Common Criteria Certification for Information Technology (IT) Security

UL Solutions helps you efficiently show your compliance with the Common Criteria (ISO/IEC 15408), one of the most widely recognized IT security validation certifications in the world.

UL Solutions Common Criteria certification helps safeguard systems

International hacking scandals are putting the spotlight on countries’ security loopholes and weaknesses. With many governments calling for higher security, their requirements for secure information technology (IT) products are becoming increasingly stringent.

UL Solutions was one of the first laboratories involved in the European common approval scheme for point-of-interaction devices. Today, UL Solutions is an accredited Common Criteria IT Security Evaluation Facility — providing advisory and evaluation services to help IT vendors successfully complete security evaluations.

Fortune 1000 companies choose UL Solutions for our customer responsiveness, proven expertise and security knowledge.

Common Criteria, also known as ISO/IEC 15408

Formalized as ISO/IEC 15408, Common Criteria (CC) defines a hierarchical framework of security concepts and terminology. The CC defines an evaluation assurance level (EAL) that specifies predefined sets of security assurance components that may be referenced in Protection Profiles (PPs) and Security Targets (STs). These also specify the appropriate security assurances to be provided to a target of evaluation (TOE).

Under an EAL, there are seven levels that offer progressively greater certainty. From February 2026 onwards, EALs will no longer be used as a result of the implementation of the EU Cybersecurity Certification Scheme on Common Criteria (EUCC). Instead, vulnerability analysis (AVA_VAN) levels will be used to determine the assurance level for certification; levels up to two will be classified as “Substantial” and levels above that as “High.”

The European Commission established the EUCC under the legal framework of the EU Cybersecurity Act in order to harmonize the European framework for the EU cybersecurity certification of information and computer technology (ICT) goods, services and procedures. The CC also defines the PP construct, which is a product category-specific but product-agnostic requirements template. This allows prospective consumers, developers and regulatory groups to create standardized sets of security threats, objectives, requirements and assurance measures.

The TOE can be part of the product or system that is subject to evaluation if it complies with or refers to a PP. The ST contains the product-specific instantiation along with a summary specification of how the TOE satisfies the Security Functional Requirements (SFRs) and is used by the evaluators as the basis for evaluation.  

The Common Criteria Recognition Agreement (CCRA) is an international cooperative agreement in which participating government organizations verify that certification bodies issuing CC certificates consistently meet the conditions for mutual recognition and all applicable standards.

Common Criteria for IT security evaluations

UL Solutions is accredited by the Dutch Accreditation Council (RvA) and registered under “L662 - Raad voor Accreditatie” for Common Criteria to conduct IT security evaluations in conformance with the Common Criteria for Information Technology Security Evaluation (CCEVS) for the Assurance Protection Profile Evaluation (APE), Security Target Evaluation (ASE) and TOE evaluations up to EAL4 or PP/cPP.

UL Solutions provides consulting and evaluation services to help IT vendors successfully complete security evaluations. See our list of Common Criteria services and locations of our IT security evaluation facilities in this complimentary info sheet. 

Contact us today to learn more about UL Solutions Common Criteria services or to speak to a UL Solutions expert.

Frequently asked questions regarding Common Criteria certification

How does the new EUCC scheme differ from other schemes?

The EUCC scheme is a unified approach to testing ICT products and services. It is the first certification scheme developed under the Cybersecurity Act (CSA) and marks a significant evolution in how CC evaluations are conducted within the EU. While still based on CC and Common Methodology for Information Technology Security Evaluation (CEM) standards, EUCC now places more emphasis on vulnerability assessments and patch management. Products are now classified by vulnerability levels rather than traditional EALs. 

As of Feb. 27, 2026, vendors targeting the EU market must align with the EUCC requirements.  

Why should I evaluate my products?

While it is important to comply with regulatory standards, Common Criteria (CC) certification is not just about that – it’s about strategic and competitive differentiation in a rapidly evolving digital landscape.

The strong security posture that comes with CC certifications shows continuous security assurance for products meant to be used in regulated sectors like finance, healthcare and critical infrastructure. Given its global recognition, CC certification can help provide an entry point to the market.

What is the Common Criteria certification process?

UL Solutions validation includes assistance with ST authoring to confirm that your evaluation begins smoothly. It is critical to start with an accurate ST in order to align the developer, evaluator and certifier on what the product is supposed to do, what level of assurance is expected and what evaluation activities are needed.

UL Solutions begins an evaluation with an extensive workshop to review the requirements for the TOE design, which helps highlight compliance concerns and kick-start the ST documentation authoring.

Once all documentation has been evaluated and is deemed compliant, UL Solutions will accept delivery of the product and perform testing. This testing is typically done at UL Solutions facilities and may leverage some vendor-specific testing tools, depending on the testing required. This is a collaborative process, and UL Solutions may reach out to the vendor to address functional issues, typically related to the product’s configuration. Once all products pass, the testing is complete, and the project can move to the last phase.

The final phase requires all project findings to be submitted to the scheme during a specific meeting known as the Evaluation Review Meeting (ERM). This meeting will include a brief summary of activities performed during the evaluation. Upon formal validation, the ST and the Certification Report (CR) will become public record and be posted on the Common Criteria website and the TrustCB website.

Commit to higher security with UL Solutions

UL Solutions has been a leader in product testing and certification for over 100 years. We conduct Common Criteria certifications under multiple schemes and evaluate products against various cybersecurity, safety and performance standards to fully align with Common Criteria certification.

Contact us to get the conversation started about your CC needs today.
