Eurosmart’s Feedback on the Draft EUCC Implementing Act

Executive summary

Eurosmart welcomes the European Commission’s proposed amendments to the EU Cybersecurity Certification Scheme on Common Criteria (EUCC). While broadly supportive of the objectives, Eurosmart identifies several areas where clarification and adjustments appear necessary to ensure practicality and alignment with existing practices:

1. Definition of Major Changes

The current definition only covers changes with a negative impact. Eurosmart recommends extending it to any significant change, whether positive or negative, that affects the assurance of the certified product.

2. Security Target Publication

Only sanitised versions of security targets should be made publicly available. This ensures consistency with Annex V of Implementing Regulation 2024/482 and protects sensitive information.

3. Application of State-of-the-Art (SotA) Documents

It must be made clear that SotA documents are applicable only if published before the start of an evaluation. Once an evaluation has started, the version in force at that time should continue to apply, to avoid rework and inconsistencies.

4. Clarity on Protection Profiles (PPs)

Annex II should explicitly list the mandatory PPs (at AVA_VAN.4 or AVA_VAN.5), while Annex III should clearly cover the recommended PPs. Eurosmart calls for clarification on whether Annex III PPs must become EUCC-certified or be recognised as SotA documents.

5. Re-Assessment and Patch Management

The re-assessment process must clearly define outcomes: either confirmation or modification of assurances, depending on results.

Patch handling procedures should clarify when a new certificate is (or is not) issued, ensuring alignment between the Annex IV provisions and Articles 13 and 19 of the Regulation.

6. Annex V: Intended Use and Certification Reporting

Requirements for intended use should be more specific and less subjective, to ensure clear understanding across all stakeholders.

Certification bodies should not be burdened with summarising vulnerability management procedures; instead, certificate holders should provide this information publicly, in line with Article 8(b).