Skip to content
Search our site  
    February 26, 2024

    EUCC implemented. Now what or so what?

    On January 31, the EU announced on their website the adoption of the “first-ever European cybersecurity certification scheme”. This sounds like a big thing, and Thierry Breton, Commissioner for Internal Market, said that this would ensure products like ID cards and routers are cyber secure. But what is EUCC, and how does it fit in with some of the other schemes already in process for ensuring the cybersecurity of products in Europe?

    Cybersecurity Act and EUCC

    The Cybersecurity Act (CSA) introduced in 2019 an ambitious effort to enhance the cybersecurity of Europe and defined 3 levels of security assurance: Basic, Substantial and High. It encompasses both Products, Services and Processes, however in this article we will focus on cybersecurity for Products only.

    The EU Common Criteria (EUCC) is a voluntary certification scheme under the CSA, for products of assurance level Substantial and High. The EUCC Scheme is described in a rather voluminous 283 pages document, largely based on the international Common Criteria (CC) Certification scheme. 
    The CC scheme is an international certification scheme with mutual international recognition. 

    Within the international CC scheme, Europa has already an internal recognition agreement called SOG-IS, so this new EUCC will in other words replace the existing European SOG-IS. 

    Cyber Resilience Act

    In short, the Cyber Resilience Act (CRA) is very similar to CE marking directives like the Low Voltage Directive and the EMC Directive. The Act itself is quite short, main part being 34 pages, but is referring to European Harmonized standards for the technical requirements. Like most other EU directives CRA is mandatory but for most products a self-declaration is allowed when using harmonized standards. The CRA is expected to be implemented from early 2024, and mandatory from early 2027.

    The Radio Equipment Directive (RED)

    RED is the dark horse that took many by surprise when they put into force it’s sleeping cybersecurity clauses, effectively making cybersecurity mandatory for many wireless products in EU. The date for mandatory compliance was set to 1 August 2024, but as the harmonized standards could not be published in time, this date has been moved to 1 August 2025.

    The cybersecurity requirements in RED are however temporary and will be revoked when CRA becomes mandatory in 2027, replacing the RED requirements for cybersecurity.


    EUCC - Now What or So What? 

    The clickbait answer would be: “EUCC – So What?”, and this is correct for most products and manufacturers. For the vast number of manufacturers, it is first the RED and then the CRA which are the directives to pay attention to, and as for the RED, coming next year, it’s getting quite urgent!

    The somewhat boring answer is – it’s both! For manufacturers that today are using Common Criteria certifications it is definitely “Now What?”. The EUCC will be very important as this is the new scheme going forward in Europe. Also, compliance to the voluntary EUCC will be accepted as documentation for the mandatory CRA scheme.

    But what is the “problem” with EUCC? Why can’t all simply use EUCC to comply to CRA? A short answer is that a typical Common Criteria project can easily take more than a year to complete and at a cost of 100k USD and even way beyond this, whilst using a CRA harmonized standard will be a fraction of this.  The total number of active CC certificates world-wide is also quite low, about 1500.

    So, in conclusion – for those needing CC certificate for instance suppliers of equipment such as

    • Defense industry
    • Critical infrastructure
    • Secure money transfer 

    EUCC is a very important change. For most manufacturers however, the CRA is what is important.

    And -if still confused of what will be the best way for your products to meet the coming regulations, simply book a free online meeting with one of our experts in cyber security! 


    Book a free online meeting with a cybersecurity expert.



    PS: Did I mention that the UK will introduce mandatory IoT requirements from April 2024?

    See the on-demand webinar here.


    Geir Hørthe

    Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...

    Other posts you might be interested in