The European Union Agency for Cybersecurity ('ENISA') announced, on 26 May 2021, that it had submitted its first candidate EU cybersecurity certification scheme v.1.1.1 ('EUCC Scheme') to the European Commision in accordance with Article 49 (6) and (7) of the Regulation (EU) 2019/881 on ENISA and on Information and Communications Technology Cybersecurity Certification ('the Cybersecurity Act'), following a publication consultation on the same last year. In particular, ENISA outlined that the EUCC Scheme aims to serve as a successor to the currently existing schemes operating under the Senior Officials Group Information Systems Security Mutual Recognition Agreement ('SOG-IS MRA') and covers the certification of ICT products, using the Common Criteria ISO/IEC 15408. In addition, ENISA highlighted that the EUCC Scheme covers the certification of ICT products, using the Common Criteria ISO/IEC 15408 and will be the foundation of a European Cybersecurity certification framework consisting of several schemes that it is expected to gradually increase trust in ICT products, services, and processes certified under these schemes and reduce costs within the Digital Single Market.

Additionally, ENISA outlined the key outcomes of the public consultation, including stakeholder desire for guidance to support the implementation and execution of the scheme, and the need for amendments to some elements of the scheme, such as conditions or timelines for the maintenance of certificates, the monitoring and handling of non-compliances, or vulnerabilities. Furthermore, ENISA outlined that, in order to support the EUCC Scheme, it has developed a communications plan targeting consumers to support the implementation of the same and ensure consumers are well informed about what cybersecurity certification of ICT products entail, among other things.

You can read the press release here, the EUCC Scheme here, and the report on the public consultation here.

Update (1 February 2024)

European Commission adopts EUCC scheme

On 31 January 2024, ENISA announced that the European Commission adopted the EUCC scheme. 

You can read the press release here and the European Commission's implementing regulation here.

UPDATE (14 February 2024)

Czechia: NÚKIB publishes website for EUCC Scheme information

The National Office for Cyber ​​and Information Security ('NÚKIB') announced, on 12 February 2024, that it had prepared a specialised website for the EUCC Scheme to provide a comprehensive overview and all relevant information to all interested. The NÚKIB also noted that an online seminar will be held, on 27 March 2024, to provide further details on the EUCC Scheme and its meaning.

You can read the press release here, access the specialised website here, and information on the seminar here, all only available in Czech.  

UPDATE (30 September 2024)

Czechia: NÚKIB announces consultation on implementing regulations for EUCC

The NÚKIB announced, on 25 September 2024, that the Commission had opened a public consultation on two implementing regulations under the EUCC Scheme.

The NÚKIB mentioned that the first regulation concerns the addition of implementing regulation 2024/484, which deals with specifying the use of common criteria and contains minor corrections and additions, while the second regulation establishes specific procedures for the notification of conformity assessment bodies, whereby the NÚKIB has this obligation towards the Commission.

Furthermore, the NÚKIB noted that the public consultation will be open until 18 October 2024.

You can read the press release, only available in Czech, here, and access the first regulation here and the second regulation here.