

All Common Criteria-certified products and solutions must be independently tested and verified according to a specific evaluation process:

  1. The developer must first complete a Security Target description and submit any supporting documents that describe the product, its security functionality, and any potential vulnerabilities.
  2. Optionally, the organization may choose a Protection Profile to serve as its guiding document throughout the CC certification process. Choosing a PP may not be necessary, but it does signify a commitment to thorough evaluation, ensuring the TOE is aligned with the intended use case.
  3. Next, an independently licensed Common Criteria Laboratory must evaluate the product to see if it meets the Common Criteria standard. Once complete, it compiles its findings into an evaluation report.
  4. If the TOE meets its minimum requirement, a Certification Body issues a Common Criteria certificate. Once verified, all Common Criteria-certified products are listed in the Common Criteria portal.

How do Protection Profiles work?

While a Protection Profile defines standardized security requirements for a product category, in practice, it also shapes how that product is evaluated. Each PP outlines the security objectives, potential threats, and evaluation activities that must be addressed during certification.

Qualified Signature Creation Devices (QSCDs) — used to generate qualified electronic signatures and seals — rely heavily on Common Criteria Protection Profiles to ensure secure, trustworthy signature creation.

Vendors can claim conformance to an existing PP — such as EN 419 221-5 for hardware security modules (HSMs) or EN 419 241-2 for signature activation modules (SAMs) — to demonstrate compliance with well-defined industry standards. Aligning with a PP ensures the product is evaluated against consistent and recognized criteria, enabling mutual recognition across jurisdictions and simplifying audits under eIDAS and other digital trust frameworks.

From the perspective of the eIDAS 2 Regulation, a QSCD will be composed of an HSM holding a CC EAL4+ certification that claims conformance to the PP EN 419 221-5, and a SAM holding a CC EAL4+ certification that claims conformance to the PP EN 419 241-2.
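To make that composition rule concrete, here is an added example (not Entrust's code and not part of the CC standard) that models it as a conformance check: it parses EAL claims, verifies the Protection Profile conformance claim of each component, and reports findings for an HSM/SAM pair. The product names in the sample certificates are constructed, and the treatment of augmentation (a '+' or listed SAR components is required at the minimum level, a strictly higher EAL is accepted as-is) is a simplifying assumption.

```python
import re
from dataclasses import dataclass

EAL_RE = re.compile(r"^EAL([1-7])(\+)?$")
# eIDAS 2 QSCD composition rule as stated above: each component needs a CC EAL4+
# certificate claiming conformance to its Protection Profile.
QSCD_RULE = {"HSM": ("EN 419 221-5", "EAL4+"), "SAM": ("EN 419 241-2", "EAL4+")}

@dataclass
class CCCertificate:
    product: str
    eal: str                                # e.g. "EAL4+"
    protection_profiles: frozenset          # PPs claimed in the Security Target
    augmentations: frozenset = frozenset()  # SAR augmentations, e.g. "ALC_FLR.2"

def parse_eal(eal: str) -> tuple[int, bool]:
    """Return (level, augmented) for strings such as 'EAL4' or 'EAL4+'."""
    m = EAL_RE.match(eal.strip().upper())
    if not m:
        raise ValueError(f"unrecognised EAL string: {eal!r}")
    return int(m.group(1)), m.group(2) == "+"

def check_component(cert: CCCertificate, required_pp: str, min_eal: str) -> list[str]:
    """Return findings for one component; an empty list means it satisfies the rule."""
    findings = []
    level, augmented = parse_eal(cert.eal)
    req_level, req_augmented = parse_eal(min_eal)
    if level < req_level:
        findings.append(f"{cert.product}: EAL{level} is below required {min_eal}")
    # Assumption: a strictly higher EAL is accepted as-is; at the required level
    # the augmentation ('+' or listed SAR components) must actually be present.
    elif req_augmented and not (augmented or cert.augmentations or level > req_level):
        findings.append(f"{cert.product}: {min_eal} requires an augmented evaluation")
    if required_pp not in cert.protection_profiles:
        findings.append(f"{cert.product}: no conformance claim to {required_pp}")
    return findings

def qscd_findings(hsm: CCCertificate, sam: CCCertificate) -> list[str]:
    """Apply the composition rule to an HSM/SAM pair and collect every finding."""
    findings = []
    for role, cert in (("HSM", hsm), ("SAM", sam)):
        pp, eal = QSCD_RULE[role]
        findings += check_component(cert, pp, eal)
    return findings

# Constructed sample pair; the SAM entry mirrors the claims listed on this page.
SAMPLE_HSM = CCCertificate("Example HSM", "EAL4+", frozenset({"EN 419 221-5"}))
SAMPLE_SAM = CCCertificate("Signature Activation Module 1.1.1", "EAL4+",
                           frozenset({"EN 419 241-2"}), frozenset({"ALC_FLR.2", "AVA_VAN.5"}))
```

Calling `qscd_findings(SAMPLE_HSM, SAMPLE_SAM)` returns an empty list; swapping in a SAM that claims only EN 419 221-5 at plain EAL4 yields one finding for the missing augmentation and one for the wrong Protection Profile.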

Common Criteria continues to evolve to meet the demands of modern cybersecurity and digital trust frameworks — including closer alignment with the EU’s Cybersecurity Act and the emerging EU Cybersecurity Certification Scheme. These developments emphasize continuous assurance, vulnerability management, and lifecycle security for certified products.

As part of these advancements, Entrust Signature Activation Module 1.1.1 has achieved Common Criteria EAL4+ certification, augmented with ALC_FLR.2 (flaw remediation) and AVA_VAN.5 (advanced vulnerability analysis), and claiming the PP EN 419 241-2.

This certification provides a high level of assurance in the SAM’s design, testing, and ongoing security maintenance — supporting compliance with European cybersecurity and digital trust regulations, including eIDAS. The augmentations validate Entrust’s mature vulnerability management processes and its ability to identify, remediate, and defend against advanced attack scenarios.

Entrust nShield HSMs provide a secure root of trust that’s tested and certified to the rigorous EN 419 221-5 Protection Profile under Common Criteria, helping organizations maintain compliance and strengthen confidence in their cryptographic operations.

Our Solo XC, Connect XC, nShield 5c and nShield 5s models deliver tamper-resistant protection for key generation, encryption, and signing. Available in multiple form factors and as a service, they support diverse deployment requirements.

For organizations deploying remote signing services, Entrust offers the Signature Activation Module 1.1.1, now certified at EAL4+. When paired with an Entrust HSM, it forms an eIDAS-compliant Qualified Signature Creation Device — enabling trusted, standards-based electronic signatures and seals across regulated industries.

Want to learn more about our nShield HSMs? Download our latest eBook on hardware security modules today.