Mandatory, externally verified cybersecurity certificates are approaching

EUCC (EU Common Criteria) and the Cyber Resilience Act

Sarah Fluchs
5 min read · Apr 13, 2025
This label will be on products that have been certified according to EUCC.

There were two inconspicuous developments in February and March 2025 which, on closer inspection, are major milestones for product security:

  1. The first EU-wide cybersecurity certification scheme based on Common Criteria (EUCC) has been in force since 27.02.2025.
  2. The German Federal Office for Information Security (BSI) was notified as the sole German national certification body for this certification scheme on 20.03.2025.

While the second milestone is more relevant to Germans, the implications behind both milestones are worth knowing for every digital product manufacturer who wants to sell into the European Union.

So, what do these two things mean and what do they have to do with the Cyber Resilience Act? For that we need to expand a little. I hope you’re sitting comfortably and your coffee cup is still full, because this is going to take a little patience and brain juice.

The problem with mandatory security certificates

In the past, cybersecurity certificates and labels, such as the German IT security label, have often been met with long faces and resigned sighs in the security community: “Yet another voluntary certificate! And a manufacturer’s self-declaration! This won’t get us anywhere….”

The problem is that we live in the EU and have a single European market, and the same rules must apply to all market participants. So one country cannot simply introduce a mandatory cybersecurity certificate on its own.

That is why there is the Cybersecurity Act (EU 2019/881). Among other things, it regulates how uniform European cybersecurity certificates can be issued. The Cybersecurity Act is not to be confused with the Cyber Resilience Act (EU 2024/2847), which defines mandatory security requirements and a CE mark for products with digital elements.

Cybersecurity Act: EU-wide certificates and assurance levels

So, the Cybersecurity Act describes how and from whom products in the EU can obtain an EU-wide cybersecurity certificate.

In this context, you need to know an important term: The assurance level. It indicates how thoroughly the product has been tested.
The idea is that the higher the assurance level, the greater the certainty that the product can withstand cyber attackers with high capabilities and resources. If this sounds familiar, the same idea is behind the “security level” of ISA/IEC 62443.

Unlike the security level of ISA/IEC 62443, however, the Cybersecurity Act does not tighten the requirements themselves with a higher assurance level, but rather their verification.

At a low assurance level, only technical documentation is checked and, depending on the certification scheme, a self-assessment is sufficient.

At medium and high levels, an external assessment must be carried out, the product must be tested for vulnerabilities and the correct implementation of security functions must be checked.

For the high level, a penetration test simulating a competent attacker must also be carried out, and the security functions must correspond to the latest state of the art. The certification authorities must also meet special requirements before they can award this level of assurance.

Certification schemes and certification body

It has been and still is a long way from the Cybersecurity Act to the certificate.
This is because a certificate requires three things: a certification scheme, which specifies which requirements products must meet and how these can be checked; conformity assessment bodies, which check conformity with these requirements; and, for the highest assurance level, certification bodies, which issue the certificate.

And now we can also put the milestones mentioned earlier into perspective:

The first certification scheme, which was published as an implementing regulation (2024/482) for the Cybersecurity Act, has been in force since February 27, 2025. It is based on Common Criteria, a catalog of criteria and procedures for cybersecurity certification internationally standardized as ISO/IEC 15408 and therefore called “EUCC” for short — EU Cybersecurity Certification Scheme on Common Criteria.

Under the EUCC, there are only the assurance levels “medium” and “high”, and self-assessment is not possible. Manufacturers must therefore undergo an assessment by an external conformity assessment body and a certification body for the “high” level. And on 20 March 2025, the German Federal Office for Information Security (BSI) was notified as the sole certification body for the EUCC certification scheme in Germany.

What does this mean? Companies in Germany can now obtain an EUCC certificate for a product with the highest assurance level, which is recognized in all EU member states, from the BSI (in other countries from other certification bodies).

And what does all this have to do with the Cyber Resilience Act?

A Cybersecurity Certificate in accordance with the Cybersecurity Act is one way to comply with the Cyber Resilience Act.

For most products with digital elements that fall under the CRA, this is not relevant as the manufacturer’s self-declaration is sufficient. But for “important” or “critical” products in Annex 3 or 4 of the CRA, a conformity assessment with an external assessment is mandatory. And one possibility for such an external conformity assessment is the certificate.

An important term in the Common Criteria world is protection profiles, which define the security requirements for a specific product type. This is why, in addition to the general Common Criteria standards (ISO/IEC 15408), there are also a number of standards that define protection profiles for specific products.

Such protection profiles and certifications already exist for some “critical” products according to the CRA, such as hardware security modules or microprocessors — so it makes sense to be able to prove CRA conformity with them. The preamble to the CRA (Recital 83) therefore states precisely this: In a delegated act, the EU Commission could determine whether an EUCC certificate fulfills the presumption of conformity for the CRA in whole or in part, i.e. products with such a certificate automatically fulfill the CRA.

It is possible (as stated in Recital 46 and Article 8) that this certificate will even become mandatory for critical products according to the CRA for which there is an EUCC certificate or another EU certification scheme in accordance with the Cybersecurity Act. And with an assurance level of at least “medium” — because only from that level upward is an external assessment required.

And there you go: This would be a cybersecurity certificate that is no longer voluntary but mandatory, and with mandatory external testing for certain products.

Now we’ve come full circle. Because for this — as we learned at the beginning — there must be a standardized EU-wide certificate.

The Cybersecurity Act is needed to enable a standardized EU-wide certificate with a standardized external audit.
And the Cyber Resilience Act is needed to make such a certificate mandatory for certain products.

Sometimes progress does happen — it’s just not as simple as we groaners in our cybersecurity ivory tower would like it to be…

This article was part of the monthly “Security Briefings for Hard Hats” [in German].

Cyber Resilience what? Read a 5-minute introduction to the EU Cyber Resilience Act here.

Written by Sarah Fluchs

Friction generates heat — true for writing and engineering. Fluchsfriction generates writings on security engineering. Heated debates welcome! CTO@admeritia