Your Roadmap to Risk Reduction!

The Continuum GRC ITAM SaaS platform has hundreds of plugin modules available, such as:


European Union Cybersecurity Certification Scheme for Cloud Services (EUCS)

The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services, and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building, and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, boost the resilience of the Union’s infrastructure, and, ultimately, keep Europe’s society and citizens digitally secure.

Modules include:

  • EUCS CSP
  • EUCS CAB
  • EUCS ENISA

    Common Criteria Certification

    Common Criteria is an international standard (ISO/IEC 15408) for evaluating and certifying the security of IT products, many of which are used in sensitive environments such as government. Certification shows that a product has been independently evaluated against the security claims in its Security Target and meets the requirements of the chosen assurance level. Being on the Common Criteria certified products list makes it simpler for entities that demand security assurances to select a product, and it opens up new opportunities for small businesses and other organizations that want to offer solutions for secure technology needs.

    European Cybersecurity Certification Schemes

    The European cybersecurity certification framework, established by the EU Cybersecurity Act, creates a unified level of security assurance for ICT products, services, and processes used throughout the EU. EUCS is the scheme within that framework that covers cloud services.

    The different schemes apply to varied aspects of cybersecurity.

    • EUCS: Cloud services are assessed at different assurance levels (basic, substantial, high).
    • EUCC: Certification of ICT products (hardware and software, such as smartphones) based on Common Criteria; the first scheme adopted, in 2024.
    • EU5G: Certification for 5G technologies.
    • EUDIW: Security certification for the European Union Digital Identity Wallet.

    Certification under these schemes builds trust and confidence in ICT products and services.

    FAQ

    Certification under this unified framework shows that a business offering cloud services has the technology and controls in place to protect sensitive information. It demonstrates a commitment to cybersecurity that builds customer trust, gives a common reference point as EU requirements evolve, and can provide a competitive advantage.

    Currently, EUCS certification is voluntary. However, under the NIS2 Directive, member states may require entities classified as “essential” or “important” (in sectors such as finance, energy, and critical infrastructure) to use certified ICT products and services, which could include EUCS-certified cloud services. Depending on national requirements, public bodies and commercial users in these sectors may soon be expected to procure certified cloud services.

    There are three security assurance levels in the EUCS framework.

    • Basic: essential security measures intended to minimize the known basic risks of incidents and attacks. Suitable for a cloud service with a lower risk profile.
    • Substantial: more rigorous measures intended to minimize known risks and attacks by actors with limited skills and resources. Suitable for a business with a medium risk profile.
    • High: intended to minimize the risk of state-of-the-art attacks by actors with significant skills and resources; evaluation includes penetration testing. Aimed at organizations with a very high risk profile.

    Beyond meeting legal requirements and reducing the likelihood of data breaches, a compliance audit gives a business evidence that it follows the rules that make international or cross-border data transfers easier. It streamlines processes by clarifying which data protection and management controls are needed, improves communication among employees, and builds customer confidence.


    What are you waiting for?

    You are just a conversation away from putting the power of Continuum GRC to work for you. 

    Contact us using the form below or call us at 1-888-896-6207 for immediate assistance.

    Download our company brochure.

    About this standard

    The European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) is a voluntary framework established under the EU Cybersecurity Act (Regulation (EU) 2019/881) to enhance the cybersecurity of cloud services across the European Union. The candidate scheme is prepared by the European Union Agency for Cybersecurity (ENISA) at the request of the European Commission, which adopts schemes by implementing act. EUCS aims to standardize security requirements, promote trust, and provide certificates recognized across all member states for cloud services (IaaS, PaaS, SaaS, and XaaS). Below is a compliance overview based on the latest available draft and the sources listed at the end of this page.

    Purpose of EUCS

    The EUCS seeks to:

    • Harmonize cybersecurity standards for cloud services across EU member states.
    • Enhance trust in cloud services by ensuring robust security measures.
    • Facilitate compliance with EU regulations (e.g., GDPR, NIS2 Directive).
    • Provide a transparent certification process to help customers make informed decisions.
    • Support the EU’s digital sovereignty and resilience against cyber threats.

    It applies to:

    • Cloud service providers (CSPs) offering services in the EU, including Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and other cloud models.
    • Public and private sector organizations that use cloud services, particularly those handling sensitive data.

    Key Components of EUCS Compliance

    The EUCS framework is structured around security levels, requirements, and certification processes:

    1. Security Assurance Levels: EUCS defines three assurance levels based on the sensitivity of data and associated risks:
      • Basic: For low-risk cloud services. Under the Cybersecurity Act, evaluation at this level includes at least a review of the technical documentation and aims to minimize the known basic risks of incidents and cyberattacks.
      • Substantial: For services with moderate risk. Evaluation includes a review to demonstrate the absence of publicly known vulnerabilities and testing that the security functionalities are correctly implemented, together with an assessment of operational effectiveness over a defined period.
      • High: For services handling highly sensitive data or critical operations. Evaluation adds an assessment of resistance to skilled, well-resourced attackers, including separate penetration testing. (Note: Earlier drafts included a “High+” level, which was removed in the March 2024 draft.)
      • A CSP selects the level commensurate with the risk of the intended use (data sensitivity, expected attacker capability); each level implies a corresponding scope, rigor, and depth of evaluation.
    2. Security Requirements: EUCS outlines security objectives and measures, drawing from standards like ISO 27001, C5:2020, and SecNumCloud. Key areas include:
      • Organizational Measures: Security policies, roles, and incident management.
      • Operational Measures: Secure configurations, access controls, and monitoring.
      • Protection Measures: Data encryption, backups, and physical security.
      • Transparency Requirements: CSPs must disclose data processing and storage locations, as well as applicable jurisdictions, via an International Company Profile Attestation (ICPA) for High-level certification.
    3. Sovereignty and Transparency:
      • Earlier drafts mandated strict sovereignty requirements (e.g., EU-based headquarters, data localization). The March 2024 draft removed these, replacing them with the ICPA, which requires CSPs to declare jurisdictions they are subject to, verified by a Conformity Assessment Body (CAB).
      • Individual EU member states may still impose national sovereignty requirements in contracts, but these do not affect certification.

    EUCS Compliance Process

    Achieving EUCS compliance involves a structured process:

    1. Risk Assessment:
      • CSPs assess risks based on data sensitivity and system criticality to determine the applicable assurance level (Basic, Substantial, High).
    2. Gap Analysis:
      • Evaluate current security measures against EUCS requirements to identify gaps.
    3. Implementation:
      • Upgrade infrastructure, policies, and processes to meet EUCS standards (e.g., encryption, access controls, audit trails).
      • Train staff on security practices and EUCS requirements.
    4. Certification Process:
      • Engage a Conformity Assessment Body (CAB) accredited by the national accreditation body of the relevant member state to conduct the evaluation.
      • Submit documentation, undergo audits, and, for High-level certification, provide an ICPA.
      • Certification is valid for three years, with periodic audits to ensure ongoing compliance.
    5. Monitoring and Renewal:
      • Conduct regular internal audits and address findings.
      • Renew certification every three years or upon significant system changes.

    Key Regulations and Standards

    • EU Cybersecurity Act (Regulation (EU) 2019/881): Establishes the framework for EUCS and other certification schemes.
    • NIS2 Directive (Directive (EU) 2022/2555): Allows member states to require essential and important entities to use ICT products, services, and processes certified under European schemes, which could make EUCS certification practically mandatory in certain markets.
    • ISO 27001/27002: EUCS aligns with these standards for information security management.
    • National Schemes: Incorporates elements from Germany’s C5:2020 and France’s SecNumCloud.
    • GDPR: Ensures compliance with data protection requirements for personal data.

    Benefits of EUCS Compliance

    • Enhanced Trust: Certified CSPs demonstrate robust security, increasing customer confidence.
    • Market Access: Certification is expected to be requested in public sector procurement and may be required for essential and important entities where member states invoke NIS2.
    • Risk Mitigation: Reduces the likelihood of data breaches and cyber incidents.
    • Interoperability: Harmonizes standards across the EU, simplifying compliance for multi-country operations.
    • Competitive Advantage: Signals commitment to cybersecurity, attracting discerning customers.

    Challenges and Considerations

    • Resource Intensity: Compliance requires significant investment in technology, training, and audits, particularly for smaller CSPs.
    • Technical Complexity: Upgrading systems to meet High-level requirements can be challenging.
    • Regulatory Navigation: Keeping up with evolving EUCS drafts and member state requirements demands dedicated resources.
    • Sovereignty Debate: While sovereignty requirements were removed, some member states (e.g., France) may still impose national restrictions, creating uncertainty.
    • Market Impact: Non-EU CSPs may face transparency requirements via ICPA, potentially affecting their competitiveness.

    Best Practices for EUCS Compliance

    • Conduct Regular Risk Assessments: Identify and prioritize risks to tailor security measures.
    • Align with Standards: Leverage ISO 27001 or national frameworks to streamline compliance.
    • Engage Accredited CABs: Work with a Conformity Assessment Body accredited by the national accreditation body of the relevant member state for credible certification.
    • Transparent Communication: Clearly document and disclose data processing locations and jurisdictional obligations.
    • Proactive Engagement: Monitor ENISA updates and participate in industry forums to stay informed.
    • Foster a Security Culture: Train employees and integrate security into organizational processes.

    Current Status (as of August 2025)

    • The EUCS is still in the draft phase, with the latest version dated March 22, 2024. The scheme is adopted by the European Commission through an implementing act, after the opinion of the European Cybersecurity Certification Group (ECCG); adoption was expected in 2025, following delays due to debates over sovereignty requirements.
    • The removal of strict sovereignty rules (e.g., EU headquarters, data localization) in the 2024 draft addressed concerns from non-EU CSPs and some member states (e.g., Ireland, Sweden, Netherlands).
    • Major CSPs like AWS, Microsoft, and Google Cloud are preparing for EUCS compliance, with some already aligning with similar frameworks like SecNumCloud.

    Sources

    • ENISA: EUCS – Cloud Services Scheme (December 2020 draft and updates)
    • R Street Institute: Cybersecurity Score – EUCS (April 2024)
    • Continuum GRC: What is EUCS? (January 2024)
    • Dutch NCCA: Cloud Services (EUCS)
    • U.S. Chamber of Commerce: Issue Briefing on EUCS (December 2022)
