What Common Criteria Certification Means for Your Products
Common Criteria (ISO/IEC 15408) is an international framework for evaluating and certifying the cybersecurity properties of IT products. It provides independent assurance that a product meets defined security requirements and has been assessed by an accredited evaluation laboratory.
In the European Union, Common Criteria evaluations are now delivered under the European Union Cybersecurity Certification Scheme (EUCC), which establishes a harmonized, EU-wide certification framework based on Common Criteria.
EUCC certificates are issued at Substantial (AVA_VAN.1 or 2) or High (AVA_VAN.3–5) assurance levels, with results published centrally by ENISA.
For product manufacturers, EUCC certification supports trust, regulatory acceptance, and market access across the EU and beyond.
What Common Criteria Certification Requires
Common Criteria certification is based on a structured evaluation of a defined Target of Evaluation (TOE) against specified security requirements.
Key elements of the evaluation include:
Definition of security requirements in a Security Target
Evaluation of product design, implementation, and guidance documentation
Assessment of development processes and lifecycle controls
Independent vulnerability analysis and penetration testing
Evaluations are performed against defined assurance levels; EUCC currently supports assurance levels aligned with the Common Criteria methodology.
EUCC certificates are issued at Substantial (AVA_VAN.1 or 2) or High (AVA_VAN.3–5) assurance levels, with results published centrally by ENISA and commoncriteriaportal.org.
Manufacturers must prepare detailed technical documentation (or seek advisory support to prepare it) and provide evidence demonstrating that the product meets the claimed security requirements.
Who Common Criteria Certification Applies To
Common Criteria and EUCC apply to IT products where independent cybersecurity assurance is required or expected.
This includes a wide range of products such as network devices, software applications, operating systems, cryptographic modules, embedded systems, and security-critical components. Applicability is driven by product function, assurance needs, and market or regulatory expectations rather than by industry sector.
Relationship to Other Regulations and Standards
Common Criteria and EUCC are used both as standalone certification schemes and as supporting mechanisms for regulatory compliance.
They are closely linked to:
EU product cybersecurity regulations, including the Cyber Resilience Act (CRA)
eIDAS requirements for qualified trust services and secure signature devices
Sector-specific procurement or regulatory requirements that mandate independent cybersecurity certification
EUCC is designed to replace national Common Criteria schemes within the EU, providing a single, harmonized certification framework.
How QIMA Supports Common Criteria and EUCC Certification
QIMA supports product manufacturers throughout the Common Criteria and EUCC certification process. Our services include advisory (consultancy services), independent Common Criteria evaluations performed in our laboratories, and support in preparing Security Targets and technical documentation. We also assist manufacturers in addressing evaluation findings and managing assurance continuity for product updates.
This expertise helps manufacturers navigate the EUCC framework efficiently while reducing certification risk and timelines.
Common Criteria and EUCC certification activities are delivered through QIMA’s Common Criteria testing laboratories and IT Security Evaluation Facilities (ITSEFs).
QIMA has experience evaluating products against a wide range of Common Criteria Protection Profiles and assurance packages, depending on product type and certification scope.
For suitable projects, accelerated evaluation timelines may be achievable, depending on product maturity, documentation readiness, and certification scope.
All evaluation activities are conducted within laboratories accredited to ISO/IEC 17025, ensuring that testing and assessment are carried out in accordance with internationally recognized competence and quality standards.
Talk to Our Cybersecurity Experts
If your products require independent cybersecurity certification under Common Criteria or EUCC, QIMA can support you from preparation through certification.
Contact us to discuss your requirements
Resources
Explore practical guidance on Common Criteria and EUCC certification.
Guide and Checklist for Common Criteria Evaluations (updated with EUCC Scheme) - E-book
Exploring EUCC: Legal, Market Impact, and Practical Application - On-Demand Webinar
EUCC Study - The New European Union Cybersecurity Certification Scheme - E-book
FAQs
Is EUCC mandatory?
EUCC is not universally mandatory, but it may be required under specific regulations, procurement rules, or market expectations.
How does EUCC differ from national Common Criteria schemes?
EUCC provides a harmonized EU-wide certification framework, replacing national schemes and enabling mutual recognition across EU Member States.
How long does a Common Criteria evaluation take?
Evaluation timelines vary depending on product complexity, assurance level, and documentation readiness. Early preparation can significantly reduce duration.
