Commission Implementing Regulation (EU) 2024/3144 of 18 December 2024 amending Implementing Regulation (EU) 2024/482 as regards the applicable international standards and correcting that Regulation
Cybersecurity Regulation: amending provisions on international standards
Commission Regulation published in the Official Journal of the EU on 19.12.2024
Previously
- Draft regulation presented by the Commission on 20.9.2024 with a feedback deadline of 18.10.2024
Background
BACKGROUND (from the Commission Regulation)
(1) Commission Implementing Regulation (EU) 2024/482 (2) specifies the roles, rules and obligations, as well as the structure of the European Common Criteria-based cybersecurity certification scheme (EUCC) in accordance with the European cybersecurity certification framework set out in Regulation (EU) 2019/881.
(2) Implementing Regulation (EU) 2024/482 is based on established international standards that are the Common Criteria and the Common Evaluation Methodology maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Implementing Regulation (EU) 2024/482 makes reference to ISO/IEC standards, but it does not specify the applicable version of those standards. It should therefore be specified which version of the standards applies for certificates issued under the EUCC.
(3) The governmental organisations that contributed to the development of the Common Criteria and the Common Evaluation Methodology through the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security (CCRA) are, together with ISO/IEC, joint holders of the copyright to those documents. Those governmental organisations retain the right to use them. In view of the importance of those documents originating from the CCRA, they should also be a basis for certification under the EUCC.
(4) The Common Criteria and the Common Evaluation Methodology standards are subject to interpretations issued by the CCRA that facilitate their implementation and that may be taken into account by Information Technology Security Evaluation Facilities (ITSEFs) and certification bodies.
(5) International standards related to the Common Criteria might be subject to updates. To ensure an orderly and timely transition, it is appropriate to define transition rules to give vendors, ITSEFs and certification bodies, and other relevant actors enough time for the necessary adjustments. Such transition rules should align to the appropriate extent with global practices, such as those set out by the CCRA.
(6) Implementing Regulation (EU) 2024/482 does not specify until when an ICT product certification might be based on the previous versions of the Common Criteria and the Common Evaluation Methodology standards. Technical domains and protection profiles listed in Annexes I, II and III to that Implementing Regulation are based on previous versions of standards ISO/IEC 15408 and 18045. Implementing Regulation (EU) 2024/482 should therefore specify under what circumstances the previous version of the Common Criteria and the Common Evaluation Methodology still applies and how the transition to the latest version of the international standards will operate.
(7) During the transition period, it should be a priority for relevant stakeholders to update the relevant technical domains and protection profiles. Implementing Regulation (EU) 2024/482 should provide that security targets based on a previous version of the standards would be accepted up to 31 December 2027, in line with the transition policy adopted by the CCRA. However, it is to be noted that the CCRA transition policy covers initial evaluations of products and protection profiles starting no later than 30 June 2024, a date on which the EUCC was not yet applicable. Furthermore, in accordance with the CCRA transition policy, Implementing Regulation (EU) 2024/482 should provide that security targets conformant to that Implementing Regulation and claiming conformance to protection profiles based on a previous version of the standards would be accepted up to 31 December 2027. Furthermore, where a new certificate is issued under Implementing Regulation (EU) 2024/482 in the context of a review process of a national certificate that starts within two years from the initial certificate, it should be possible to use a previous version of the standards. This would not be relevant for a review process that does not require the issuance of a new certificate under Implementing Regulation (EU) 2024/482 and where the certificate remains valid.
(8) With a view to ensuring an orderly transition to the latest version of the standards, Implementing Regulation (EU) 2024/482 should provide for specific transition rules and continue to allow for the issuance of certificates under that Implementing Regulation claiming conformance to protection profiles that are based on previous versions of the standards published by the CCRA where the use of such protection profiles is required under Union legislation. This is the case for Commission Implementing Regulation (EU) 2016/799 (3) as well as Regulation (EU) No 910/2014 of the European Parliament and of the Council (4) and Commission Implementing Decision (EU) 2016/650 (5).
(9) Annex I to Implementing Regulation (EU) 2024/482 lists applicable state-of-the-art documents for the evaluation of ICT products and protection profiles. However, it does not specify the version of the documents. It should therefore be specified which version of the documents applies for certificates issued under the EUCC. Those versions build on documents endorsed by the European Cybersecurity Certification Group (ECCG), while having undergone further review for their inclusion in the EUCC. Furthermore, Annex I should be amended to include updated and new state-of-the-art documents following their endorsement by the ECCG, thus ensuring a uniform accreditation of conformity assessment bodies under the EUCC. The accreditation requirements related to the accreditation of ITSEFs should be updated to clarify the application of the criteria of independence and impartiality, and a new state-of-the-art document should be established for the accreditation of certification bodies.
(10) State-of-the-art documents might be added to the EUCC or might be subject to updates in the context of its maintenance activities. For new or updated state-of-the-art documents, appropriate transition rules might need to be laid down to enable vendors, ITSEFs, certification bodies and other stakeholders to make necessary adjustments. For the update of the state-of-the-art document related to the accreditation of ITSEFs, the updated document should apply to accreditations issued before 8 July 2025 only when they are reviewed, such as in the context of an assessment or re-assessment procedure. Furthermore, the updated document should apply to all accreditations for ITSEFs issued after 8 July 2025.
(11) Further corrections to Articles 5, 8, 16, 29 and 44 and Annex IV of Implementing Regulation (EU) 2024/482 contribute to ensuring a uniform wording and clear legal interpretation.
(12) The rules for notifications of the conformity assessment bodies should be established horizontally for all schemes under the European cybersecurity certification framework. Commission Implementing Regulation (EU) 2024/3143 (6) covers such notification rules. Therefore, Articles 23 and 24 of Implementing Regulation (EU) 2024/482 should be deleted from the date Implementing Regulation (EU) 2024/3143 becomes applicable.
(13) Implementing Regulation (EU) 2024/482 should therefore be amended and corrected accordingly.
(14) The measures provided for in this Regulation are in accordance with the opinion of the Committee established by Article 66 of Regulation (EU) 2019/881,