<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Product Security Certification Archives - Corsec Security, Inc.®</title>
	<atom:link href="https://www.corsec.com/tag/product-security-certification/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.corsec.com/tag/product-security-certification/</link>
	<description>Corsec helps companies complete security certifications and validations like FIPS 140-3, Common Criteria, CSfC, &#38; the DoDIN APL / UC APL.</description>
	<lastBuildDate>Thu, 07 May 2026 19:10:56 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.corsec.com/wp-content/uploads/cropped-Corsec-Logo-SiteMap-32x32.png</url>
	<title>Product Security Certification Archives - Corsec Security, Inc.®</title>
	<link>https://www.corsec.com/tag/product-security-certification/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Deconstructing Common Criteria: Myth #5</title>
		<link>https://www.corsec.com/common-criteria-myth-5/</link>
		
		<dc:creator><![CDATA[Mary Broerman]]></dc:creator>
		<pubDate>Thu, 07 May 2026 14:12:48 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Common Criteria]]></category>
		<category><![CDATA[EUCC]]></category>
		<category><![CDATA[Certification Strategy]]></category>
		<category><![CDATA[EU Common Criteria]]></category>
		<category><![CDATA[Product Security Certification]]></category>
		<guid isPermaLink="false">https://www.corsec.com/?p=22547</guid>

					<description><![CDATA[<p>The post <a href="https://www.corsec.com/common-criteria-myth-5/">Deconstructing Common Criteria: Myth #5</a> appeared first on <a href="https://www.corsec.com">Corsec Security, Inc.®</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element" >
		<div class="wpb_wrapper">
			<p data-start="125" data-end="524">As cybersecurity frameworks continue to evolve, organizations that are already familiar with <span style="color: #ff6600;"><a style="color: #ff6600;" href="https://www.corsec.com/common-criteria/" target="_blank" rel="noopener">Common Criteria</a></span> may find themselves navigating new terminology, regional initiatives, and emerging certification schemes. With the introduction of European Union efforts, it can feel as though an entirely new framework is taking shape that requires a fresh approach to evaluation and compliance.</p>
<p data-start="526" data-end="599">But is this truly a new system, or a continuation of what already exists?</p>
<p data-start="601" data-end="927">A common misconception is that European Union Common Criteria represents a complete departure from the established certification model. In reality, these initiatives are built upon the same foundational principles, with adjustments that reflect regional priorities and regulatory direction rather than a wholesale reinvention.</p>
<p data-start="929" data-end="1403" data-is-last-node="" data-is-only-node="">This post is the fifth and final installment in our series, <a href="https://www.corsec.com/cc-myths/" target="_blank" rel="noopener"><em>Deconstructing Common Criteria: 5 Myths and Realities</em></a><em>,</em> which explores the assumptions that shape how organizations approach certification. While each post stands on its own, together they illustrate how Common Criteria continues to evolve—highlighting not only how organizations achieve certification, but how they adapt to changes that influence long-term strategy, global market access, and ongoing compliance.</p>
<hr />
<h3 data-section-id="mfpduf" data-start="1641" data-end="1739">Myth #5: European Union Common Criteria is a completely new certification framework.</h3>
<p data-start="1012" data-end="1221">At first glance, the European Union’s approach to cybersecurity certification—often associated with terms like “EUCC” or frameworks tied to the Cybersecurity Act—can appear to introduce an entirely new system.</p>
<p data-start="1223" data-end="1436">This perception is understandable. New governance structures, updated terminology, and evolving regulatory drivers can make it seem like organizations must start from scratch when pursuing certification in the EU.</p>
<h3 data-section-id="1vvs0d5" data-start="2112" data-end="2193">Reality: EU certification builds on existing Common Criteria foundations—it does not replace them</h3>
<p data-start="1549" data-end="1707">Despite the new terminology and regulatory context, European Union certification efforts are not a departure from Common Criteria—they are an evolution of it. The EUCC is simply the scheme that is performing evaluations under Common Criteria.</p>
<p data-start="1709" data-end="1981">Common Criteria itself is already an internationally recognized framework used to evaluate the security of IT products, with mutual recognition across participating countries under the Common Criteria Recognition Arrangement (CCRA).</p>
<p data-start="1983" data-end="2150">What the European Union is doing is leveraging that existing foundation and adapting it to align with regional policy goals, regulatory oversight, and assurance needs.</p>
<hr />
<h3 data-start="2608" data-end="2759">Understanding What’s Actually Changing</h3>
<ul>
<li><span role="text"><strong data-start="2365" data-end="2426">Governance and Oversight Are Becoming More Centralized</strong></span></li>
</ul>
<p data-start="2427" data-end="2498">One of the most noticeable shifts is organizational. EU initiatives introduce more centralized governance and coordination across member states. This can influence how certifications are managed, reviewed, and maintained, but it does not fundamentally change the underlying evaluation methodology. It is still Common Criteria.</p>
<ul>
<li><strong>Alignment with Broader EU Cybersecurity Policy</strong></li>
</ul>
<p data-start="2809" data-end="2995">European certification frameworks are being shaped to support broader regulatory efforts, such as supply chain security, digital sovereignty, and risk management across critical sectors.</p>
<p data-start="2997" data-end="3170">This means certification may be more tightly integrated into compliance requirements—but again, the technical evaluation roots remain grounded in Common Criteria.</p>
<ul>
<li data-start="2997" data-end="3170"><strong>Continued Reliance on Established Evaluation Concepts</strong></li>
</ul>
<p data-start="3242" data-end="3295">Common Criteria elements still apply, including defined security requirements (e.g., Protection Profiles or Security Targets), independent lab evaluations, certification by an authoritative body, and international recognition mechanisms. These are not new concepts; they are the same building blocks organizations have been working with for years.</p>
<ul>
<li data-start="3224" data-end="3374"><strong>Potential for Expanded Assurance and Lifecycle Expectations</strong></li>
</ul>
<p data-start="3721" data-end="3787">Where organizations may see differences is in expectations around ongoing assurance and maintenance, certification lifecycle management and alignment with evolving regulatory requirements. These shifts reflect changing risk environments instead of a replacement of the certification framework itself.</p>
<hr data-start="1636" data-end="1639" />
<h3 data-start="6348" data-end="6684">What This Means for Your Certification Strategy</h3>
<p data-start="4530" data-end="4655">Understanding that EU certification efforts are an extension—not a replacement—of Common Criteria has important implications:</p>
<ul data-start="4657" data-end="4953">
<li data-section-id="18aug0l" data-start="4657" data-end="4730">You can <strong data-start="4667" data-end="4728">leverage existing Common Criteria knowledge and artifacts</strong></li>
<li data-section-id="fg0rvm" data-start="4731" data-end="4795">You should <strong data-start="4744" data-end="4773">plan for regional nuances</strong>, not a full restart</li>
<li data-section-id="1fmazil" data-start="4796" data-end="4877">Early alignment can help avoid <strong data-start="4829" data-end="4875">duplicate work or conflicting requirements</strong></li>
<li data-section-id="ixqgbt" data-start="4878" data-end="4953">A unified strategy can support <strong data-start="4911" data-end="4953">both global and regional market access</strong></li>
</ul>
<p data-start="4955" data-end="5078">Organizations that recognize this continuity are better positioned to adapt efficiently as certification landscapes evolve.</p>
<p data-start="4955" data-end="5078">Learn more about identifying the right evaluation path with a <span style="color: #ff6600;"><a style="color: #ff6600;" href="https://www.corsec.com/CC-assessment/" target="_blank" rel="noopener">Common Criteria Assessment</a></span>, and start the conversation early to significantly improve program predictability and learn how structured planning can help define a clear evaluation path while supporting successful market entry.</p>
<hr data-start="1636" data-end="1639" />
<p data-start="5108" data-end="5280">The introduction of European Union certification frameworks does not signal the arrival of an entirely new system as much as it reflects the continued evolution of an established one.</p>
<p data-start="5440" data-end="5565">As with the other myths in this series, the key is not just understanding the framework but understanding how it is evolving.</p>

		</div>
	</div>
</div></div></div></div>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Deconstructing Common Criteria: Myth #3</title>
		<link>https://www.corsec.com/deconstructing-common-criteria-myth-3/</link>
		
		<dc:creator><![CDATA[Mary Broerman]]></dc:creator>
		<pubDate>Thu, 23 Apr 2026 18:32:08 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Common Criteria]]></category>
		<category><![CDATA[Product Security Certification]]></category>
		<category><![CDATA[Protection Profile Alignment]]></category>
		<category><![CDATA[Security Target]]></category>
		<guid isPermaLink="false">https://www.corsec.com/?p=22519</guid>

					<description><![CDATA[<p>The post <a href="https://www.corsec.com/deconstructing-common-criteria-myth-3/">Deconstructing Common Criteria: Myth #3</a> appeared first on <a href="https://www.corsec.com">Corsec Security, Inc.®</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element" >
		<div class="wpb_wrapper">
			<p data-start="280" data-end="773">When organizations begin exploring <span style="color: #ff6600;"><a style="color: #ff6600;" href="https://www.corsec.com/common-criteria/" target="_blank" rel="noopener">Common Criteria</a></span>, one of the first questions they face is whether their product aligns with an existing requirements framework &#8211; a Protection Profile. In environments where certification pathways appear structured around predefined requirements, products that fall outside those boundaries can seem difficult to analyze for evaluation.</p>
<p data-start="775" data-end="1224">This uncertainty frequently shapes early planning decisions. Teams may hesitate to initiate certification discussions if they believe their product does not align to an existing Protection Profile, assuming that evaluation pathways are limited to predefined product categories. In reality, Common Criteria was designed to support a wide range of technologies, including those that introduce new functionality or operate in evolving technical spaces.</p>
<p data-start="1226" data-end="1634">This post is the third segment in our series, <a href="https://www.corsec.com/cc-myths/" target="_blank" rel="noopener"><em>Deconstructing Common Criteria: 5 Myths and Realities</em></a><em>,</em> which examines the assumptions that most often shape how organizations approach Common Criteria certification. While each post is designed to stand on its own, together they provide a clearer view into the decisions that influence certification success across product, engineering, and leadership teams.</p>
<hr data-start="1636" data-end="1639" />
<h3 data-section-id="mfpduf" data-start="1641" data-end="1739"><span role="text"><strong data-start="1644" data-end="1739">Myth 3: “My product does not align to a Protection Profile, so evaluation is not possible.”</strong></span></h3>
<p data-start="1741" data-end="2110">Among the myths explored in this series, this assumption often emerges during early practicality discussions. When teams review Protection Profiles and fail to identify a direct match, certification can appear out of reach. This perception can lead organizations to postpone planning efforts or dismiss certification altogether, even when viable pathways exist.</p>
<h3 data-section-id="1vvs0d5" data-start="2112" data-end="2193"><span role="text"><strong data-start="2116" data-end="2193">Reality: Protection Profile alignment is not the only path to evaluation.</strong></span></h3>
<p data-start="2195" data-end="2632">While Protection Profiles provide structured, widely recognized sets of security requirements for specific product types, they are only one component of the Common Criteria ecosystem. Products that do not align directly to an existing Protection Profile may still be evaluated using alternative approaches, most commonly through the development of a custom Security Target that defines the product’s security functionality and evaluation scope. This approach is evaluated against an Evaluation Assurance Level or EAL.</p>
<p data-start="2634" data-end="3095">EAL evaluations allow organizations to describe their product’s intended security capabilities in a structured and testable manner. Rather than forcing alignment to predefined requirements, this approach enables evaluation based on the product’s actual design and implementation. In many cases, emerging technologies, specialized platforms, or products with unique architectural features are evaluated successfully through an EAL evaluation.</p>
<p data-start="3097" data-end="3657">In addition, Protection Profiles themselves continue to evolve. As technology landscapes shift, new profiles are developed to address emerging product categories and security needs. Organizations participating in modern development cycles may find that today’s gap between their product and existing Protection Profiles becomes tomorrow’s standard alignment.</p>
<p data-start="3097" data-end="3657">Early engagement in certification discussions can help teams understand whether alignment, adaptation or alternative evaluation strategies are possible. Learn more about identifying the right evaluation path with a <span style="color: #ff6600;"><a style="color: #ff6600;" href="https://www.corsec.com/CC-assessment/" target="_blank" rel="noopener">Common Criteria Assessment</a></span>, and start the conversation early to significantly improve program predictability and learn how structured planning can help define a clear evaluation path while supporting successful market entry.</p>
<h3 data-section-id="1cs4mdw" data-start="3659" data-end="3732"><span role="text"><strong data-start="3663" data-end="3732">Scope definition plays a critical role in evaluation feasibility.</strong></span></h3>
<p data-start="3734" data-end="4249">When products appear misaligned with existing Protection Profiles, the underlying issue is often related to scope rather than eligibility. The defined Target of Evaluation (TOE)—which establishes the boundaries of what is included in the evaluation—can significantly influence how closely a product aligns with available requirements. Carefully defining system boundaries, security functionality, and operational context often reveals alignment opportunities that are not immediately obvious during initial reviews.</p>
<p data-start="4251" data-end="4697">Modular architectures and clearly defined security components can also support flexible evaluation strategies. By isolating security-relevant functionality, organizations may be able to evaluate a portion of the system that aligns with known requirements, while maintaining flexibility for the broader product ecosystem. This approach can reduce complexity and create pathways to certification even when full-system alignment appears challenging.</p>
<h3 data-section-id="1jn6pt5" data-start="4699" data-end="4759"><span role="text"><strong data-start="4703" data-end="4759">Early planning reduces uncertainty around alignment.</strong></span></h3>
<p data-start="4761" data-end="5194">Much like cost and scheduling considerations, alignment challenges are most manageable when addressed early in the development lifecycle. Organizations that engage in structured planning (reviewing product architecture, identifying security features, and assessing potential evaluation pathways) are often better positioned to determine whether Protection Profile alignment is achievable or whether alternative strategies like an EAL evaluation are available.</p>
<p data-start="5196" data-end="5547">Delaying these discussions can create downstream complications, particularly if architectural decisions are finalized without considering certification requirements. Early <span style="color: #ff6600;"><a style="color: #ff6600;" href="https://www.corsec.com/CC-assessment/" target="_blank" rel="noopener">evaluation readiness assessments</a></span> help clarify pathways, identify potential risks, and establish realistic expectations for scope, documentation, and timeline development.</p>
<p data-start="5549" data-end="5868">For many organizations, the perception that evaluation is not possible reflects uncertainty rather than limitation. When teams gain visibility into the available certification approaches, they are better equipped to make informed decisions about product design, market positioning, and long-term certification strategy.</p>
<p data-start="5870" data-end="6195">Organizations that engage experienced guidance early are often better positioned to navigate alignment decisions and maintain forward progress. From evaluating potential Protection Profile matches to developing custom Security Targets, structured planning helps transform uncertainty into actionable certification strategy.</p>
<hr data-start="1636" data-end="1639" />
<p data-start="6348" data-end="6684">Following this discussion, the series continues with additional misconceptions that frequently influence certification planning and long-term product strategy. Each reflects a different stage in the certification lifecycle and highlights how technical, operational, and regulatory assumptions can shape both timing and market readiness.</p>
<p data-start="6686" data-end="6799">Continue to follow along as we examine the remaining two myths that continue to influence certification strategy:</p>
<p data-start="6801" data-end="7011"><strong data-start="6801" data-end="6812">Myth 4:</strong> If my product is no longer listed on the Common Criteria Portal, I can still access the same markets.<br data-start="6914" data-end="6917" /><strong data-start="6917" data-end="6928">Myth 5:</strong> European Union Common Criteria (EUCC) is a completely new certification framework.</p>
<p data-start="7013" data-end="7260"><span data-olk-copy-source="MailCompose">These assumptions often stem from practical challenges. A closer examination shows that they can instead highlight opportunities for more structured planning, clearer expectations, and stronger certification outcomes.</span></p>

		</div>
	</div>
</div></div></div></div>
</div>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
