European Union Cybersecurity Certification Scheme Statistics · Annual Edition ·
Volume I · Issue 01 Regulation (EU) 2024/482 Public observation · independent

EUCC: the certified Union, in figures and numbers.

On 27 February 2024, the EU Cybersecurity Certification Scheme based on the Common Criteria — EUCC — became the first scheme adopted under the Cybersecurity Act. With the EUCC scheme we made a big step towards a unified certification landscape in Europe.

The figures below describe the entire population of certificates issued under EUCC since the scheme entered into effect. They are compiled from the official ENISA list and presented here for public observation.

This publication is neither operated nor endorsed by ENISA. All certificate records are sourced from the public ENISA list. All information is served here without any warranty for correctness. In case of discrepancies, please always consult the list under certification.enisa.europa.eu.

Since the scheme entered into effect, certificates have been issued — at assurance level High and at Substantial — to distinct holders across countries, evaluated by accredited laboratories.

I

The cadence of issuance.

Figure 1

Certificates issued by month,

Volume has been irregular but accelerating. The scheme's first months were dominated by transition cases from pre-existing SOG-IS arrangements; later months show wider participation across bodies.

II

What level of assurance?

Assurance levels

The corpus skews toward High.

EUCC covers two assurance levels: Substantial and High as defined by the Cyber Security Act. Of certificates, reach High.

The skew reflects the population of products that historically carried Common Criteria certificates — secure elements, smart cards, cryptographic modules — for which only High is commercially meaningful.

Figure 2 · Assurance level
II

CC Version.

Figure 3 · Common Criteria version

Standard revision

The transition to CC:2022.

Common Criteria version 2022 (formally ISO/IEC 15408:2022) introduced streamlined assurance classes and updated attack-potential modelling. Certificates issued under EUCC reflect both the legacy 3.1 revision and the current 2022 edition. As evaluation bodies and developers complete their transition, the share of CC:2022 certificates is expected to grow.

III

The geography of certification.

Where certificates live

A continental concentration.

The holders of EUCC certificates concentrate in a handful of jurisdictions with established secure-products industries — France, the Netherlands, Germany — though non-EU manufacturers are increasingly visible.

The four NCCAs currently issuing — ANSSI, BSI, RDI and CCN — handle the full caseload between them; no other Member State has yet supervised an issuance under EUCC.

Figure 4 · Holder country
Figure 5 · Responsible NCCA
Figure 6 · Top protection profiles
IV

Who certifies, who evaluates.

Figure 7 · Certification body
Figure 8 · Evaluation laboratory (ITSEF)
V

The depth of evaluation.

Figure 9 · EAL distribution
Figure 10 · AVA_VAN distribution
VI

Holders and products.

Figure 11 · Top certificate holders
Figure 12 · Product type
Imprint

This website has been developed and is operated by
Konfidas GmbH · Fahnestr. 4 · 44229 Dortmund · Germany
Geschäftsführer: Nils Tekampe
Registergericht: Amtsgericht Dortmund · HRB 31354
USt-IdNr.: DE310354787
Tel.: 0231-586 92 412
E-Mail: contact@konfidas.de

Privacy Policy

This privacy policy will explain how Konfidas GmbH uses the personal data we collect from you when you use our website.

The only personal identification information that this website collects is your IP address.

We will not share this data with anyone but just use it to produce statistics about the use of our website.

Read more

Privacy Policy

This privacy policy will explain how Konfidas GmbH uses the personal data we collect from you when you use our website.

The only personal identification information that this website collects is your IP address.

We will not share this data with anyone but just use it to produce statistics about the use of our website.

How do we store your data?

Our Company securely stores your data on our server in Germany.

Our Company will keep your IP address for 3 months. Once this time period has expired, we will delete your data by overwriting it.

What are your data protection rights?

Our Company would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access – You have the right to request Our Company for copies of your personal data. We may charge you a small fee for this service.

The right to rectification – You have the right to request that Our Company correct any information you believe is inaccurate. You also have the right to request Our Company to complete the information you believe is incomplete.

The right to erasure – You have the right to request that Our Company erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that Our Company restrict the processing of your personal data, under certain conditions.

The right to object to processing – You have the right to object to Our Company's processing of your personal data, under certain conditions.

The right to data portability – You have the right to request that Our Company transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at our email:

Call us at: +49 (0) 231-586 92 412

Or write to us: contact@konfidas.de

Privacy policies of other websites

The Our Company website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy.

Changes to our privacy policy

Our Company keeps its privacy policy under regular review and places any updates on this web page. This privacy policy was last updated on May, 9th 2026.

How to contact us

If you have any questions about Our Company's privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us (see contact information above).

How to contact the appropriate authority

Should you wish to report a complaint or if you feel that Our Company has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner's Office. You can find more information under https://www.ldi.nrw.de/.