29 Oct 2023
EU Common Criteria (EUCC) Certification Scheme
Draft implementing regulation establishing the European cybersecurity certification scheme (EUCC) based on Common Criteria (CC)
Eurosmart and its members are delighted to be able to contribute to the implementation of the first European certification scheme. This initial scheme underscores the rigor and technical expertise of Common Criteria in Europe, an area in which Eurosmart and its members have been active contributors for many years.
The release of this implementing regulation represents a substantial stride towards a more cyber-resilient Europe. While commending the efforts of the Commission, the Member States, and ENISA, Eurosmart also wishes to provide constructive feedback for the scheme’s practical implementation.
Eurosmart has categorized its feedback into two parts. The first part highlights elements deemed highly critical, requiring necessary modifications. The second part focuses on elements that Eurosmart believes should receive additional technical implementation clarifications. Moreover, Eurosmart encourages the legislator to pay special attention to the following points:
International recognition remains a significant uncertainty for many stakeholders, even though it is essential for businesses. Member States should uphold mutual recognition rules, particularly the Common Criteria Recognition Arrangement (CCRA), until the European Union Cybersecurity Certification (EUCC) has an equivalent agreement with international communities. Additionally, the text does not include provisions for recognizing Protection Profiles (PPs) that have been recognized outside the EU (as listed on the CC portal).
Transitional period and SOG-IS transposition
In line with the Cybersecurity Act, the text envisions an abrupt termination of national schemes, while some certificates may remain valid. The management of these certificates remains unresolved, and the current text does not explicitly outline a clear transposition procedure. Eurosmart advocates for a 2-year grace period, but this remains a transitional solution and does not resolve the issue of mutual recognition. Within 2 years, SOG-IS certificates must be transitioned into EUCC certificates. The open question is how the transposition of SOG-IS and the implementation of the EUCC will simplify and enhance the efficiency of certifications within the already extensively employed technical domains, where there is a significant demand for such streamlining.
Monitoring Activities and Other Additional Efforts under Chapter V
Many provisions are described that will result in additional efforts for Certification Authorities (CABs) and Information Technology Security Evaluation Facilities (ITSEFs). The text does not specify who will bear these costs.
There are few references to scheme maintenance in the text. An ad-hoc working group from ENISA (TG-M) has developed an ISAC (Information Sharing and Analysis Centre) proposal to ensure the continuity of the Joint Interpretation Library Working Groups (JIL-WGs). The recitals in the current text only refer to subgroups within the ECCG organised by technical domain. Limiting maintenance to such an approach would neither encourage the in-depth involvement of private stakeholders nor stimulate efficient collaboration between public and private actors.
List of SOTA Documents
The implementing act refers to dynamic documents initiated by the ECCG. However, by referencing a certain number of documents in the annex of this act, their legal updates become exceedingly complex. Furthermore, the list of Protection Profiles (PPs) does not appear to be up to date. Will future PPs require a new delegated act in order to be referenced?