Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC)

Type: Implementing Regulation
Publication: 2024-01-31
State: In force
Department: European Commission, CNECT
Source: EUR-Lex

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter and scope

This Regulation sets out the European Common Criteria-based cybersecurity certification scheme (EUCC).

This Regulation applies to all information and communication technologies (‘ICT’) products, including their documentation, which are submitted for certification under the EUCC, and to all protection profiles which are submitted for certification as part of the ICT process leading to the certification of ICT products.

Article 2

Definitions

For the purposes of this Regulation, the following definitions shall apply:

(1) ‘Common Criteria’ means the Common Criteria for Information Technology Security Evaluation, as set out in standards ISO/IEC 15408-1:2022, ISO/IEC 15408-2:2022, ISO/IEC 15408-3:2022, ISO/IEC 15408-4:2022 or ISO/IEC 15408-5:2022, or set out in Common Criteria for Information Technology Security Evaluation, version CC:2022, Parts 1 through 5, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security;

(2) ‘Common Evaluation Methodology’ means the Common Methodology for Information Technology Security Evaluation, as set out in standard ISO/IEC 18045:2022, or the Common Methodology for Information Technology Security Evaluation, version CEM:2022, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security;

(3) ‘target of evaluation’ means an ICT product or part thereof, or a protection profile as part of an ICT process, which is subjected to cybersecurity evaluation to receive EUCC certification;

(4) ‘security target’ means a claim of implementation-dependent security requirements for a specific ICT product;

(5) ‘protection profile’ means an ICT process that lays down the security requirements for a specific category of ICT products, addressing implementation-independent security needs, and that may be used to assess ICT products falling into that specific category for the purpose of their certification;

(6) ‘evaluation technical report’ means a document produced by an ITSEF to present the findings, verdicts and justifications obtained during the evaluation of an ICT product or a protection profile in accordance with the rules and obligations set out in this Regulation;

(7) ‘ITSEF’ means an Information Technology Security Evaluation Facility, which is a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008 that performs evaluation tasks;

(8) ‘AVA_VAN level’ means an assurance vulnerability analysis level that indicates the degree of cybersecurity evaluation activities carried out to determine the level of resistance against potential exploitability of flaws or weaknesses in the target of evaluation in its operational environment as set out in the Common Criteria;

(9) ‘EUCC certificate’ means a cybersecurity certificate issued under the EUCC for ICT products, or for protection profiles that can be used exclusively in the ICT process of certification of ICT products;

(10) ‘composite product’ means an ICT product that is evaluated together with another underlying ICT product that has already received an EUCC certificate and on whose security functionality the composite ICT product depends;

(11) ‘national cybersecurity certification authority’ means an authority designated by a Member State pursuant to Article 58(1) of Regulation (EU) 2019/881;

(12) ‘certification body’ means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008, which performs certification activities;

(13) ‘technical domain’ means a common technical framework related to a particular technology for the harmonised certification with a set of characteristic security requirements;

(14) ‘state-of-the-art document’ means a document which specifies evaluation methods, techniques and tools that apply to the certification of ICT products, or security requirements of a generic ICT product category, or any other requirements necessary for certification, in order to harmonise evaluation, in particular of technical domains or protection profiles;

(15) ‘market surveillance authority’ means an authority defined in Article 3(4) of Regulation (EU) 2019/1020;

(16) ‘product series’ means a set of ICT products by an applicant, built upon the same functional basis in order to address the same security needs, having a design, hardware, firmware or software which may vary from one ICT product to another;

(17) ‘minor change’ means any change in the certified target of evaluation or its environment that does not adversely impact the assurance expressed in the EUCC certificate;

(18) ‘major change’ means any change in the certified target of evaluation or its environment that may adversely impact the assurance expressed in the EUCC certificate.

Article 3

Evaluation standards

The following standards shall apply to evaluations performed under the EUCC scheme:

(a) the Common Criteria;

(b) the Common Evaluation Methodology.

Until 31 December 2027, a certificate may be issued under the EUCC scheme applying either of the following standards:

(a) ISO/IEC 15408-1:2009, ISO/IEC 15408-2:2008 or ISO/IEC 15408-3:2008;

(b) Common Criteria for Information Technology Security Evaluation, version 3.1, revision 5, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security;

(c) ISO/IEC 18045:2008;

(d) Common Methodology for Information Technology Security Evaluation, revision 5, version 3.1, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security.

A certificate applying the standards referred to in paragraph 1 may also be issued under the EUCC scheme claiming conformance to a protection profile that has applied either of the following standards, provided that the use of such protection profile is required under Commission Implementing Regulation (EU) 2016/799 (1), Regulation (EU) No 910/2014 of the European Parliament and of the Council (2) or Commission Implementing Decision (EU) 2016/650 (3):

(a) Common Criteria for Information Technology Security Evaluation, version 3.1, revision 1 to 4, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security;

(b) Common Methodology for Information Technology Security Evaluation, version 3.1, revision 1 to 4, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security.

Article 4

Assurance levels

Article 5

Methods for certifying ICT products

Certification of an ICT product shall be carried out against its security target:

(a) as defined by the applicant; or

(b) claiming conformance to a certified protection profile as part of the ICT process, where the ICT product falls in the ICT product category covered by that protection profile.

Article 6

Conformity self-assessment

A conformity self-assessment within the meaning of Article 53 of Regulation (EU) 2019/881 shall not be permitted.

CHAPTER II

CERTIFICATION OF ICT PRODUCTS

SECTION I

Specific standards and requirements for evaluation

Article 7

Evaluation criteria and methods for ICT products

An ICT product submitted for certification shall, as a minimum, be evaluated in accordance with the following:

(a) the applicable elements of the standards referred to in Article 3;

(b) the security assurance requirements classes for vulnerability assessment and independent functional testing, as set out in the evaluation standards referred to in Article 3;

(c) the level of risk associated with the intended use of the ICT products concerned pursuant to Article 52 of Regulation (EU) 2019/881 and their security functions that support the security objectives set out in Article 51 of Regulation (EU) 2019/881;

(d) the applicable state-of-the-art documents listed in Annex I; and

(e) the applicable certified protection profiles listed in Annex II.

Certification of ICT products at AVA_VAN level 4 or 5 shall only be possible in the following scenarios:

(a) where the ICT product is covered by any technical domain listed in Annex I, it shall be evaluated in accordance with the applicable state-of-the-art documents of those technical domains;

(b) where the ICT product falls into a category of ICT products covered by a certified protection profile that includes AVA_VAN levels 4 or 5 and that has been listed as a state-of-the-art protection profile in Annex II, it shall be evaluated in accordance with the evaluation methodology specified for that protection profile;

(c) where points (a) and (b) of this paragraph are not applicable and where the inclusion of a technical domain in Annex I or of a certified protection profile in Annex II is unlikely in the foreseeable future, and only in exceptional and duly justified cases, subject to the conditions set out in paragraph 4.

SECTION II

Issuance, renewal and withdrawal of EUCC certificates

Article 8

Information necessary for certification and evaluation

Applicants for certification may provide to the certification body and ITSEF appropriate evaluation results from prior certification pursuant to:

(a) this Regulation;

(b) another European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881;

(c) a national scheme referred to in Article 49 of this Regulation.

Applicants for certification shall also provide the certification body and the ITSEF with the following information:

(a) the link to their website containing the supplementary cybersecurity information referred to in Article 55 of Regulation (EU) 2019/881;

(b) a description of the applicant’s vulnerability management and vulnerability disclosure procedures.

Article 9

Conditions for issuance of an EUCC certificate

The certification bodies shall issue an EUCC certificate where all of the following conditions are met:

(a) the category of ICT product falls within the scope of the accreditation, and where applicable of the authorisation, of the certification body and the ITSEF involved in the certification;

(b) the applicant for certification has signed a statement undertaking all commitments listed in paragraph 2;

(c) the ITSEF has concluded the evaluation without objection in accordance with the evaluation standards, criteria and methods referred to in Articles 3 and 7;

(d) the certification body has concluded the review of the evaluation results without objection;

(e) the certification body has verified that the evaluation technical reports provided by the ITSEF are consistent with the provided evidence and that the evaluation standards, criteria and methods referred to in Articles 3 and 7 have been correctly applied.

The applicant for certification shall undertake the following commitments:

(a) to provide the certification body and the ITSEF with all the necessary complete and correct information, and to provide additional necessary information if requested, including an English version of the security target;

(b) not to promote the ICT product as being certified under the EUCC before the EUCC certificate has been issued;

(c) to promote the ICT product as being certified only with respect to the scope set out in the EUCC certificate;

(d) to cease immediately the promotion of the ICT product as being certified in the event of the suspension, withdrawal or expiry of the EUCC certificate;

(e) to ensure that the ICT products sold with reference to the EUCC certificate are strictly identical to the ICT product subject to the certification;

(f) to respect the rules of use of the mark and label established for the EUCC certificate in accordance with Article 11.

Article 10

Content and format of an EUCC certificate

Article 11

Mark and label

The mark and label shall be set out as in Annex IX and contain:

(a) the assurance level and the AVA_VAN level of the certified ICT product;

(b) the unique identification of the certificate, consisting of:

(1) the name of the scheme;

(2) the identification number, in accordance with Article 3 of Implementing Regulation (EU) 2024/3143, of the certification body that has issued the certificate;

(3) year of issuance of the initial certificate;

(4) identification number assigned by the certification body that has issued the certificate.

The mark and label shall be accompanied by a QR code with a link to a website containing at least:

(a) the information on the validity of the certificate;

(b) the necessary certification information as set out in Annexes V and VII;

(c) the information to be made publicly available by the holder of the certificate in accordance with Article 55 of Regulation (EU) 2019/881; and

(d) where applicable, the historic information related to the specific certification or certifications of the ICT product to enable traceability.

Article 12

Period of validity of an EUCC certificate

Article 13

Review of an EUCC certificate

Following the results of the review, and where applicable of the re-evaluation, the certification body shall:

(a) confirm the EUCC certificate;

(b) withdraw the EUCC certificate in accordance with Article 14;

(c) withdraw the EUCC certificate in accordance with Article 14 and issue a new EUCC certificate with an identical scope and an extended validity period; or

(d) withdraw the EUCC certificate in accordance with Article 14 and issue a new EUCC certificate with a different scope.

Article 14

Withdrawal of an EUCC certificate

CHAPTER III

CERTIFICATION OF PROTECTION PROFILES

SECTION I

Specific standards and requirements for evaluation

Article 15

Evaluation criteria and methods

A protection profile shall be evaluated, as a minimum, in accordance with the following:

(a) the applicable elements of the standards referred to in Article 3;

(b) the level of risk associated with the intended use of the ICT products concerned pursuant to Article 52 of Regulation (EU) 2019/881 and their security functions that support the security objectives set out in Article 51 of that Regulation; and

(c) the applicable state-of-the-art documents listed in Annex I.

A protection profile covered by a technical domain shall be certified against the requirements set out in that technical domain.

SECTION II

Issuing, renewing and withdrawing EUCC certificates for protection profiles

Article 16

Information necessary for certification and evaluation of protection profiles

An applicant for certification of a protection profile shall provide or otherwise make available to the certification body and the ITSEF all information necessary for the certification and evaluation activities in a complete and correct form. Article 8(2), (3), (4) and (7) shall apply mutatis mutandis.

Article 17

Issuance of EUCC certificates for protection profiles

A protection profile shall be certified solely by:

(a) a national cybersecurity certification authority or another public body accredited as certification body; or

(b) a certification body, upon prior approval by the national cybersecurity certification authority for each individual protection profile.

Article 18

Period of validity of an EUCC certificate for protection profiles

Article 19

Review of an EUCC certificate for protection profiles

Following the results of the review, and where applicable of the re-evaluation, the certification body shall do one of the following:

(a) confirm the EUCC certificate;

(b) withdraw the EUCC certificate in accordance with Article 20;

(c) withdraw the EUCC certificate in accordance with Article 20 and issue a new EUCC certificate with an identical scope and an extended validity period;

(d) withdraw the EUCC certificate in accordance with Article 20 and issue a new EUCC certificate with a different scope.

Article 20

Withdrawal of an EUCC certificate for a protection profile

CHAPTER IV

CONFORMITY ASSESSMENT BODIES

Article 20a

Specification of requirements for accreditation of conformity assessment bodies

The accreditation of conformity assessment bodies shall take into account the specification of requirements for accreditation of certification bodies and ITSEFs as laid down in the applicable state-of-the-art documents listed in point 2 of Annex I.

Article 21

Additional or specific requirements for a certification body

A certification body shall be authorised by the national cybersecurity certification authority to issue EUCC certificates at assurance level ‘high’ where that body demonstrates, in addition to meeting the requirements laid down in Article 60(1) and the Annex to Regulation (EU) 2019/881 regarding accreditation of conformity assessment bodies, the following:

(a) it has the expertise and competences required for the certification decision at assurance level ‘high’;

(b) it conducts its certification activities in cooperation with an ITSEF authorised in accordance with Article 22; and

(c) it has the requisite competences and has put in place appropriate technical and operational measures to effectively protect confidential and sensitive information for assurance level ‘high’, in addition to the requirements set out in Article 43.

In its assessment, the national cybersecurity certification authority may reuse any appropriate evidence from prior authorisation or similar activities granted pursuant to:

(a) this Regulation;

(b) another European cybersecurity certification scheme adopted pursuant to Article 49 of Regulation (EU) 2019/881;

(c) a national scheme referred to in Article 49 of this Regulation.

Article 22

Additional or specific requirements for an ITSEF

An ITSEF shall be authorised by the national cybersecurity certification authority to carry out the evaluation of ICT products which are subject to certification under the assurance level ‘high’, where the ITSEF demonstrates that, in addition to meeting the requirements laid down in Article 60(1) and the Annex to Regulation (EU) 2019/881 regarding accreditation of conformity assessment bodies, it complies with all of the following conditions:
