The European Commission has opened a public consultation on a draft Implementing Regulation amending Implementing Regulation (EU) 2024/482, which sets out the rules for the European Common Criteria-based cybersecurity certification scheme (EUCC).
This initiative aims to clarify, modernise, and expand the scheme so that it remains fit for purpose in a fast-evolving technological and threat landscape. The draft regulation is open for comment via the European Commission's "Have Your Say" platform until 29 August 2025.
The proposed amendment seeks to:
- Clarify and modernise definitions to cover evolving technologies and product series;
- Ensure assurance continuity, so that minor and major product changes are assessed consistently;
- Incorporate updated State-of-the-Art (SotA) documents, reflecting technical progress in domains such as smartcards, secure hardware, and trust services;
- Simplify certification identifiers for greater transparency; and
- Strengthen documentation and reporting obligations, supporting ENISA's role in monitoring and publishing certification outcomes.
Main Regulation Provisions
1. Key New Definitions
Article 2 is amended to introduce three new definitions:
Product series (Art. 2(16)): A set of ICT products built on the same functional basis, designed to meet the same security needs, but potentially differing in design, hardware, firmware, or software.
Minor change (Art. 2(17)): A change that does not adversely affect the assurance provided by the EUCC certificate.
Major change (Art. 2(18)): A change that could negatively impact the assurance and therefore requires re-evaluation.
2. Certification of Product Series
Article 5(3) is added, explicitly allowing certification bodies to certify a product series. This provision is designed to make the certification process more efficient for vendors producing related products with shared security characteristics.
3. Assurance Continuity
Amendments to Article 19 and Annex IV clarify how to determine whether a change is minor or major and how each type of change should be handled.
The text also sets out procedures for reassessing certifications when changes occur, including reassessments triggered by evolving threats. In some cases, certification bodies may request partial evaluations, for example when modifications are made to the development environment without altering the product itself.
4. Updated State-of-the-Art (SotA) Documents
Article 48(4) is amended to ensure that updated or new SotA documents apply to certification, reassessment, and re-evaluation processes from the date they are formally incorporated.
Annex I is replaced in full, providing an updated list of SotA documents relevant to technical domains such as smartcards, hardware security modules, composite product evaluations, and accreditation requirements for conformity assessment bodies.
5. Protection Profiles and Documentation Requirements
Article 42 is amended in two ways:
- A new provision (Art. 42(1)(i)) requires ENISA to publish the security target for each certified product.
- Art. 42(2) obliges certification bodies to supply ENISA with both the original and English versions of security targets and certification reports. Applicants must provide the English version upon request (linked to an amendment to Article 9(2)(a)).
6. Certificate Identification Simplification
Article 11(3)(b) is amended to remove the requirement to include the certification body’s name and the month of issuance in the certificate’s unique identifier. The identifier will now consist solely of the scheme name, the certification body’s ID number, the year of the initial certificate, and a unique number.
Focus on the Annexes
Annex I – SotA Documents
The annex lists updated technical documents used for evaluating ICT products in areas such as smartcards and similar devices, hardware security modules, and composite product evaluations. It also updates accreditation requirements for IT Security Evaluation Facilities (ITSEFs) and certification bodies.
Annex II – Certified Protection Profiles
This annex has been updated to present a more accurate and current list of high-assurance protection profiles. These profiles are used as mandatory reference points when certifying certain categories of products at AVA_VAN level 4 or 5, the two highest levels of the Common Criteria vulnerability analysis assurance family. Examples include profiles for remote qualified signature creation devices and cryptographic modules for trust services.
A placeholder is reserved for PPs adopted as SotA documents in the future.
Annex III – Recommended Protection Profiles
The revised annex contains a broad list of recommended PPs for various product types. Annex III PPs are not legally mandatory, and a product can be evaluated without one, but an applicant that does not use a listed PP must justify why no existing PP fits the product. The list includes PPs for:
- Smartcards, Java Cards, and secure IC platforms;
- eUICC for machine-to-machine and consumer devices;
- HSMs for various cryptographic functions;
- Trusted execution environments and TPMs;
- Tachographs and payment terminals.
Annexes IV–VI – Process and Reporting Enhancements
These annexes refine the procedures for determining whether a change is major or minor, conducting reassessments, and carrying out partial evaluations. They also update the structure of certification reports to improve clarity, support better-informed decisions by ICT users, and ensure consistency across reports. In addition, they introduce a standardised EUCC mark and label to be used on certified products.