Glossary · EU Cybersecurity Certification

EUCC (European Cybersecurity Certification scheme on Common Criteria)

The first EU-wide cybersecurity certification scheme adopted under the Cybersecurity Act. Adopted by Commission Implementing Regulation 2024/482 in February 2024. Applies to ICT products (hardware, software, components) and is based on the international Common Criteria standard, with EU-specific assurance levels.

## What EUCC actually is

EUCC is the **European Cybersecurity Certification scheme on Common Criteria**. It is the first cybersecurity certification scheme adopted at EU level under the framework established by the EU Cybersecurity Act (Regulation 2019/881). EUCC was adopted in **February 2024** via Commission Implementing Regulation 2024/482, after several years of preparatory work led by [ENISA](/en/glossary/enisa/). It covers ICT products — hardware, software, and components — and is built on the international Common Criteria standard (ISO/IEC 15408), which has been the global baseline for product-level cybersecurity certification since the 1990s.

Importantly, EUCC is **not** the same as [EUCS](/en/glossary/eucs/). EUCC is for products. EUCS is the proposed (and contested) scheme for cloud services. The two are sister regulations addressing different categories.

## Why EUCC matters

Before EUCC, cybersecurity certification of ICT products in Europe was fragmented across national schemes. France had CSPN (issued by ANSSI). Germany had BSI's Common Criteria certification. The Netherlands, Italy, Spain, and the Nordics had their own variants. A product certified in one country was not automatically recognised in another, even when both certifications were based on Common Criteria.

EUCC closes that gap by creating a single EU-wide certification with mutual recognition across all Member States. A device certified at EUCC "high" assurance level in Germany now has the same legal standing in France, Italy, and across the EU.

## What EUCC certifies

EUCC certifies *Targets of Evaluation* — typically:

- **Hardware security modules (HSMs)** — for cryptographic key management
- **Smart cards and secure elements** — payment cards, eID chips, SIM cards
- **Embedded systems** — for IoT, industrial control, automotive
- **Operating system kernels and security-critical components**
- **Network equipment** — firewalls, encryption appliances
- **PKI / certificate authority products**

The certificate covers the actual product, evaluated against a defined set of security functional requirements at a stated assurance level.

## EUCC assurance levels

EUCC defines two assurance levels above the "basic" baseline of the Cybersecurity Act:

### Substantial

Equivalent to Common Criteria EAL 1 to EAL 4. Includes vulnerability assessment based on publicly known threats, basic penetration testing, and standard documentation requirements. Suitable for general-purpose security products.

### High

Equivalent to Common Criteria EAL 5 to EAL 7. Includes advanced vulnerability assessment, sophisticated penetration testing against state-actor-level threats, formal security modelling for critical functions, and extensive design documentation review. Required for products handling national security, critical infrastructure, or major financial transactions.

Both assurance levels involve laboratory evaluation by an accredited Conformity Assessment Body. "High" level certifications additionally require national certification authority (NCA) oversight — meaning the national cybersecurity agency (ANSSI in France, BSI in Germany) directly validates the evaluation.

## How EUCC relates to existing schemes

EUCC explicitly subsumes and replaces existing national schemes based on Common Criteria:

| Pre-EUCC scheme | Country | Status under EUCC |
|---|---|---|
| CSPN | France (ANSSI) | Continues for now; EUCC "substantial" overlap |
| BSI Common Criteria | Germany | EUCC certifications fully recognised |
| OCSI | Italy | EUCC fully integrated |
| CCN | Spain | EUCC certifications recognised |
| NSCIB | Netherlands | EUCC fully integrated |

National schemes continue to exist during a transition period. Eventually they will either be subsumed into EUCC or maintained for very narrow use cases (e.g. national-classification products).

## Mandatory vs voluntary

Under the Cybersecurity Act framework, EU cybersecurity certifications are by default *voluntary*. Suppliers may certify their products to gain commercial advantage, but they are not compelled to.

Member States may, however, make EUCC certification *mandatory* for specific product categories under national law. Several are doing so:

- **France**: ANSSI is making EUCC effectively mandatory for products supplying public-sector procurement and operators of essential services
- **Germany**: BSI is integrating EUCC certification into critical infrastructure regulation
- **Estonia, Finland, Netherlands**: aligning national procurement frameworks toward EUCC preference

The [Cyber Resilience Act](/en/glossary/cyber-resilience-act/), which mandates product-level cybersecurity requirements EU-wide, references EUCC as a recognised conformity assessment route. Products with EUCC certification benefit from presumption of conformity under CRA. This is the major adoption driver.

## EUCC and US-headquartered vendors

Unlike [SecNumCloud](/en/glossary/secnumcloud/) and the contested EUCS sovereignty criteria, EUCC does not impose corporate-structure or jurisdiction requirements on the *vendor*. A US-headquartered hardware maker can obtain EUCC certification for a product designed and manufactured in compliance with the standard.

What EUCC does require is that the *evaluation* be performed by an EU-based accredited laboratory under EU oversight. The product can be made anywhere; the evaluation must happen inside the EU regulatory perimeter. This is consistent with the Common Criteria tradition — globally recognised, locally evaluated.

## What EUCC means in practice

### For ICT product manufacturers

If you sell hardware security modules, smart cards, secure embedded systems, or network security appliances into EU markets, EUCC certification is becoming a baseline expectation rather than a differentiator. Public-sector and regulated-industry buyers increasingly will not accept non-EUCC products for sensitive use cases.

### For EU buyers

EUCC certification is meaningful evidence of product security. A product holding EUCC "high" certification has been through evaluation by an accredited EU laboratory under national cybersecurity authority oversight. This is materially different from self-declared security claims.

### For US and global suppliers

EUCC participation requires investment — typically €200,000 to €500,000 for a "substantial" level certification of a moderately complex product; significantly more for "high" level. This barrier is intentional. Suppliers willing to invest in EUCC certification signal serious commitment to EU markets.

### For cybersecurity researchers

The published EUCC certification reports become high-quality public documentation of product security characteristics. The reports are searchable through ENISA's certification database.

## What 2026-2027 brings

- **More products certified at EUCC "high"** as the scheme matures
- **EUCS finalisation** — the cloud-service sister scheme, still politically contested over sovereignty criteria
- **EU 5G certification scheme** following the EUCC pattern, likely 2027
- **EU AI certification** under discussion as a possible third EU-level scheme
- **Cross-recognition negotiations** with non-EU certification regimes (notably US FIPS and emerging UK schemes)

## Practical implications

- **For European businesses choosing ICT products**: EUCC certification is meaningful and increasingly procurement-relevant
- **For European ICT manufacturers**: certification investment is becoming necessary for serious EU public-sector positioning
- **For US/global manufacturers**: EUCC participation is the path to EU public-sector access for security-critical products
- **For EU regulators**: EUCC is the foundation; expect parallel schemes for cloud (EUCS), 5G, AI, and other technology domains

EUCC sets the precedent for EU-level cybersecurity certification working across borders without prejudicing sovereignty. EUCS — for cloud — is the same question with much more politically contested answers.