The first EU Cybersecurity Certification Framework, known as the European Cybersecurity Scheme on Common Criteria (the “EUCC”), was adopted on 31 January 2024.

The Cybersecurity Act, EU Regulation 2019/881 (the “Act”), tasks and empowers the European Union Agency for Cybersecurity (“ENISA”) to support EU policy in the cybersecurity field whilst establishing and maintaining a Cybersecurity Framework (hereinafter the “Framework”) at EU level. The Framework is to provide assurance for ICT products, ICT services and processes, and to strengthen trust in the digital internal market and its competitiveness. This is done through technical standards, requirements, and rules and procedures to be applied across the EU.

ENISA, acting under the provisions of the Act and the Framework, and after having set up an Ad Hoc Working Group (hereinafter “AHWG”), issued the EUCC, which aims to succeed the pre-existing schemes under the Senior Officials Group Information Systems Security (hereinafter “SOG-IS”) agreement, whilst also paving the way for further schemes that are in preparation.

The EUCC is voluntary and is based on the time-proven SOG-IS Common Criteria evaluation framework already used across 17 EU Member States. It consists of an assessment process that demonstrates assurance through a common EU assessment certifying ICT products such as technological components, hardware and software.

In due course, the EUCC is expected to replace the national certification schemes previously operating under the SOG-IS agreement. Once it applies and replaces them, SOG-IS certificates may be converted into EUCC certificates after being adjusted to the requirements specified in the EUCC. This certification is therefore meant to incentivise suppliers to abide by the certification requirements, which in return will allow certified EU businesses to compete at national, Union and global levels.

Further to the adoption of the EUCC, it should be noted that ENISA is currently working on two more cybersecurity certification schemes, namely the EU Cybersecurity Scheme for Cloud Services (the “EUCS”) and the 5G Cybersecurity Certification (the “EU5G”), whilst also working on the feasibility of EU cybersecurity certification requirements for AI and supporting the EU Commission in establishing a certification strategy for the eIDAS/wallet.

For more information or assistance on Cybersecurity related issues, please contact Dr Ian Gauci.

Disclaimer: This article is not intended to impart legal advice, and readers are asked to seek verification of statements made before acting on them.