EU Cybersecurity Certification Scheme on Common Criteria

Trusted EU-wide cybersecurity certification for ICT products

EUCC Certification Scheme

What is the EUCC Certification Scheme?

The EU Common Criteria Certification (EUCC) scheme, established under the EU cybersecurity certification framework, provides certification for ICT products, services, and processes across the European Union. The scheme is based on the Common Criteria (ISO/IEC 15408) and the Common Evaluation Methodology (ISO/IEC 18045); it ensures robust security, fosters trust, and facilitates the free movement of certified products within the EU.
DEKRA is a Conformity Assessment Body (CAB) consisting of an accredited Certification Body (CB) and an Information Technology Security Evaluation Facility (ITSEF), operating under the EUCC scheme at the "substantial" assurance level.

Our Services

The EUCC CAB provides certification for ICT products under the EUCC scheme, covering a wide range of products such as software, network devices, smart cards, and hardware devices. Focused on the "substantial" level of security (AVA_VAN.3), DEKRA offers the following services:
The certification activity is divided into several phases: KO Meeting, Evaluation, Coordination and Finalization.
This part of the service ensures the continuity and the review of EUCC certificates. The certification activities are divided into two branches: review of an EUCC certificate, and suspension, re-activation, withdrawal and expiry of EUCC certificates.
Review of an EUCC certificate:
  • Renewal
  • Re-assessment
  • Maintenance
  • Patch Management
When one of these actions is selected, the standard certification process is followed as described in the previous section (KO Meeting, Evaluation, Coordination, Finalization).
The status of a certificate can be:
  • IN-FORCE (ACTIVE)
  • SUSPENDED
  • WITHDRAWN
  • EXPIRED
If a certificate has been suspended, it can be re-activated within a 30-day period once a remedial action has been approved.
Monitoring is an ongoing surveillance process. Its objective is to identify potential non-compliance, or changes in the security requirements of the ICT product, that might require further investigation or action, such as initiating an assurance continuity procedure.
EUCC monitoring activities conducted by the CB fall into two categories:
  • General Monitoring: Focuses on holder compliance and product conformity. Sources for this monitoring include applicant commitments, information from other authorities, complaints, and vulnerability information.
  • ITSEF Monitoring: Focuses on the performance of the ITSEFs included in the CB's list of accepted entities for evaluation outsourcing.
As a result of the surveillance activity carried out by the CB, the following consequences may apply:
  • Consequences of non-compliance by the holder of the certificate related to a certified product.
  • Consequences of non-conformity of a certified ICT product.
  • Consequences of non-compliance by the conformity assessment body.
Non-conformities or non-compliances may lead to the suspension or withdrawal of the certificate.
When the CB receives a vulnerability impact analysis report from the holder of a product it has certified, the EUCC scheme requires the CB to carry out the following activities:
  • Vulnerability management: The activities the CB performs upon receiving a vulnerability impact analysis report for an EUCC-certified product.
  • Vulnerability disclosure: The process the CB follows to disclose vulnerability information upon withdrawal of an EUCC certificate.
In addition to initial certification, DEKRA offers full coverage of the certification lifecycle, including certificate maintenance and monitoring services (every 2 years), which help to maintain the validity of the certificate throughout the product lifecycle. These services include re-assessment, maintenance, patch management, and certificate review.
All the certificates will be publicly available in DEKRA's Certificates Directory.
While DEKRA has its own laboratory to perform the evaluation activity, this work can be subcontracted to another laboratory through legally binding agreements. Subcontractors (ITSEFs) must be independent, ISO/IEC 17025 accredited, and adhere to the EUCC requirements. The CB oversees subcontractor activities via a Technical Manager, who monitors qualifications, collects assessment records, addresses non-conformities, and ensures compliance with operational procedures.
Why DEKRA is the Right Partner for EUCC Certification
Proven Expertise in Common Criteria (CC) Evaluations

With years of hands-on experience in CC evaluations, we bring deep technical know-how and a robust certification process you can trust.

Quality You Can Rely On

Every evaluation is thorough, consistent, and aligned with both regulatory requirements and market expectations.

Client-Focused Support

We adapt the certification process to your product, business model, and timeline. Our approach makes EUCC certification clearer and faster.
