EUCC Perspectives

In this post we examine the proposed European Cybersecurity Certification Scheme (EUCC). We’ll cover:

• What is EUCC?
• What is the status of EUCC?
• What has changed since the draft EUCC regulation was published?
• What impact will EUCC have on vendors?
• What impact will EUCC have on the certification industry?
• How is Lightship Security preparing for EUCC to support our clients?

What is EUCC?

EUCC is a European Commission proposal for the creation of an ICT product cybersecurity certification scheme based on Common Criteria. The birthplace of EUCC is the EU Cybersecurity Act (CSA).

In 2019 the CSA established a framework for the creation of European cybersecurity certification schemes covering ICT products, ICT services and ICT processes and gave the European Union Agency for Network and Information Security (ENISA) the mandate to implement the framework. The Dutch Authority for Digital Infrastructure have published a good CSA Overview noting that CSA certification is voluntary unless otherwise specified in other EU law or national law.

EUCC is the first proposed EU cybersecurity certification scheme under the CSA framework and is intended to replace SOG-IS – an EU specific Mutual Recognition Agreement (MRA) focused mainly on ‘Smartcards and Similar Devices’ and ‘Hardware Devices with Security Boxes’ per the SOG-IS Technical Domains. 

In its current form, EUCC is draft legislation covering:

1. General Provisions. Establishes CC as the relevant standard for ICT product evaluation and links vulnerability analysis levels (AVA_VAN) to the CSA assurance levels ‘substantial’ or ‘high’.
2. Certification of ICT products. Details on evaluation methods including ‘state of the art’ (aka supporting) documents. Rules for certificate issuance, validity, usage, and withdrawal.
3. Certification of Protection Profiles. Associated rules for Protection Profile certification.
4. Conformity Assessment Bodies. Requirements and rules for CABs which are split into Certification Bodies (CB) and labs (ITSEF).
5. Monitoring, non-conformity and non-compliance. Introduces a hierarchy of compliance monitoring between entities and includes market surveillance of certified ICT products. The consequences for failure to remediate non-conformances are identified, such as certificate suspension.
6. Vulnerability management and disclosure. Requires holders of EUCC certificates (vendors) to maintain vulnerability management procedures including reporting and disclosure requirements.
7. Retention, disclosure and protection of information. General requirements for protection and retention of information for involved entities. Designates ENISA as the publisher of related information including lists of certified products and accredited CABs.
8. Mutual recognition agreements with third countries. Rules for mutual recognition between the EU and third countries. Paragraph (29) indicates that mutual recognition agreements may be bi- or multilateral and should replace similar agreements currently in place.
9. Peer assessment of certification bodies. Rules for peer assessment among CBs (note that these may be commercial CBs).
10. Final provisions. Specifies transition timelines:
    • The Regulation shall apply from 12 months after entry into force
    • EU national schemes for products and processes covered by the EUCC shall cease to produce effects from 12 months after the entry into force
    • Evaluations may be initiated under EU national schemes within 12 months from entry into force provided they are finalized within 24 months
11. State of the art documents (Annex I – III). Mostly a reproduction of the Technical Domains and supporting documents from SOG-IS focused on smart cards and security boxes along with associated EU Protection Profiles.
12. Assurance continuity (Annex IV). Rules for assurance continuity similar to the existing framework, however it introduces requirements for patch management and associated reporting. This includes the requirement to report all patches within 5 working days to the CB and submit security relevant patches to the ITSEF for review (see II.4(6)). The wording for when this process applies in II.4(2) is not clear.
13. Sundry requirements (Annexes V – IX). Certification report details, Peer assessment details, EUCC Certificate details, Assurance package conventions, EUCC Mark and label.

What is the status of EUCC?

The draft regulation has been through a public comments phase which completed on 30^th of October 2023. The draft has since been updated and voted on in Comitology. The process is describe by ENISA in From Candidate to Certification Scheme. 

What has changed since the draft EUCC regulation was published?

The revised draft regulation that was voted on in Comitology is available at:

• Draft implementing regulation laying down rules for the application of Regulation 2019/881 as regards the adoption of the European Common Criteria-based cybersecurity certification scheme
• Annexes to the draft implementing regulation laying down rules for the application of Regulation 2019/881 as regards the adoption of the European Common Criteria-based cybersecurity certification scheme

Highlights:

• Mutual Recognition. Paragraph (29) revised: mutual recognition agreements may be bi- or multilateral and should replace similar agreements currently in place. In view of facilitating a smooth transition to such mutual recognition agreements, Member States may continue existing cooperation arrangements with third countries for a limited period.
• AVA_VAN 4/5. Clarification that evaluation at AVA_VAN level 4 or 5 shall only be possible where the ICT product is covered by a specified technical domain and state-of-the-art documents (defined in Annexes) or in exceptional and duly justified cases.
• Vulnerability management and disclosure. Major revisions to this section – vulnerability reporting is now only in response to reasonable CB requests or if the vendor’s own analysis indicates that a vulnerability has a likely impact on the conformity of the ICT product with its certificate – in such cases, an IAR must be submitted without undue delay.
• Transition phase. A transition phase has been introduced to allow EU national schemes to complete existing or new evaluations started within the first 12 months after entry into force. These must be completed within 24 months of entry into force.

What impact will EUCC have on vendors?

If vendors have not had to specifically pursue SOG-IS or EU specific certification in the past, then EUCC is not likely to have an immediate impact. Those vendors with EU specific certification requirements should pay close attention to the following sections of the draft regulations:

• Chapter VI Vulnerability management and disclosure
• Annex IV.4 Patch Management

Vendors with ongoing evaluations in EU schemes may be impacted, depending on the timeline of the evaluation in consideration of the transition phase. Longer term, the real impact to vendors will depend on any new EU or national laws that mandate CSA / EUCC certification.

Finally, the impact to vendors will not fully be known until EU CCRA participation and mutual recognition are settled.

What impact will EUCC have on the certification industry?

There is no doubt that EUCC has set the proverbial cat among the pigeons. In particular, the requirements relating to vulnerability management, patch management and market surveillance all address one of the perceived weaknesses of CC head on – the fact that it is a point in time static certification. While this may be painful medication, it is needed if CC is to remain relevant in the future. It remains to be seen if and how the non-EU CCRA nations adapt to this change.

If successfully implemented and gracefully merged with CCRA, the EUCC will result in a stronger certification industry with new opportunities for all involved.

How is Lightship Security preparing for EUCC?

Lightship is part of the European headquartered Applus+ Laboratories division.  We, along with our European colleagues are paying close attention to these developments to understand how EUCC is evolving and how to best support our clients internationally as it gets rolled out.  Ultimately, we will be in a good position to provide seamless coverage for vendors who require EUCC certificates in the future as part of their overall product certification strategy.

Contact us if you have any questions about how EUCC might affect your certification strategy. We’ll be at the EU Cyber Acts Conference if you’d like to discuss in person. Hope to see you there!