What is the EU Cybersecurity Certification Scheme on Common Criteria?

The EU Cybersecurity Certification Scheme on Common Criteria (EUCC) is an internationally recognized European Union-wide standard for evaluating and certifying IT security. It confirms that IT products and systems meet defined security requirements transparently, reliably and independently. The EUCC plays a key role in the certification of security technologies across regulated industries, public authorities and the private sector. For businesses, it offers guidance and confidence, particularly for sensitive data, critical infrastructure and cloud services.

To achieve Common Criteria certification, manufacturers must provide a Security Target (ST). Ideally, the manufacturer can refer to an existing and recognized Protection Profile (PP). The PP states generic security objectives for a class of IT products, independent of any implementation, while the ST details the concrete security features of the product and maps them to the PP. Accredited labs in every EU member state evaluate the product against these documents and report to the national certification body. Depending on scope, the process can take several months. Under the Cybersecurity Act, Germany’s BSI serves as the EUCC certification authority.

As cyber threats evolve and digitalization increases, so does the demand for verifiably secure IT products. The EUCC provides reliable benchmarks to help manufacturers and users assess and ensure IT security. Organizations in critical sectors such as energy, finance and healthcare rely on these standards to meet legal obligations and reduce risks. In an increasingly connected and regulated world, the EU Cybersecurity Certification Scheme on Common Criteria ensures that trust is not just promised but demonstrable and certifiable.