As cybersecurity frameworks continue to evolve, organizations that are already familiar with Common Criteria may find themselves navigating new terminology, regional initiatives, and emerging certification schemes. With the introduction of European Union efforts, it can feel as though an entirely new framework is taking shape that requires a fresh approach to evaluation and compliance.

But is this truly a new system, or a continuation of what already exists?

A common misconception is that European Union Common Criteria represents a complete departure from the established certification model. In reality, these initiatives are built upon the same foundational principles, with adjustments that reflect regional priorities and regulatory direction rather than a wholesale reinvention.

This post is the fifth and final installment in our series, Deconstructing Common Criteria: 5 Myths and Realities, which explores the assumptions that shape how organizations approach certification. While each post stands on its own, together they illustrate how Common Criteria continues to evolve—highlighting not only how organizations achieve certification, but how they adapt to changes that influence long-term strategy, global market access, and ongoing compliance.

---

Myth #5: European Union Common Criteria is a completely new certification framework.

At first glance, the European Union’s approach to cybersecurity certification—often associated with terms like “EUCC” or frameworks tied to the Cybersecurity Act—can appear to introduce an entirely new system.

This perception is understandable. New governance structures, updated terminology, and evolving regulatory drivers can make it seem like organizations must start from scratch when pursuing certification in the EU.

Reality: EU certification builds on existing Common Criteria foundations—it does not replace them

Despite the new terminology and regulatory context, European Union certification efforts are not a departure from Common Criteria—they are an evolution of it. The EUCC is simply the scheme that is performing evaluations under Common Criteria.

Common Criteria itself is already an internationally recognized framework used to evaluate the security of IT products, with mutual recognition across participating countries under the Common Criteria Recognition Arrangement (CCRA).

What the European Union is doing is leveraging that existing foundation and adapting it to align with regional policy goals, regulatory oversight, and assurance needs.

---

Understanding What’s Actually Changing

• Governance and Oversight Are Becoming More Centralized

One of the most noticeable shifts is organizational. EU initiatives introduce more centralized governance and coordination across member states. This can influence how certifications are managed, reviewed, and maintained, but it does not fundamentally change the underlying evaluation methodology. It is still Common Criteria.

• Alignment with Broader EU Cybersecurity Policy

European certification frameworks are being shaped to support broader regulatory efforts, such as supply chain security, digital sovereignty, and risk management across critical sectors.

This means certification may be more tightly integrated into compliance requirements—but again, the technical evaluation roots remain grounded in Common Criteria.

• Continued Reliance on Established Evaluation Concepts

Common Criteria elements still apply, including Defined security requirements (e.g., Protection Profiles or Security Targets), Independent lab evaluations, Certification by an authoritative body and international recognition mechanisms. These are not new concepts as they are the same building blocks organizations have been working with for years.

• Potential for Expanded Assurance and Lifecycle Expectations

Where organizations may see differences is in expectations around ongoing assurance and maintenance, certification lifecycle management and alignment with evolving regulatory requirements. These shifts reflect changing risk environments instead of a replacement of the certification framework itself.

---

What This Means for Your Certification Strategy

Understanding that EU certification efforts are an extension—not a replacement—of Common Criteria has important implications:

• You can leverage existing Common Criteria knowledge and artifacts
• You should plan for regional nuances, not a full restart
• Early alignment can help avoid duplicate work or conflicting requirements
• A unified strategy can support both global and regional market access

Organizations that recognize this continuity are better positioned to adapt efficiently as certification landscapes evolve.

Learn more about identifying the right evaluation path with a with a Common Criteria Assessment. and start the conversation early to significantly improve program predictability and learn how structured planning can help define a clear evaluation path while supporting successful market entry.

---

The introduction of European Union certification frameworks does not signal the arrival of an entirely new system as much as it reflects the continued evolution of an established one.

As with the other myths in this series, the key is not just understanding the framework but understanding how it is evolving.

For organizations building products intended for government, defense, and regulated industries, Common Criteria remains one of the most widely recognized pathways to demonstrate product security assurance. Yet despite its longevity and global adoption, Common Criteria is often misunderstood—sometimes in ways that delay market entry, increase cost, or create false confidence in compliance readiness.

These misconceptions are not limited to a single function. Product managers may question applicability, engineers may underestimate documentation rigor, and sales teams may assume market access is unaffected by certification status. The result is a fragmented understanding of what Common Criteria actually requires and what it enables.

As the European Union continues to reshape its cybersecurity regulatory landscape, product vendors face a growing need for clarity, alignment, and practical guidance. Corsec is pleased to announce our attendance at the 7th International Conference on the EU Cyber Security and Resilience Acts, taking place March 24–26 in Brussels.

Key Tracks & Sessions Corsec Will Be Following

Throughout the conference, Corsec will be actively engaging across several tracks that are particularly relevant to manufacturers:

• The EU Cybersecurity Agenda 2025–2029: What It Means for Industry
  This track provides a strategic view of the Commission’s priorities for the next legislative cycle, including CRA implementation, NIS 2 enforcement, and the future direction of certification schemes. For vendors, these discussions shape long‑term product and compliance planning.
• From Regulation to Reality: How the EC Is Supporting CRA Implementation Across Europe
  Sessions focused on how the European Commission is supporting harmonized CRA adoption offer insight into what “compliance” will look like in practice—and where flexibility or risk remains for manufacturers preparing today.
• Certification in Practice: From EUCC to CRA Conformity
  These discussions explore how EUCC, EUCS, and other schemes relate to CRA obligations. Understanding this mapping is essential for vendors deciding where certification adds value versus where it introduces unnecessary cost or duplication.
• Designing for Lifecycle Security and Post‑Market Responsibility
  CRA Articles addressing vulnerability reporting, patch delivery, and supply‑chain assurance are a major shift for many organizations. This track highlights what continuous compliance means beyond initial market entry.
• Panel Discussion: AI Act Cybersecurity—Real-World Risks, Requirements, and What Comes Next
  “The EU’s AI Act introduces sweeping new cybersecurity expectations—along with plenty of uncertainty. In this panel discussion, experts will break down how the rules reshape AI deployment, what “compliance” actually requires in practice, and where the biggest technical and organizational challenges lie. Panelists will provide a clear view of the security measures regulators expect, how to implement them without blowing up existing workflows, and what these obligations mean for your company’s risk landscape.”
• The Cost of Compliance: New Realities for Testing, Assessment, and Post-Market Obligations
  As assessment, testing, and post‑market obligations expand, vendors must budget realistically for long‑term compliance. This track addresses the emerging cost structures and tradeoffs organizations will face.
• What Market Surveillance Authorities Expect from Manufacturers under the CRA
  “What manufacturers need to provide under the CRA, information and supporting evidence to enable verification of compliance and assurance of requirements.”
• Too Much Already, Supply Chain Security? A Sensible Approach to Rating True Potential Vulnerabilities Is Needed
  “Threat modeling and product-context analysis to cut through the ~140 daily EUVD CVE filings and distinguish real, exploitable vulnerabilities from inflated worst-case assessments.”
• Vulnerability Management in Consumer IoT: Why No IoT Manufacturer Is Ready for CRA Vulnerability Management (And How to Fix It)
  With increasing scrutiny from Market Surveillance Authorities, manufacturers must be prepared to demonstrate not only secure design, but effective vulnerability monitoring, reporting, and remediation over time.
• Panel Discussion: Navigating Fragmented Global Cyber Regulations
  With overlapping global frameworks—from CRA and EUCC to international standards—this panel addresses whether meaningful harmonization is achievable and what manufacturers can do in the meantime.

What is The EUCC?

The European Union Cybersecurity Act (EUCC) is a framework for evaluating security of Information and Communication Technology (ICT) products and services. It was originally defined in the Cybersecurity Act (EU 2019/881) in March of 2019. This act also created the European Union Agency for Cybersecurity (ENISA), establishing it as an EU Agency and defining the EUCC framework at a very high level. The act was amended in December 2024 to add managed security services as part of the certification schemes. An implementing act, which clarified the framework was published in January 2024.

For more information and background on EUCC, read our previous post on “The EUCC and What It Means For You“.

What is Common Criteria?

Common Criteria is an international cybersecurity standard recognized by 33 countries, or schemes.  18 of these schemes participate as certificate authorizing entities). While Common Criteria offers a common framework for evaluating products, each national certifying scheme was allowed to establish their own rules for doing so. Over the years certain nations have made more large scale changes to the framework. While these changes initially create turmoil, the Common Criteria community works to integrate the changes in the overall framework. We see this with NIAP in the U.S. when they moved to certifying only Protection Profile based certifications.

We are now seeing it again, as the EU, and specifically ENISA, have created the EUCC.

How is EUCC Affecting CC?

This shift to the EUCC will impact all vendors seeking evaluation in Europe. After Feb 27, 2025, certifications within the EU will need to use the EUCC framework, EU schemes will no longer approve Common Criteria evaluations.

The EUCC still uses the Common Criteria standard as a framework for evaluation but now emphasizes vulnerability assessment. Instead of the classical Evaluation Assurance Level (EAL) products will be classified by the vulnerability level that is sought. What used to be an EAL 2, is now assurance level Substantial and conforms with AVA_VAN level 1 or 2. Additionally an assurance class AVA_PAM will now cover patch management of the certified products. Protection Profiles will also be used, however, only 2 main profiles exist currently: Smart Cards and Hardware Devices. We anticipate more being created over time.

This move to focus on vulnerabilities goes deeper than the certification itself. In the past, if your product achieved certification, it was valid until the Expiration Date. Some schemes stated they could remove the product due to vulnerabilities, but it was rarely, if ever done. In the EUCC, schemes are accountable for reviewing their certified products and ensuring that no vulnerabilities exist against them. Managing vulnerabilities, patches, and certification will become a continual effort and not just a once every few years problem. The scheme vulnerability review also appears to be enforced retroactively on currently certified products. Vendors should consider having a plan in place prior to releasing CVEs.

Scheme and labs are still learning the nuances of EUCC and undergoing evaluation by ENISA to be approved for processing and issuing certificates. National schemes who were previously the highest authority on the standard, must now conform with EU requirements.

The standard does include more flexibility. Labs can now work with multiple schemes within the EUCC and not just one national scheme. Some labs may be able to issue Substantial certificates without needing a national scheme review. All certification of the High level (previously EAL 4 or higher), must be reviewed by a national scheme.

What’s Next?

The Common Criteria members have all stated that mutual recognition is the goal. We anticipate a bumpy ride while the EU starts implementing this new standard and other national schemes work with the EU to move towards mutual recognition.

For now, it seems that selling within the EU will require conformance to EUCC standards and selling the U.S. will highly recommend using a NIAP approved PP.

The good news is Corsec can help vendors with either EUCC or CC evaluations. Finding the right path to meet all of your customers needs will be a challenge that Corsec is happy to help solve.

There has been a great deal of discussion on a new certification process originating in Europe, specifically related to cybersecurity.  Corsec outlines what the new certification is, how it will apply to vendors around the world, as well as what to expect next.