European Commission
Products covered (HS or CCCN where applicable, otherwise national tariff heading. ICS numbers may be provided in addition, where applicable): The draft certification scheme primarily covers specialised IT and ICT equipment, such as integrated circuits, smart cards and related products (cryptographic elements, microcontrollers, dedicated software), network devices and systems (routers, switches, access points) and products for digital signatures (cryptographic modules, hardware security modules, secure servers). The draft certification scheme is not aimed at general-purpose or consumer products.
Title, number of pages and language(s) of the notified document: Draft Commission Implementing Regulation laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC); (34 page(s), in English), (18 page(s), in English)
Description of content: This draft Commission Implementing Regulation introduces the European Union Common Criteria-based certification scheme (EUCC) as the first scheme under the CSA certification framework.
The European cybersecurity certification framework aims at increasing the trustworthiness of ICT products, ICT services and ICT processes by means of European cybersecurity certification schemes, as certification demonstrates that the scheme's cybersecurity requirements have been met. The framework also aims at avoiding the overlap of cybersecurity certification schemes across the Member States, reducing costs for undertakings operating in the digital single market as well as making available, transparent and comparable assurance statements to customers by means of certificates including marks and labels.
The scheme builds on international standards (see point 8). The requirements and conformity assessment procedures are based on international standards.
Objective and rationale, including the nature of urgent problems where applicable: By providing scalable assurance about cybersecurity measures up to the highest sophistication of cyberattacks, the EUCC scheme will enhance trust in the digital single market. EUCC certification provides coherent and consistent information about cybersecurity properties in a value chain so that customers can make informed decisions. In EUCC certification, cybersecurity claims of an ICT product extend over their lifecycle. EUCC certification increases the probability of discovering and removing unwarranted risks, such as illicit data exfiltration, and thus discourages the placing of insecure products on the market; Consumer information, labelling; Prevention of deceptive practices and consumer protection; Quality requirements
The EUCC builds on two standards (publicly available on the ISO website): Common Criteria for Information Technology Security Evaluation, as set out in EN ISO/IEC 15408; and Common Methodology for Information Technology Security Evaluation, as set out in EN ISO/IEC 18045.
The basis for this implementing regulation is Regulation (EU) No 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology security certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
Both standards are used by the international Common Criteria community convened under the CCRA.
Proposed date of adoption: 4th Quarter 2023
Proposed date of entry into force: 20 days from publication in the Official Journal of the EU, with some provisions applying one year after entry into force.
Texts available from: National enquiry point [ ] or address, telephone and fax numbers and email and website addresses, if available, of other body:
European Commission,
EU-TBT Enquiry Point,
Fax: + (32) 2 299 80 43,
E-mail: grow-eu-tbt@ec.europa.eu
The text is available on the EU-TBT Website: http://ec.europa.eu/growth/tools-databases/tbt/en/