International hacking scandals are putting the spotlight on countries’ security loopholes and weaknesses. With many governments calling for higher security, their requirements for secure information technology (IT) products are becoming increasingly stringent.
UL Solutions was one of the first laboratories involved in the European common approval scheme for point-of-interaction devices. Fortune 1000 companies choose UL Solutions for our customer responsiveness, proven expertise and security knowledge.
Common Criteria, also known as ISO/IEC 15408
Formalized as ISO/IEC 15408, Common Criteria (CC) defines a hierarchical framework of security concepts and terminology. Its security assurance requirements (SARs) are grouped into evaluation assurance levels (EALs): predefined packages of assurance components that Protection Profiles (PPs) and Security Targets (STs) reference to state the assurance to be provided for a target of evaluation (TOE).
There are seven EALs, EAL1 through EAL7, each offering progressively greater confidence that the TOE's security functionality is correctly implemented. Under the EU Cybersecurity Certification Scheme on Common Criteria (EUCC), the EAL is no longer the headline result: the Cybersecurity Act assurance level of a certificate is determined by the vulnerability analysis (AVA_VAN) component achieved. AVA_VAN.1 and AVA_VAN.2 are classified as "Substantial," and AVA_VAN.3 through AVA_VAN.5 as "High." The EUCC becomes mandatory for CC certification in the EU from February 2026, as national schemes stop issuing new certificates.
The European Commission established the EUCC under the legal framework of the EU Cybersecurity Act (CSA) to harmonize EU cybersecurity certification of information and communication technology (ICT) products, services and processes across member states. Independently of any scheme, the CC also defines the PP construct: a requirements template that is specific to a product category (for example, network devices or smart cards) but agnostic of any particular product. A PP lets prospective consumers, developers and regulators agree on a standardized set of threats, security objectives, functional and assurance requirements, and the measures that satisfy them.
The TOE is the product, or the part of a product or system, that is subject to evaluation; everything outside the TOE boundary is assumed rather than evaluated, so the boundary should be checked carefully before relying on a certificate. The ST is the product-specific instantiation: it may claim conformance to one or more PPs, states the Security Functional Requirements (SFRs) and assurance requirements the TOE meets, and includes a TOE summary specification describing how the TOE satisfies each SFR. Evaluators use the ST as the basis for the evaluation.
The Common Criteria Recognition Arrangement (CCRA) is an international cooperative agreement in which participating government organizations verify that the certification bodies issuing CC certificates consistently meet the conditions for mutual recognition and all applicable standards. Since the 2014 revision of the arrangement, mutual recognition under the CCRA covers evaluations against collaborative Protection Profiles (cPPs) and, for other evaluations, assurance up to EAL2 (augmented with ALC_FLR); recognition of higher EALs relies on regional arrangements such as the SOG-IS MRA in Europe.
Frequently asked questions regarding Common Criteria certification
- How does the new EUCC scheme differ from other schemes?
The EUCC scheme is a unified approach to evaluating and certifying ICT products within the EU. It is the first certification scheme adopted under the Cybersecurity Act (CSA) and marks a significant evolution in how CC evaluations are conducted in Europe. While still based on the CC and the Common Methodology for Information Technology Security Evaluation (CEM), the EUCC places more emphasis on vulnerability analysis and adds obligations for vulnerability handling and patch management after certification. Certificates are classified by the AVA_VAN level achieved, which maps onto the CSA assurance levels "Substantial" and "High," rather than by the traditional EAL alone.
As of Feb. 27, 2026, vendors targeting the EU market must align with the EUCC requirements.
- Why should I evaluate my products?
While it is important to comply with regulatory standards, Common Criteria (CC) certification is not just about that – it’s about strategic and competitive differentiation in a rapidly evolving digital landscape.
The independent, repeatable assurance that comes with Common Criteria evaluation demonstrates a verified security posture, which matters for products intended for regulated sectors such as finance, healthcare and critical infrastructure. Because CC certificates are recognized internationally under the CCRA, certification can also open markets and procurement channels that require it.
Commit to higher security with UL Solutions
UL Solutions has been a leader in product testing and certification for over 100 years. Contact us to get the conversation started about your CC needs today.