atsec is thrilled to announce it is the first accredited conformity assessment body (CAB) for the new EU Common Criteria (EUCC) certification scheme! With this accreditation, atsec can provide certifications and evaluations for both the Substantial and High1 assurance levels, as well as offer post-certification compliance support.
This is a major milestone, as the EUCC represents an evolution in cybersecurity regulations in the EU and a crucial requirement for ICT product manufacturers, given it provides a harmonized approach to security certification across the region.
atsec is a Conformity Assessment Body that provides both Information Technology Security Evaluation Facility (ITSEF) and Certification Body (CB) services, resulting in a seamless end-to-end EUCC certification process for manufacturers.
By offering both evaluation and certification, we eliminate unnecessary complexity and streamline the certification journey for manufacturers.
As you consider EUCC certification, here’s an overview of the four-step process to receive one:
- Determine the Required Assurance Level
- Substantial – cover vulnerability analysis at AVA_VAN level 1 or 2.
- High – cover vulnerability analysis AVA_VAN level 3, 4 or 5.
- Prepare Security Documentation
Each assurance level has requirements for security documentation, including providing guidance documentation, development & lifecycle evidence, test documentation. The manufacturers will need to provide the Security Target (ST) which can claim compliance to a Protection Profile (PP). - Conduct Independent Evaluation
The EUCC-approved ITSEF performs evaluation of your product against security assurance requirements defined in the ST. This includes:- Vulnerability Analysis & Penetration Testing
- Functional Testing
- Evaluating design and guidance documentation
- Certification
Once the evaluation is completed, the EUCC-approved CB issues an EUCC certificate, allowing your product to be recognized across the EU market.
It’s important to note that EUCC certification is not a one-time process—manufacturers must maintain security compliance after certification. Certificate holders are required to:
- Provide security guidance for end users to ensure secure configuration, installation, operation, and maintenance of the certified product.
- Commit to providing security updates and defining the period during which security updates and cybersecurity-related patches will be provided to end users.
- Establish a vulnerability disclosure process and maintain clear contact information and procedures for receiving vulnerability reports from end users and security researchers.
- Monitor and address publicly disclosed vulnerabilities and to reference online vulnerability repositories as well as respond to security advisories related to the certified product.
Failure to meet these requirements could impact the validity of the EUCC certificate.
Details for atsec’s accreditation and approvals can be found on our certificates page.
For more information about our EUCC services, please visit the CC evaluation and CC certification pages on our website.
- The authorization process with the National NCCA is ongoing. ↩︎
