atsec is thrilled to announce it is the first accredited conformity assessment body (CAB) for the new EU Common Criteria (EUCC) certification scheme. With this accreditation, atsec can provide evaluations for the Substantial assurance level immediately, the High assurance level once authorization is received shortly, as well as post-certification compliance support.
This harmonized approach to security certification is a major milestone, as the EUCC represents an evolution in cybersecurity regulations in the EU and a crucial requirement for ICT product manufacturers.
atsec is a Conformity Assessment Body that provides both Information Technology Security Evaluation Facility (ITSEF) and Certification Body (CB) services, resulting in a seamless end-to-end EUCC certification process for manufacturers.
atsec provides:
- Security evaluations and certification services at the assurance level Substantial and High.
- Post-certification compliance support to help manufacturers maintain their certification status.
By offering both evaluation and certification, we eliminate unnecessary complexity and streamline the certification journey for manufacturers.
As you consider EUCC certification, here’s an overview of the four-step process to receive one:
1. Determine the Required Assurance Level
- Substantial – cover vulnerability analysis at AVA_VAN level 1 or 2.
- High – cover vulnerability analysis AVA_VAN level 3, 4 or 5.
2. Prepare Security Documentation
Each assurance level has requirements for security documentation, including providing guidance documentation, development & lifecycle evidence, test documentation. The manufacturers will need to provide the Security Target (ST) which can claim compliance to a Protection Profile (PP).
3. Conduct Independent Evaluation
The EUCC-approved ITSEF performs evaluation of your product against security assurance requirements defined in the ST. This includes:
- Vulnerability Analysis & Penetration Testing
- Functional Testing
- Evaluating design and guidance documentation
4. Certification
Once the evaluation is completed, the EUCC-approved CB issues an EUCC certificate, allowing your product to be recognized across the EU market.
EUCC certification is an ongoing commitment. Certified manufacturers must:
- Provide security guidance for end users
- Commit to providing security updates
- Establish a vulnerability disclosure process
- Monitor and address publicly disclosed vulnerabilities
Failure to meet these requirements could impact the validity of the EUCC certificate.
For manufacturers looking to navigate EUCC certification smoothly, atsec provides expert guidance every step of the way. Contact us at [email protected] to learn more.
