EUCC and Cybersecurity Certification in Europe

The European Union Agency for Cybersecurity (ENISA) hosted a cybersecurity certification conference on April 18, 2024, in Brussels, Belgium. The conference very much focused on the implementation of the EUCC - European Cybersecurity Certification Scheme. This scheme, based on the established Common Criteria (CC), aims to harmonize cybersecurity assessments for Information and Communication Technology (ICT) products in Europe.

Transitioning phase
While the EUCC officially launched in February 2024, a transition period is in place to ensure a smooth shift from existing national schemes. Here's a breakdown of what to expect:

• 2024: This year serves as a grace period for national certifications. Existing certificates issued under national schemes remain valid until their expiration date.
• 2025 and beyond: It's anticipated that by 2025, the EUCC will become the dominant certification scheme across Europe. National schemes are expected to be phased out completely, making the EUCC the sole gateway for cybersecurity certification within the EU.

A Look Ahead: Embracing the EUCC
The EUCC signifies a positive step towards a more robust cybersecurity environment in Europe. As we move into the latter half of 2024 and beyond, here's what to keep in mind:

• National Cybersecurity Certification Authorities (NCCAs) and Conformity Assessment Bodies (CABs): Establish the necessary certification structure; achieve required authorizations and accreditation.
• Manufacturers: Familiarize yourself with the EUCC requirements and consider initiating the certification process for your products. Also, consider post-certification vulnerability handling requirements that will be enforced by the EUCC.
• Consumers: Look for the EUCC mark when purchasing ICT products and cloud services, signifying their adherence to a rigorous cybersecurity standard.

Market uptake
Predicting the exact pace of market uptake of the EUCC is difficult, but global certificate recognition, well defined and streamlined certification processes would make the scheme attractive to the manufacturers of the ICT products. The future of the EUCC might also be impacted by broader European cybersecurity regulations that could potentially mandate the use of the scheme for certain types of products.
Rasma Araby, from atsec information security, participated in the panel discussion “How to handle vulnerabilities in certified solutions,” discussing vulnerability management and disclosure procedures compliance with the obligations outlined in the EUCC.

What can atsec do for you?
Since the start of the ENISA initiative in 2018, we have been actively contributing to the EUCC development. We regularly inform our customers of the progress to help them benefit from EUCC certification. 
If you are interested in performing EUCC certification or have questions regarding our evaluation services, please do not hesitate to contact us (info@atsec.com). We look forward to working with you.