By Asmita - Feb 28, 2025
Industry groups in Europe are advocating for the prompt adoption of the EU Cybersecurity Certification Scheme on Common Criteria (EUCC) starting in February 2025. The EUCC, a voluntary framework, aims to standardize cybersecurity regulations for ICT products and processes across member states. Supporters believe it will enhance cross-border trust and market access, but critics fear it could benefit large tech firms more. The certification builds on the Common Criteria framework, seeking to improve cybersecurity standards for ICT products, though some smaller businesses worry about the costs and roadblocks. This initiative coincides with other EU cybersecurity laws, such as the Cyber Resilience Act and Digital Operational Resilience Act, which set mandatory cybersecurity rules for manufacturers and service providers. While the EUCC is optional, aligning with its requirements can help show compliance with stricter regulations and foster innovation, though there are concerns about unequal benefits among companies. The European Union Agency for Cybersecurity (ENISA) is overseeing the EUCC's implementation and offering guidance, despite criticisms about complexity potentially deterring smaller enterprises and worries regarding dominance by leading tech companies. Industry groups stress the importance of swift EUCC adoption for bolstering Europe's cybersecurity and ensuring fair competition in the digital economy.
Industry groups across Europe are urging swift adoption of the EU Cybersecurity Certification Scheme on Common Criteria (EUCC), which is set to roll out in February 2025. The EUCC, a voluntary certification framework, aims to harmonize cybersecurity standards for ICT products and processes across member states. Businesses that achieve certification will benefit from a pan-European label indicating compliance with the "substantial" or "high" assurance level. Proponents argue that the EUCC will enhance cross-border trust and simplify market access by eliminating country-specific requirements. However, critics highlight concerns that the scheme may disproportionately favor large technology companies, which are better equipped to navigate its rigorous compliance requirements.
The EUCC builds upon the internationally recognized Common Criteria framework (ISO/IEC 15408), which has been a cornerstone of cybersecurity evaluations for decades. By aligning with this standard, the EUCC seeks to provide a unified approach to certifying ICT products such as software, hardware, and smart devices. Industry advocates emphasize that the certification will not only improve cybersecurity but also offer commercial advantages by boosting consumer confidence in certified products. However, smaller businesses have raised concerns about the financial and administrative burden of obtaining certification, fearing it could create barriers to entry in an already competitive market.
This push for rapid adoption coincides with broader legislative efforts under the EU’s Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA), which impose mandatory cybersecurity requirements on manufacturers and service providers. While the EUCC remains voluntary, industry groups argue that aligning with its standards will help companies demonstrate compliance with these stricter regulations. Furthermore, they believe the certification will foster innovation by encouraging manufacturers to prioritize cybersecurity throughout product lifecycles. Yet, some stakeholders worry that these benefits may primarily accrue to well-resourced organizations, leaving smaller firms at a disadvantage.
The European Union Agency for Cybersecurity (ENISA) is tasked with overseeing the implementation of the EUCC and providing guidance to stakeholders. ENISA has published best practices and technical annexes to assist businesses in meeting certification criteria. Despite these efforts, critics argue that the complexity of the framework could discourage participation among smaller enterprises. Additionally, concerns have been raised about potential conflicts of interest if large tech companies dominate certified product categories. As debates continue, industry groups maintain that accelerating adoption of the EUCC is essential for bolstering Europe’s cybersecurity resilience and ensuring a level playing field in an increasingly interconnected digital economy.