Commission Implementing Regulation (EU) 2025/2462 of 8 December 2025 amending Implementing Regulation (EU) 2024/482 as regards definitions, ICT product series certification, assurance continuity and state-of-the-art documents
Cybersecurity Act: amending provisions on the European Common Criteria-based cybersecurity certification scheme (EUCC)
Commission Regulation published in the Official Journal of the EU on 9.12.2025
Previously
- Draft regulation presented by the Commission on 1.8.2025 with a feedback deadline of 29.8.2025
Background
(from the Commission Regulation)
(1) Commission Implementing Regulation (EU) 2024/482 specifies the roles, rules and obligations, as well as the structure of the European Common Criteria-based cybersecurity certification scheme (EUCC) in accordance with the European cybersecurity certification framework set out in Regulation (EU) 2019/881.
(2) The Common Evaluation Methodology accompanying the Common Criteria (CC), an international standard for information security evaluation, allows the evaluation of the security of ICT products for certification purposes. In that context, some ICT products may be built upon the same functional basis in order to offer similar security functionalities on different platforms or appliances, also referred to as a product series. However, the design, hardware, firmware or software may vary from one ICT product to another. It is for the certification body to decide on a case-by-case basis whether certification of a product series can be carried out. The conditions for product series certification could be further illustrated in supporting EUCC guidelines.
(3) In order to maintain the reliability of certified products, it is essential to define what constitutes a major and minor change to the target of evaluation or its environment, including its operational or development environments. Therefore, it is necessary to specify those notions considering existing and widely used technical specifications from the Senior Officials Group - Information Systems Security (SOG-IS) and the participants of the Arrangements on the Recognition of Common Criteria Certificates in the field of IT Security (CCRA).
(4) Minor changes are often characterised by their limited effect on the product assurance statement provided by the issued EUCC certificate. Thus, minor changes should be managed under maintenance procedures and do not require a re-evaluation of the security functionalities of the product. Examples of minor changes that should be addressed through maintenance include, but are not limited to, editorial changes, changes to the target of evaluation environment that do not modify the certified target of evaluation, and changes to the certified target of evaluation that do not affect the assurance evidences. Changes to the development environment may also be considered minor, provided they have no follow-on impact on existing assurance measures. They may however in some cases require partial evaluation of the relevant measures.
(5) A major change is any change to the certified target of evaluation or its environment that may adversely impact the assurance expressed in the EUCC certificate, hence it should require re-evaluation. Examples of major changes include, but are not limited to, changes to the set of claimed assurance requirements, except for the assurance requirements of the CC ALC_FLR family (Flaw remediation); changes to the confidentiality or integrity controls of the development environment where such modifications could affect the secure development or production of the target of evaluation; or changes to the target of evaluation to resolve an exploitable vulnerability. Additionally, a collection of minor changes that collectively exerts a significant impact on the security may also be qualified as a major change. It is also important to recognise that while a bug fix may only affect a specific aspect of the target of evaluation, its unpredictability and potential impact on the assurance may render it a major change if it compromises the security assurances provided by the certification.
(6) Changes in the threat environment of an unchanged certified ICT product could require a re-assessment. The possible outcomes of such a re-assessment process should be clearly established, in particular its impact on the EUCC certificate. If a reassessment is successfully completed, the certification body should confirm the certificate or issue a new certificate with an extended expiry date. If a reassessment process is not successful, the certification body should withdraw the certificate and possibly issue a new certificate with a different scope. Such provisions should apply mutatis mutandis to the reassessment of protection profiles.
(7) Annex I to Implementing Regulation (EU) 2024/482 lists applicable state-of-the-art documents for the evaluation of ICT products and protection profiles. Those state-of-the-art documents should be updated to reflect the latest developments, such as those related to technological developments, the cyber threat landscape, industry practices, or international standards. Such an update is opportune for the state-of-the-art documents relating to minimum site security requirements, application of attack potentials to smartcards, application of attack potentials to hardware devices with security boxes, application of common criteria to integrated circuits and composite product evaluation for smartcards and similar devices. Additionally, state-of-the-art documents relating to composite product evaluation and certification using the latest version of the Common Criteria standards, reuse of evaluation results of site audits and clarifications regarding the interpretation of protection profiles relating to qualified electronic signature creation devices, tachographs and hardware security modules are not included. In order to ensure a uniform evaluation of ICT products under the EUCC, Annex I should be amended to include those updated and new state-of-the-art documents following their endorsement by the European Cybersecurity Certification Group (ECCG).
(8) Additionally, the state-of-the-art document ‘ADV_SPM.1 interpretation for CC:2022 transition’ should be added to the scheme to ensure that certification processes relying on specific protection profiles can continue using formal modelling (ADV_SPM.1) until the corresponding protection profiles are updated, for instance with the addition of a CC:2022 conformant multi-assurance protection profile configuration that supports ADV_SPM.1. In order to provide sufficient time for the market to transition towards the updated Common Criteria standards, specific transition rules need to be foreseen for the protection profiles Security IC Platform PP with Augmentation Packages (v1.0), BSI-CC-PP-0084-2014, Java Card System – Closed Configuration (v3.1), BSI-CC-PP-0101-V2-2020, or Java Card System – Open Configuration (v3.1), BSI-CC-PP-0099-V2-2020. To avoid any market disruptions, it is appropriate to establish that the state-of-the-art document on ADV_SPM.1 interpretation for CC:2022 transition is applicable to certification processes that have been initiated before the adoption of this Regulation. The application of this document should be, however, strictly limited to what is necessary, considering the time needed to finalise the update of the corresponding protection profiles. More precisely, for certification processes using protection profiles Security IC Platform PP with Augmentation Packages (v1.0), BSI-CC-PP-0084-2014, or Java Card System – Closed Configuration (v3.1), BSI-CC-PP-0101-V2-2020, the state-of-the-art document should apply to those processes that have been initiated before 1 October 2026. For certification processes using protection profile Java Card System – Open Configuration (v3.1), BSI-CC-PP-0099-V2-2020, the state-of-the-art document should only apply to those processes initiated before the date of entry into force of this Regulation, in view that a new version of the Java Card System – Open Configuration protection profile is already available.
(9) A change in the state-of-the-art documents during a certification process could disrupt the evaluation of the product and delay the issuance of the certificate. Therefore, appropriate transition rules are necessary for new or updated state-of-the-art documents, to enable vendors, ITSEFs, certification bodies and other stakeholders to make necessary adjustments. Applicable updated and new state-of-the-art documents should concern applications for certification, including applications for reassessment and re-evaluation, while it should be possible for ongoing certification processes to keep using earlier versions of the state-of-the-art documents.
(10) Annex II and Annex III to Implementing Regulation (EU) 2024/482 list respectively the protection profiles certified at AVA_VAN level 4 or 5 and the recommended protection profiles. Several references are incomplete or obsolete, due to an update of the protection profiles. Those references should be completed and, in addition, new references should be included to ensure a more comprehensive coverage of secure integrated circuits, smartcards and related devices and trusted computing.
(11) It is necessary to make amendments to Article 19 of Implementing Regulation (EU) 2024/482 to clarify that Annex IV applies, with the necessary changes, to the review of EUCC certificates for protection profiles.
(12) In view that the security target is a key element to understand the scope of a certification process, it is also necessary for ENISA to publish the security target corresponding to each EUCC certificate on its website.
(13) Furthermore, certification bodies should provide ENISA with an English version of the security target and the certification report to enable the agency to make that information available in English on the corresponding website, pursuant to Article 42(2) of Implementing Regulation (EU) 2024/482. For that reason, applicants for certification should provide certification bodies with an English version of the security target, whenever requested.
(14) It is not necessary for the reference to the certification body name to appear in the unique identification of the certificate as the identification number of the certification body is sufficient to identify this body in a unique manner. The month of issuance does not need to appear either as the counting of the certificates is done on a yearly basis. Therefore, that requirement should be deleted for simplification purposes. Since the year of issuance of the certificate corresponds to the issuance of the first certificate, that same date should appear in the unique identification on certificates issued after a review, to ensure traceability.
(15) Implementing Regulation (EU) 2024/482 should therefore be amended accordingly.
(16) The measures provided for in this Regulation are in accordance with the opinion of the Committee established by Article 66 of Regulation (EU) 2019/881,