European Common Criteria-based cybersecurity certification scheme (EUCC), state-of-the-art documents specifying evaluation methods, techniques and tools


Eurosmart’s feedback:

Eurosmart welcomes the constant efforts of the European Commission and the European Cybersecurity Certification Group (ECCG) subgroup on EUCC maintenance (EsEm) to update the EU Common Criteria-based cybersecurity certification scheme (EUCC). While the proposal introduces some positive elements, we believe there are key areas that require further attention to ensure effective international recognition, a smoother transition period, and a more agile and efficient update mechanism for the annexed documents.

1.    Continuity Beyond 2027: Need for Certification Using CCRA Protection Profiles

Article 3.2 (revised): “Until 31 December 2027, an ICT product may be certified against its security target, which incorporates a protection profile issued under national cybersecurity certification schemes that have applied the standards listed in Article 49(4), points (a) to (d).”

While this provision is positive, it remains insufficient. There is a clear need to allow certification using Common Criteria Recognition Arrangement (CCRA) Protection Profiles after the 2027 deadline. It must remain possible to claim conformance to a SOGIS PP, an EUCC PP, or a PP under the CCRA, and this information should be explicitly stated in both the certificate and the certification report.

Moreover, international recognition remains a significant uncertainty for the industry, even though it is essential for businesses. Member States should uphold existing mutual recognition rules, in particular the CCRA, until the EUCC scheme has an equivalent agreement with the international community. Additionally, the text does not include provisions for recognising Protection Profiles (PPs) that have been recognised outside the EU (as listed on the CC portal).

2.    Clarification on the Transition Period from CC 3.1 to CC:2022

There is a need for clarification regarding the transition from Common Criteria (CC) version 3.1 to CC:2022 in the EUCC certification scheme. Specifically:

  • Implementing Act, Article 2, points (1) and (2), have been amended to reference CC:2022.
  • Amended Article 3 introduces a transition period, allowing certificates to be issued under the EUCC scheme by applying the standards listed in Article 49(4), points (a) to (d), until 31 December 2027.
  • However, Article 49(4), points (a) to (d), still refer to CC v3.1.

This leads to the interpretation that CC v3.1 could still be used for EUCC certification of products, provided the certificate is issued before 31 December 2027. Further clarification is necessary to confirm this interpretation and to ensure a smooth transition between versions.

3.    Article 49.4(a) – ISO/IEC 15408-4:2009 and ISO/IEC 15408-5:2009

Article 49(4), point (a), references ISO/IEC 15408-4:2009 and ISO/IEC 15408-5:2009. Parts 4 and 5 of ISO/IEC 15408 did not exist in 2009; they were only introduced with the 2022 edition of the Common Criteria (CC), so the editions cited do not exist. It is therefore recommended that these incorrect references be removed to avoid confusion and to ensure alignment with the current standards.

4.    Annexes – Need for a More Dynamic and Efficient Update Process

Eurosmart has identified that several documents listed in Annex 1 are not final versions, and that other key documents are missing. This is likely due to ongoing work by the EsEm. However, the static nature of the annexes creates inefficiencies in maintaining up-to-date references: the process for updating them is cumbersome, which hinders the ability to reflect the latest state-of-the-art documents.

This approach is not suitable, for instance, for the list of recommended PPs. Eurosmart recommends a more agile approach that references a dynamic web portal maintained by ENISA or the Commission. Moreover, the act should specify the process for referencing these PPs. The current list of PPs in the annexes does not appear to be complete and up to date. Eurosmart has identified the following missing PPs:

PP reference                        | PP name                                  | Version                           | CC:2022 (Y/N)                      | Multi-Assurance
------------------------------------|------------------------------------------|-----------------------------------|------------------------------------|----------------
BSI-CC-PP-0109-2020                 | IoT Secure Element                       | Version 1.0.0, 13 January 2020    | N                                  | N
CCC-CP-023 (BSI-CC-PP-0119)         | Car Connectivity Consortium Digital Key  | Version 1.0, 16 October 2023      | N (draft expected for September 2024) | N
GSMA SGP.25.Base (BSI-CC-PP0100)    | Embedded UICC for Consumer Devices       | Version 2.0, 19 December 2023     | Y (note: not certified yet)        | N
BSI-CC-PP-0104-2019                 | Cryptographic Service Provider           | Version 0.9.8                     | N                                  | N
2024_10_16_EUCCupdateSOTAdocuments