Home SecurityEUCC: The “New” Standard for IoT/OT Security
Security

EUCC: The “New” Standard for IoT/OT Security

by
written by
EUCC The New Standard for IoT OT Security

The digital landscape is in constant flux, with cyber threats growing in sophistication and frequency. In response, regulatory bodies worldwide are striving to create more secure environments. The European Union, a major player in this global effort, has introduced a significant new framework that is poised to reshape product security evaluations: the EU Common Criteria (EUCC). This standard is not merely an incremental update; it represents a fundamental shift in how Information and Communications Technology (ICT) products, particularly within the burgeoning Internet of Things (IoT) and Operational Technology (OT) sectors, will be assessed and recognized within European markets.

For manufacturers of IoT and OT devices, the EUCC is more than just another regulation to navigate. It’s a critical evolution that directly impacts market access, product development, and consumer trust. By standardizing and elevating cybersecurity baselines, the EUCC aims to create a more secure digital environment for all. Understanding these changes now is crucial for proactive adaptation and sustained success in a rapidly evolving connected world.

The Genesis of EUCC: A Unified Vision for Cybersecurity

For years, the European Union has recognized the urgent need for a cohesive approach to cybersecurity. The proliferation of digital products, coupled with the increasing interconnectedness of systems, created a complex web of vulnerabilities. Historically, fragmented national frameworks led to inefficiencies, increased compliance costs for businesses, and confusion for consumers regarding the security of their digital products. The lack of a unified standard made it challenging for manufacturers to enter multiple EU markets without undergoing redundant and often conflicting certification processes.

This fragmented landscape not only hindered market entry and innovation but also left gaps in product protection, exposing critical infrastructure and user data to potential threats. The drive towards harmonization became increasingly evident, laying the groundwork for initiatives like the EU Cybersecurity Act, which ultimately gave birth to the EUCC.

Addressing Fragmentation and Enhancing Trust

The primary objective behind the EUCC is to address the historical fragmentation of cybersecurity standards across the EU. By establishing a single, unified benchmark, the scheme aims to:

  • Simplify compliance for businesses: Manufacturers can now strive for one certification that is recognized across all EU member states, reducing costs and accelerating time-to-market.
  • Enhance consumer trust: A standardized and rigorous certification process provides consumers with greater assurance about the security of the digital products they use.
  • Strengthen the EU’s digital single market: By fostering a more secure and predictable environment, the EUCC promotes legitimate trade and innovation within the Union.
  • Elevate cybersecurity baselines: The scheme pushes for higher security requirements, encouraging manufacturers to embed security by design in their products.

What is the EUCC? Decoding the New Standard

The European Cybersecurity Certification Scheme on Common Criteria (EUCC) is a voluntary cybersecurity certification scheme launched under the framework of the EU Cybersecurity Act (Regulation (EU) 2019/881). It officially came into effect on January 31, 2024. Spearheaded by the European Union Agency for Cybersecurity (ENISA), the EUCC aims to create a unified security benchmark for a wide array of Information Communications Technology (ICT) products and services.

Building on the Common Criteria Framework

At its core, the EUCC is built upon the well-established SOG-IS Common Criteria (CC) evaluation framework. The Common Criteria is an international standard (ISO/IEC 15408) for information security evaluation that has been widely adopted by 17 EU Member States and numerous other countries globally. This reliance on an existing, recognized standard is a strategic move, ensuring a degree of familiarity and continuity while introducing EU-specific enhancements.

The CC framework provides a structured and transparent assessment process for evaluating the security features of IT products. It utilizes a concept of “Evaluation Assurance Levels” (EALs), which define the rigor and depth of the cybersecurity assessment. The EUCC specifically leverages the Common Criteria’s vulnerability assessment family (AVA_VAN), components 1 to 5, which are crucial for a thorough security evaluation.

Scope: What Products Does it Cover?

The EUCC primarily targets ICT products, including:

  • Hardware: This encompasses a vast range of physical devices, from microcontrollers and sensors to network equipment and industrial control systems.
  • Software: Operating systems, applications, firmware, and other software components fall under the scheme’s purview.
  • Components: Individual modules or parts that contribute to the overall functionality and security of a larger ICT product.

This broad scope ensures that a significant portion of the connected devices that form the backbone of the IoT and OT landscape are subject to the new security benchmark. Examples of features that might be assessed include user authentication, encryption, network security, software security, and access control.

The “New” Aspect: EU-Specific Requirements and Governance

While building on the Common Criteria, the EUCC introduces several “new” elements, primarily concerning EU-specific requirements and governance:

  • Unified EU Governance: Instead of relying on individual national certification bodies, the EUCC establishes a harmonized process overseen by ENISA, ensuring consistent application across the EU.
  • Tailored Security Objectives: The EUCC integrates specific security objectives relevant to the EU’s digital agenda and risk landscape, potentially introducing requirements beyond the generic CC framework.
  • Certification Bodies: The framework streamlines the accreditation and operation of Conformity Assessment Bodies (CABs) within the EU, making it easier for them to offer certification services.
  • Alignment with Broader EU Initiatives: The EUCC is not a standalone initiative. It is an integral part of the broader Cyber Resilience Act, an overarching legislative effort focused on securing the collection, storage, and transfer of data across the EU. This interconnectedness ensures a coherent and comprehensive approach to cybersecurity.

Why This Matters: Impact on IoT and OT Manufacturers

The operational rollout of the EUCC represents a pivotal moment for manufacturers operating within the IoT and OT sectors. This isn’t just another layer of bureaucracy; it’s a fundamental shift that will redefine how products are designed, developed, and brought to market in Europe.

Maintaining Market Access

Perhaps the most immediate and critical impact of the EUCC is its influence on market access. While the EUCC is currently voluntary, its integration within the broader Cyber Resilience Act (CRA) hints at a future where such certifications could become a de facto, or even mandatory, requirement for certain product categories to be sold in the EU. Even as voluntary, products with EUCC certification will likely gain a significant competitive advantage. Without it, manufacturers might find their products at a disadvantage compared to certified alternatives, potentially leading to exclusion from key markets or reduced sales.

Elevating Cybersecurity Baselines

The EUCC aims to standardize and elevate cybersecurity baselines across the board. This means manufacturers will need to consider security not as an afterthought, but as a core component of their product development lifecycle. The scheme emphasizes a “security by design” approach, encouraging the integration of robust security features from the initial stages of product conceptualization. This will push manufacturers to:

  • Implement stronger security controls: This includes features like secure boot, cryptographic modules, robust authentication mechanisms, and secure update procedures.
  • Conduct more thorough security testing: Products will undergo rigorous evaluations, including vulnerability assessments and penetration testing, to ensure they meet the EUCC’s stringent requirements.
  • Prioritize secure development practices: Manufacturers will need to adopt secure coding practices, implement secure software development lifecycles (SSDLCs), and conduct regular security audits of their codebases.

Building and Maintaining Consumer Trust

In an increasingly connected world, consumer trust is paramount. High-profile data breaches and cyberattacks have eroded public confidence in digital products. The EUCC provides a credible and transparent mechanism for manufacturers to demonstrate their commitment to cybersecurity. A product bearing the EUCC certification mark signals to consumers, businesses, and regulators that it has undergone a rigorous, independent security assessment and meets a recognized standard of excellence. This can translate into:

  • Increased brand reputation: Manufacturers known for producing secure, certified products will build stronger brands and customer loyalty.
  • Competitive differentiation: In a crowded market, EUCC certification can be a powerful differentiator, attracting security-conscious customers.
  • Reduced liability: By adhering to a recognized security standard, manufacturers can potentially mitigate legal and financial risks associated with security incidents.

Key Standards and Regulations Intersecting with EUCC

The EUCC does not operate in isolation. It is part of a broader, interconnected ecosystem of EU regulations and standards designed to enhance cybersecurity and data protection. Manufacturers need to understand how the EUCC interacts with these other crucial frameworks to ensure comprehensive compliance.

The Cyber Resilience Act (CRA)

The Cyber Resilience Act is a landmark piece of legislation that mandates cybersecurity requirements for digital products throughout their entire lifecycle. The CRA aims to ensure that hardware and software products in the EU market are secure by design and remain secure over time. The EUCC is intrinsically linked to the CRA, serving as a key mechanism for demonstrating compliance with certain CRA requirements. While the CRA sets the legal obligation for cybersecurity, the EUCC provides a concrete certification pathway. The CRA will eventually include other components like cloud computing (EUCS) and 5G mobile networks (EU5G), signifying a holistic approach.

NIS2 Directive (Network and Information Security Directive 2)

The NIS2 Directive significantly strengthens cybersecurity requirements for essential and important entities across various sectors, including energy, transport, health, and digital infrastructure. While NIS2 focuses on the security of networks and information systems operated by these entities, the security of the IoT and OT products they deploy is directly relevant. Certified EUCC products can contribute to an organization’s overall compliance with NIS2 by ensuring the security of the components within their infrastructure.

Radio Equipment Directive (RED Directive)

For radio-enabled IoT devices, the Radio Equipment Directive (RED Directive) is a critical regulation. It sets essential requirements for radio equipment, including health and safety, electromagnetic compatibility, and efficient use of the radio spectrum. Recent amendments to the RED Directive have introduced specific cybersecurity requirements for internet-connected radio equipment. Manufacturers of such devices must ensure compliance with both the RED Directive’s security provisions and, where applicable, the EUCC for a comprehensive security posture.

EN 303 645 for Consumer IoT Security

EN 303 645 is a European standard for consumer IoT security benchmarks. It provides a baseline for cybersecurity for internet-connected consumer devices, covering aspects like secure updates, robust authentication, and data protection. While not a certification scheme itself, adherence to EN 303 645 can significantly aid manufacturers in meeting the security objectives of the EUCC, particularly for consumer-facing IoT products.

EN 18031

EN 18031 is another standard that may be relevant, depending on the specific nature and application of the IoT or OT device. This European standard often pertains to security measures within specific industrial or critical infrastructure contexts. Aligning with EN 18031, where appropriate, can further bolster the security evaluation required for EUCC certification.

General Data Protection Regulation (GDPR)

Data protection remains paramount under the General Data Protection Regulation (GDPR). The GDPR sets stringent requirements for the processing of personal data, including principles of data protection by design and by default. The security measures implemented to achieve EUCC certification will intrinsically support GDPR compliance, especially where IoT and OT devices collect, process, or transmit personal data. Secure data handling, encryption, access control, and privacy-enhancing technologies are all areas where EUCC and GDPR requirements converge.

The EU Cybersecurity Certification Framework: A Tiered Approach

The EUCC is a product of the broader EU Cybersecurity Certification Framework, which was introduced by the European Parliament in 2019. This framework lays the foundation for a standardized approach to cybersecurity across the EU, ensuring that ICT products, services, and systems meet strict cybersecurity regulations.

Levels of Assurance: Basic, Substantial, and High

The EU Cybersecurity Certification Framework, and by extension the EUCC, incorporates a tiered system of assurance levels:

  • Basic: This level is designed for products, services, or processes that present a low risk of cyber threats. The evaluation focuses on basic cybersecurity provisions and aims to confirm adherence to minimum security requirements.
  • Substantial: This level is for items that pose a significant risk. The evaluation is more rigorous, employing advanced testing methods to ensure a higher level of confidence in the product’s security features.
  • High: Reserved for products, services, or processes that carry a high risk of cyber threats, this level demands the most comprehensive and stringent evaluations. It aims to provide the highest level of assurance that the product can withstand state-of-the-art cyberattacks.

Manufacturers will need to determine the appropriate assurance level for their specific IoT/OT products based on their intended use, the data they handle, and the potential impact of a security compromise. This tiered approach allows for proportionate security measures, ensuring that certification efforts are aligned with actual risk profiles.

ENISA’s Central Role in Scheme Development

ENISA (European Union Agency for Cybersecurity) plays a pivotal role in the development and implementation of the EUCC and other certification schemes. Upon request from the European Commission or EU Member States, ENISA develops draft certification schemes, collaborating closely with various stakeholders, including Ad-Hoc Working Groups (AHWGs), to ensure the schemes are robust, widely accepted, and reflect the latest cybersecurity best practices. This collaborative approach ensures that the EUCC remains relevant and effective in the face of evolving cyber threats.

Navigating the Certification Process

For IoT and OT manufacturers, understanding the certification process is paramount. While the full specifics will be detailed in official guidance, the general steps involved in obtaining EUCC certification will likely include:

Initial Assessment and Gap Analysis

The first crucial step is to conduct a thorough assessment of your current product security frameworks against the new EUCC requirements. This involves:

  • Understanding the specific security requirements: This will involve delving into the technical specifications and evaluation methodologies outlined in the EUCC.
  • Identifying product scope: Clearly define which of your IoT/OT products fall under the scope of the EUCC.
  • Performing a gap analysis: Compare your existing security measures and documentation with the EUCC requirements to pinpoint any discrepancies or areas needing improvement. This might involve reviewing design specifications, source code, testing procedures, and operational security policies.

Engaging with Experts

The nuances of EU-specific certification processes can be complex. Engaging with cybersecurity experts and consultants who specialize in EU cybersecurity regulations is highly recommended. These experts can:

  • Provide guidance on interpretation: Help decipher the technical and legal jargon of the EUCC and its associated standards.
  • Assist in gap remediation: Offer expertise in implementing necessary security controls, redesigning architectures, or updating development processes to meet compliance.
  • Facilitate the certification journey: Guide you through the selection of a Conformity Assessment Body (CAB) and help prepare the necessary documentation for evaluation.

Preparation for Evaluation

Once gaps have been identified and addressed, manufacturers will need to prepare their products and documentation for formal evaluation by a recognized Conformity Assessment Body (CAB). This preparation phase includes:

  • Developing robust security documentation: This includes security targets, protection profiles (if applicable), and detailed descriptions of the product’s security architecture and functionalities.
  • Conducting internal audits and pre-assessments: Simulate the formal evaluation process to identify and rectify any remaining weaknesses.
  • Ensuring traceability: Be prepared to demonstrate how each security requirement has been met and how the implementation has been verified.

The Evaluation Process

The formal evaluation will be conducted by a Conformity Assessment Body (CAB) accredited to perform EUCC assessments. The evaluation typically involves:

  • Document review: Assessment of all provided security documentation to ensure it aligns with EUCC requirements.
  • Technical testing: In-depth technical analysis and testing of the product, which may include vulnerability assessments, penetration testing, and analysis of cryptographic implementations.
  • Process assessment: Evaluation of the manufacturer’s development and maintenance processes to ensure security is embedded throughout the product lifecycle.
  • Evidence collection: The CAB will gather objective evidence to support its findings and conclusion.

Certification and Maintenance

Upon successful completion of the evaluation, the CAB will issue the EUCC certificate. However, certification is not a one-time event. Manufacturers will need to:

  • Maintain compliance: Continuously monitor their products for new vulnerabilities, issue security updates, and ensure that changes to the product do not compromise its certified security posture.
  • Undergo surveillance audits: Periodically, the CAB may conduct surveillance audits to ensure ongoing adherence to the EUCC requirements.
  • Re-certification: Certificates will have a validity period, at the end of which re-certification will be necessary to ensure continued compliance with evolving security landscapes.

Proactive Strategies for IoT/OT Manufacturers

Given the critical implications of the EUCC, a proactive approach is not just advisable but essential for continued success in the European market.

Embed Security by Design

Integrate cybersecurity considerations from the very initial stages of product design and development. This means:

  • Threat modeling: Identify potential threats and vulnerabilities early in the design phase.
  • Secure architecture: Design systems with security in mind, incorporating principles like least privilege, defense-in-depth, and secure defaults.
  • Secure coding practices: Train developers in secure coding techniques and incorporate security checks into the development pipeline.
  • Dependency management: Understand and manage the security risks associated with third-party components and open-source libraries.

Invest in Talent and Training

Ensure your R&D, engineering, and cybersecurity teams are well-versed in the EUCC requirements and the broader EU cybersecurity landscape. Provide continuous training on secure development practices, vulnerability management, and incident response.

Leverage Automation and Tools

Utilize automated security testing tools, such as static application security testing (SAST) and dynamic application security testing (DAST), to identify vulnerabilities early and efficiently. Implement security orchestration, automation, and response (SOAR) solutions to streamline security operations.

Stay Informed and Engaged

The EU cybersecurity landscape is dynamic. Manufacturers must stay informed about official guidance, implementation timelines, and any updates to the EUCC and related regulations. Engage with industry associations, participate in relevant working groups, and subscribe to official EU cybersecurity publications.

Embrace a Culture of Continuous Security

View cybersecurity as an ongoing process, not a one-time project. Establish a culture within your organization that prioritizes security, encourages continuous improvement, and fosters collaboration between development and security teams. Implement regular security audits, penetration testing, and vulnerability management programs.

The Future: EUCS, EU5G, and EUDI Wallets

The EUCC is the first of several planned certification schemes under the EU Cybersecurity Certification Framework. ENISA is actively developing additional schemes, including:

  • EUCS (Cloud Services): This scheme will focus on the cybersecurity of cloud computing services, providing a unified standard for cloud providers operating within the EU.
  • EU5G (5G Mobile Networks): As 5G networks become the backbone of critical infrastructure, this scheme will address the unique security challenges associated with this transformative technology.
  • EUDI Wallets (EU Digital Identity Wallets): With the increasing push for digital identities, this scheme will ensure the highest levels of security and privacy for digital identity solutions.

These upcoming schemes underscore the EU’s comprehensive strategy to secure the entire digital ecosystem. For IoT and OT manufacturers, this implies a future where a broader range of their products and services, particularly those interacting with cloud environments or 5G networks, will eventually be subject to EU-wide cybersecurity certification.

Conclusion: A Secure Foundation for Industrial Intelligence

The EUCC marks a significant milestone in the EU’s journey towards a more secure and trustworthy digital environment. For IoT and OT manufacturers, it presents both a challenge and an immense opportunity. While compliance requires investment and adaptation, the rewards are substantial: enhanced market access, stronger competitive positioning, increased consumer trust, and ultimately, a more resilient and secure foundation for the future of industrial intelligence. By proactively understanding and addressing the requirements of the EUCC, manufacturers can not only ensure their continued success in the European market but also cement their reputation as leaders in cybersecurity innovation.

Is your IoT or OT product portfolio ready for the new era of EU cybersecurity?

Navigating the complexities of the EUCC and other evolving regulations can be daunting. At IoT Worlds, our team of experts is dedicated to helping manufacturers like you understand, assess, and achieve compliance with the latest cybersecurity standards. From initial gap analyses to strategic guidance and preparation for certification, we provide tailored solutions that ensure your products meet the highest security benchmarks. Don’t let compliance hurdles slow your innovation. Reach out to us today to secure your market position and build unparalleled trust in your connected solutions.

Email us at info@iotworlds.com to learn how we can help you thrive in the new cybersecurity landscape.

You Might Be Interested In

You may also like

IEC 62443 Zones and Conduits – Explained with...

Types of Firewalls – The Foundation of Network...

Advanced SOC Architecture: Building a Modern Security Operations...

SOC plus SIEM plus SOAR: The Architecture of...

Threat Hunting Methodologies: Unearthing the Unseen in Modern...

Edge vs Cloud in AIoT: Embracing Hybrid Intelligence...

WP Radio
WP Radio
OFFLINE LIVE