EUCC Certification for ICT Products in Europe

Demonstrate cybersecurity assurance, prepare for Cyber Resilience Act (CRA) requirements, and build trust with customers through accredited EUCC certification.

Manufacturers of connected products are facing growing pressure to demonstrate cybersecurity assurance to customers, regulators, and procurement teams. At the same time, new European requirements, most notably the Cyber Resilience Act (CRA), are raising the bar for product security and lifecycle management.

As a result, manufacturers need a practical and credible way to demonstrate product security, support regulatory requirements, and build trust with customers.

The European Union Cybersecurity Certification (EUCC) provides that framework. Built on the internationally recognized Common Criteria (CC) framework, EUCC helps manufacturers demonstrate product security, meet customer and procurement requirements, and prepare for evolving regulatory expectations.

Whether you're pursuing your first certification or transitioning from Common Criteria, EUCC can help strengthen customer trust, support market access, and provide a structured approach to product cybersecurity.

Need EUCC Certification for market access?

We help vendors navigate the entire certification process, from preparation and gap analysis to evaluation support and certification.

From Common Criteria to EUCC

For many years, Common Criteria (CC) has been the internationally recognized framework for evaluating the security of ICT products. It provides manufacturers with an independent way to demonstrate that their products meet defined cybersecurity requirements and have undergone rigorous security testing and assessment.

While Common Criteria has been widely adopted, certification has traditionally been managed through national schemes. For manufacturers selling across Europe, this could mean navigating different certification bodies, varying processes, and country-specific requirements. The result was often added complexity, longer timelines, and uncertainty around how certifications would be recognized across markets.

The European Union Cybersecurity Certification (EUCC) was introduced to simplify this landscape. Building on the proven Common Criteria framework, EUCC establishes a harmonized European certification scheme that provides greater consistency, transparency, and predictability for manufacturers.

Why EUCC Matters

EUCC provides a harmonized European framework for evaluating and certifying the cybersecurity of ICT products. Built on the proven Common Criteria methodology, it gives manufacturers a consistent way to show product security across Europe.

As cybersecurity requirements evolve, manufacturers need more than a point-in-time certification. EUCC places greater emphasis on vulnerability management, security maintenance, and product lifecycle processes, making it a practical way to support broader Cyber Resilience Act (CRA) compliance efforts.

By creating a common certification framework across Europe, EUCC helps improve consistency, increase transparency, and simplify the certification journey for manufacturers.

Is EUCC Right for Your Product?

EUCC is relevant for ICT products that include security functionality and require an independently recognized level of cybersecurity assurance.

It is particularly valuable for manufacturers selling into regulated or security-sensitive sectors such as telecommunications, critical infrastructure, industrial systems, financial services, and government environments.

Certifications are available at both the Substantial and High assurance levels defined under the EU Cybersecurity Act (CSA). The right level depends on your product, its intended use, customer requirements, and regulatory expectations.

Preparing for EUCC Certification

EUCC certification requires more than a secure product. Manufacturers must also demonstrate the processes, documentation, and lifecycle practices needed to support cybersecurity throughout the product lifecycle.

Typical requirements include:

  • Security architecture and design documentation
  • Security testing and vulnerability assessment evidence
  • Vulnerability management and disclosure processes
  • Security update and patch management procedures
  • End-user security guidance
  • Ongoing lifecycle support and maintenance commitments

The appropriate assurance level depends on the product, its intended use, customer requirements, and regulatory expectations.

Bureau Veritas Cybersecurity helps manufacturers identify gaps early, determine the appropriate assurance level, and prepare the evidence needed for a successful evaluation.

The EUCC Certification Journey

A typical EUCC project includes:

  1. Scope and readiness assessment
  2. Documentation and evidence preparation
  3. Independent evaluation and testing
  4. Certification review and issuance
  5. Ongoing lifecycle and vulnerability management

Our experts guide you through each stage, helping reduce uncertainty, avoid unnecessary rework, and streamline the certification process.

Why choose Bureau Veritas Cybersecurity

We help manufacturers determine the appropriate assurance level, understand certification requirements, and prepare for a successful and efficient evaluation.

EUCC certification requires technical expertise, certification knowledge, and practical experience across complex technologies. Bureau Veritas Cybersecurity combines all three.

  • Accredited EUCC Evaluation Body authorized to perform EUCC evaluations under the Dutch certification scheme.
  • 25+ years of cybersecurity expertise supporting manufacturers across a wide range of industries.
  • 300+ cybersecurity professionals worldwide across IT, OT, IoT, embedded systems, industrial control systems, telecom infrastructure, medical devices, and automotive technologies.
  • Practical guidance throughout the certification journey, helping manufacturers understand requirements, prepare evidence, and reduce delays and rework.
  • Strong expertise in assurance levels where most commercial ICT products operate.
  • Support beyond certification, including guidance on vulnerability management, lifecycle obligations, and evolving cybersecurity requirements.

Proven Experience with EUCC and Common Criteria Certification

Bureau Veritas Cybersecurity has extensive experience evaluating and certifying ICT products across a wide range of technologies and industries.

Our experience includes:

  • Delivery of the first EUCC Substantial certificate for the Hikvision Network Camera Series.
  • Evaluation of network security products, including Hillstone Next-Generation Firewalls certified at EAL4+.
  • Support for repeat certification projects, including the AllWipe Data Erasure Tool, demonstrating long-term customer trust and ongoing compliance support.
  • Expertise across embedded systems, IoT devices, industrial technologies, telecom infrastructure, software platforms, and network security solutions.

As a licensed EUCC Evaluation Body operating under the Dutch certification framework, we help manufacturers navigate the certification process with confidence.

Common Criteria and EUCC: What is the difference?

Common Criteria (ISO/IEC 15408) is the internationally recognized framework used to evaluate the security of IT products. It defines the methodology, assurance components, Protection Profiles, Security Targets, and evaluation requirements used by laboratories worldwide.

EUCC is the European Union Cybersecurity Certification Scheme established under the Cybersecurity Act. It builds on Common Criteria principles and provides a harmonized certification framework for ICT products across the European Union.

Organizations seeking certification should evaluate which scheme best aligns with their target markets, customer requirements, and regulatory obligations.

Learn more about Common Criteria certification.

DOWNLOADS

EUCC Certification Overview

Read more about the services we offer for EUCC certification.

Common Criteria Certification Overview

Overview of Common Criteria and our services.

FREQUENTLY ASKED QUESTIONS ABOUT EUCC CERTIFICATION

What is EUCC certification?

EUCC (European Union Cybersecurity Certification Scheme) is the European cybersecurity certification scheme established under the EU Cybersecurity Act. It provides a harmonized framework for evaluating and certifying the cybersecurity of ICT products across the European Union.

EUCC is based on internationally recognized Common Criteria principles and methodologies, enabling manufacturers and technology providers to demonstrate the security assurance of their products through an independent evaluation process. The scheme aims to increase trust in certified products while supporting a consistent approach to cybersecurity certification across the European market.

What is the difference between EUCC and Common Criteria?

Common Criteria (CC) is the internationally recognized framework used to evaluate the security of IT and ICT products. It defines the methodology, assurance requirements and evaluation processes used by accredited laboratories worldwide.

EUCC (European Union Cybersecurity Certification Scheme) is the European cybersecurity certification scheme established under the EU Cybersecurity Act. EUCC builds on Common Criteria principles and methodologies while providing a harmonized certification framework for the European Union.

Organizations seeking certification should evaluate which scheme best aligns with their target markets, customer requirements and regulatory obligations. Bureau Veritas Cybersecurity supports both Common Criteria and EUCC certification projects.

Which products can be certified under EUCC?

EUCC applies to a broad range of Information and Communication Technology (ICT) products, including hardware, software and connected devices that require independent cybersecurity assurance. The scheme is particularly relevant for products where security is a key consideration for customers, regulators or procurement authorities.

Examples of products that may be evaluated under EUCC include network devices, software applications, operating systems, IoT and embedded products, secure elements and other ICT solutions requiring cybersecurity certification.

The suitability of a product for EUCC certification depends on factors such as its security functionality, intended use and certification objectives. Bureau Veritas Cybersecurity can help determine whether EUCC is the appropriate certification pathway for your product.

Is EUCC certification mandatory?

EUCC certification is generally voluntary unless required by specific regulations, procurement requirements or market expectations. However, certification can help organizations demonstrate cybersecurity assurance, support compliance objectives and meet customer or stakeholder requirements.

As European cybersecurity regulations continue to evolve, EUCC certification may become an increasingly important way for manufacturers to demonstrate the security of their products and support access to regulated markets.

How long does an EUCC certification project take?

The duration of an EUCC certification project depends on factors such as the complexity of the product, the target assurance level, the maturity of the product documentation and the scope of the evaluation.

Well-prepared projects may be completed within a few months, while more complex evaluations can take significantly longer. Early preparation and collaboration with an experienced evaluation laboratory can help streamline the certification process and reduce delays.

Bureau Veritas Cybersecurity can help organizations assess certification readiness, define the evaluation scope and develop an efficient certification roadmap.

Talk to an EUCC Expert

Ready to prepare for EUCC certification or understand how EUCC fits into your CRA strategy? Please fill out the form and we will contact you within one business day.

Why choose Bureau Veritas Cybersecurity

Bureau Veritas Cybersecurity is your expert partner in cybersecurity. We help organizations identify risks, strengthen defenses and comply with cybersecurity standards and regulations. Our services cover people, processes and technology, ranging from awareness training and social engineering to security advice, compliance and penetration testing.

We operate across IT, OT and IoT environments, supporting both digital systems and connected products. With over 300 cybersecurity professionals worldwide, we combine deep technical expertise with a global presence. Bureau Veritas Cybersecurity is part of the Bureau Veritas Group, a global leader in testing, inspection and certification.