Common Criteria (ISO/IEC 15408)
Common Criteria (CC) is an international framework for evaluating the security functionality and assurance of IT products, including operating systems, firewalls, smart cards, and secure hardware.
Evaluation Framework
Products are evaluated against the security requirements stated in their Security Target (often derived from a Protection Profile) and assigned an Evaluation Assurance Level (EAL), which reflects the depth and rigor of the evaluation rather than the strength of the security functions themselves.
Assurance Levels
- EAL1–EAL2: Basic functional testing.
- EAL3–EAL4+: Structured design and vulnerability analysis (common for enterprise products).
- EAL5–EAL7: High-assurance and formal verification.
European Transition to EUCC
In the European context, Common Criteria is evolving into the EU Common Criteria (EUCC) scheme under the EU Cybersecurity Act. This transition aims to harmonize fragmented national certification schemes into a single, recognized European certificate.
The EUCC will streamline the process for manufacturers, allowing a certificate issued in one member state to be automatically recognized across the entire Union. From 2026 onward, traditional EALs will be mapped into EU-wide assurance levels such as Substantial and High, simplifying cross-border certification.
This modernization also places a stronger emphasis on patch management and on vulnerability assessment against the latest state-of-the-art attack methods, keeping the certification relevant in a rapidly changing threat landscape.
