Public Consultations on Cybersecurity Candidate Schemes

On this page you can find all the ongoing public consultation on the certification schemes under the EU Cybersecurity Certification Framework.

Public Consultation on Candidate Cybersecurity Certification Scheme, EUCC

The European Union Agency for Cybersecurity, ENISA, has opened a public consultation for interested parties to share feedback on the draft of the Common Criteria based European cybersecurity certification scheme (EUCC), which builds on the existing schemes operating under the Senior Officials Group Information Systems Security Mutual Recognition Agreement (SOG-IS MRA). The consultation is established in accordance with Article 49.3 of the EU Cybersecurity Act of 2019 (CSA), stating: "When preparing a candidate scheme, ENISA shall consult all relevant stakeholders by means of a formal, open, transparent and inclusive consultation process."

The consultation will remain open for contributions until July 31st, 12:00 CET.

To participate in the Public Consultation, please go to: EUCC Consultation Survey

The EUCC candidate scheme aims to replace the existing schemes operating under the SOG-IS MRA for ICT products, to add new elements and to extend the scope to cover all EU Member States. The EUCC is the first candidate scheme under the wider EU cybersecurity certification framework. A second candidate scheme is currently in preparation and relates to the certification of cloud services.

The EUCC candidate scheme is a Common Criteria-based scheme. Over the past two decades, the Common Criteria have proven efficient for the certification of chips and smartcards across Europe, and have enhanced the level of security of electronic signature devices, for means of identification such as passports, banking cards and tachographs for lorries. More recently, the criteria have been used intensively to certify the cybersecurity of ICT software products. This new candidate scheme aims to further improve the Union’s internal market conditions for ICT products, and positively affect the ICT services and ICT processes relying on such products. 

About the EUCC candidate scheme:

  • Built on the current SOG-IS MRA and Common Criteria with rules included for transition;
  • Applicable for ICT products;
  • Covers assurance levels ‘Substantial’ and ‘High’;
  • Certificate validity for five years, can be renewed;
  • Allows for composite certification;
  • Recognition in all EU Member States;
  • Voluntary scheme;
  • Harmonised conditions for vulnerability handling and disclosure;
  • Clearly defined rules on monitoring and handling non-compliance and non-conformity;
  • Introduces a new patch management mechanism to support vulnerability handling;
  • Use of a framework-based label and a QR code to ensure easy access to accurate certification information.

Under the CSA, ENISA set up the Ad Hoc Working Group, EUCC AHWG, late last year to support the preparation of this first candidate scheme. Chaired by ENISA, the group is composed of 20 appointed members representing industry (developers, evaluators), and 12 participants from Member States and accreditation bodies. The EUCC AHWG has worked in close collaboration with the European Commission and with the European Cybersecurity Certification Group (ECCG), which is composed of representatives of national cybersecurity certification authorities and representatives of other relevant national authorities of Member States. Following the conclusion of this public consultation, feedback will be processed and shared.

Participate in the Public Consultation

ENISA calls on all interested parties to provide feedback on the EUCC candidate cybersecurity certification scheme. To participate in the Public Consultation, please go to: EUCC Consultation Survey.

Before answering please consult the Draft of the EUCC Candidate Scheme.

Find more information about the EU cybersecurity certification framework and about ENISA’s role under the EU Cybersecurity Act, please visit ENISA Topic on Certification.


For any general related questions about the EU Cybersecurity Certification Framework, please contact certification (at)

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information