European Cybersecurity Certificate (EUCC)
Overview
For critical products (Annex IV CRA), a European Cybersecurity Certificate (EUCC) at least at assurance level "substantial" is required. The EUCC is based on the EU Cybersecurity Act (Regulation (EU) 2019/881) and the Common Criteria framework (ISO/IEC 15408).
LEGAL BASIS
Art. 24(3) CRA: For critical products listed in Annex IV, a European cybersecurity certificate at assurance level "substantial" or higher must be obtained.
Regulation (EU) 2019/881 (Cybersecurity Act): Defines the European framework for cybersecurity certification.
EUCC Scheme (Implementing Regulation (EU) 2024/482): Specifies the European Common Criteria-based certification scheme.
Applicability
| Category | EUCC required? |
|---|---|
| Default | No |
| Class I | No |
| Class II | No |
| Critical (Annex IV) | Yes |
Annex IV Product Categories
The following products are classified as critical:
- Hardware security modules (HSM)
- Smartcards and similar devices (incl. secure elements)
- Smartcard readers
- Sensors and actuators for robots and machine controls
- Smart meter gateways
Assurance Levels
The EUCC defines two levels, based on Common Criteria Evaluation Assurance Levels (EAL):
| EUCC Level | Common Criteria | Examination Depth | Typical Use |
|---|---|---|---|
| Substantial | EAL 3-4 | Methodically tested and checked | Minimum for CRA Annex IV |
| High | EAL 5-7 | Semi-formally/formally verified | High-security products |
For the CRA, at least the "substantial" level is required.
Procedure
1. Select an Evaluation Facility (ITSEF)
- ITSEF = IT Security Evaluation Facility
- Must be accredited under ISO/IEC 17025
- Must be recognised by the national cybersecurity certification authority
- In Germany: BSI (Federal Office for Information Security) as the responsible authority
2. Create Protection Profile / Security Target
Security Target (ST)
The Security Target defines:
- TOE (Target of Evaluation) – Precise description of the product to be evaluated
- Security problem – Threats, organisational security policies, assumptions
- Security objectives – For the TOE and the operational environment
- Security requirements – Functional (SFR) and assurance (SAR)
- TOE summary – How the requirements are met
Protection Profile (PP)
If a relevant Protection Profile exists, it should be referenced. This simplifies the evaluation as security requirements are already standardised.
3. Evaluation
The ITSEF conducts the evaluation:
| EAL | Evaluation Activities |
|---|---|
| EAL 1 | Functionally tested |
| EAL 2 | Structurally tested |
| EAL 3 | Methodically tested and checked |
| EAL 4 | Methodically designed, tested and checked |
| EAL 5 | Semi-formally designed and tested |
| EAL 6 | Semi-formally verified |
| EAL 7 | Formally verified |
For CRA Annex IV, typically EAL 3 or EAL 4 is required ("substantial" level).
4. Certification
Upon successful evaluation:
- ITSEF produces Evaluation Technical Report (ETR)
- National certification body (e.g., BSI) reviews the ETR
- EUCC certificate is issued
- Certificate is published in the EU cybersecurity certification database
5. Maintenance
- Certificate validity: Limited (typically 3-5 years)
- Assurance continuity: For minor changes (maintenance update)
- Re-evaluation: For significant changes
- Vulnerability management: Ongoing obligation for vulnerability handling
Timeline
| Phase | Estimated Duration |
|---|---|
| Security Target creation | 2-4 months |
| ITSEF selection and engagement | 1-2 months |
| Evaluation (EAL 4) | 6-12 months |
| Certification by national body | 2-4 months |
| Total | approx. 12-24 months |
LEAD TIME
EUCC evaluations are extensive and time-consuming. Begin planning at least 18-24 months before the planned market launch.
Costs
| Cost Factor | Estimated Range |
|---|---|
| Security Target creation | EUR 15,000 - 50,000 |
| Evaluation (EAL 3-4) | EUR 50,000 - 200,000 |
| Certification fees | EUR 5,000 - 15,000 |
| Maintenance / Re-evaluation | EUR 20,000 - 100,000 |
| Total (initial assessment) | approx. EUR 70,000 - 265,000 |
Note: Actual costs depend heavily on product complexity and target EAL.
Relevance for BAUER GROUP
Based on the Product Classification:
| Annex IV Category | Affects BAUER GROUP? | Action |
|---|---|---|
| Hardware security modules (HSM) | No (usage, not manufacturing) | None |
| Smartcards / Secure elements | No (typically) | None |
| Smart meter gateways | Check | If energy products are manufactured |
| Sensors/actuators for robots | Check | If safety-critical controls are manufactured |
CURRENT STATUS
Based on current assessment, no BAUER GROUP products fall under Annex IV. This assessment is reviewed for each new product and when Delegated Acts are amended.
Transitional Provisions
- Art. 24(5) CRA: As long as no suitable EUCC scheme exists for an Annex IV product category, Module B+C may be applied as an alternative
- The EU Commission may add further products to Annex IV via Delegated Act
- Manufacturers must actively monitor the development of Implementing Acts
Checklist: EUCC
- [ ] Product classification completed (Annex IV confirmed)
- [ ] Relevant Protection Profile identified (if available)
- [ ] Security Target created
- [ ] ITSEF identified and contacted
- [ ] Evaluation contract concluded
- [ ] Evaluation materials provided (source code, documentation, test plans)
- [ ] Evaluation passed / remediation implemented
- [ ] ETR reviewed by national body
- [ ] EUCC certificate received
- [ ] Certificate published in EU database
- [ ] Maintenance plan established
- [ ] EU Declaration of Conformity issued (Template)
- [ ] CE marking applied