The EUCC Scheme is a successor to the existing CC scheme, operating under the SOG-IS MRA (Senior Officials Group Information Systems Security Mutual Recognition Agreement). The scheme will improve the European Union Internal Market conditions for ICT products, and as a result, will also have positive effects for ICT services and ICT processes relying on such products. This scheme includes specific conditions for issuing, maintaining, continuing, and renewing certificates, as well as conditions for extending or reducing the scope of certification.

In this article, we will discuss the top 3 conditions for issuing a certificate, as well as the top 3 conditions for maintaining, continuing, and renewing it.

A certification body (CB) will only issue a certificate when :

1. the applicant has committed to all required obligations in order to obtain the certificate

2. the evaluation of the ICT product is in line with the scheme’s evaluation requirements for the requested selection of assurance components (and is successful)

3. the review by the CB of the evaluation results is successful and in line with the requirements of ISO/IEC 17065.

During the validity period of a certificate, the certified ICT product may remain stable and benefit from an unchanged threat environment. In that case, the certificate will continue until its expiration date. For all other cases, the certified ICT product will be subject to maintenance activities in response to changes affecting its certification.

The maintenance activities can be initiated on the request of the owner of the certificate under these conditions:

1. If the validity period of the certificate is expired
2. If there was a change of the certified ICT product
3. If the owner requested a refreshed vulnerability assessment

The maintenance can also be initiated upon the following conditions:

1. If the ICT product is selected through the sampling rule installed for the general monitoring of certified ICT products
2. If there is a potential or actual non-conformity with security requirements
3. If a non-compliance with the accreditation requirements was identified

Upon review and decision of the CB, the maintenance activities may result in:

• Continuing the certificate, without change
• Renewing the certificate with a new validity period
• Issuing a certificate with either extended or reduced scope or a reduced assurance level
• Suspending the certificate pending the remedial action
• Withdrawing the certificate.

In the case that no maintenance was requested for a certificate that has reached its expiration date, the certificate will be archived. This means that access to the certificate will still be provided with a clear indication that it has expired. If maintenance is initiated with no action taken by any responsible party in due time, the certificate will be withdrawn.

If you want to learn more about the EUCC Scheme and certificate life-cycle process, get in touch with EUCC experts.