In today’s rapidly evolving digital landscape, achieving the EU Cybersecurity Certification (EUCC) has become crucial for companies seeking to demonstrate the highest standards of product security and compliance across Europe. As the cybersecurity sector faces increasing regulatory complexity and pressure for swift market entry, selecting the right laboratory for your EUCC evaluation has become more vital than ever.
What is EUCC?
EUCC is the European Union's certification scheme for all cybersecurity products, based on the international standard (ISO 15408), a Common Criteria (CC) methodology. As part of the EU Cyber Security Act (CSA) and linking to the Cyber Resilience Act (CRA), the EUCC represents a key step forward in strengthening European cybersecurity regulation through third-party certification.
EUCC is a successor of Senior Officials Group Information Systems Security (SOG-IS). Brightsight has operated within the SOG-IS framework since 2002.
EUCC defines different roles such as:
IT Security Evaluation Facility (ITSEF)
ITSEF is a security evaluation laboratory that performs the compliance assessment on behalf of the CB.
Brightsight has been authorized as a Conformity Assessment Body (CAB) under the EUCC in the following roles:
ITSEF:
- Dutch NCCA: RDI (authorized in May 2025)
- Dutch Accreditation Council: RvA (accredited in April 2025)
- German NCCA: BSI
- Spanish NCCA: CCN
Certification Body (CB)
Issues the certificates for products that are compliant with the EUCC requirements.
- Dutch NCCA: RDI
National Cybersecurity Certification Authority (NCCA)
Monitors the process in place executed by Conformity Assessment Bodies (CABs)—CB and ITSEF—and ensures that these comply with quality standards (ISO 17025, ISO 23532 and ISO 19896 for the ITSEF; ISO 17065 for the CB), and additional impartiality and confidentiality requirements for both.
Brightsight operates under NCCAs such as the Dutch RDI, the Spanish CCN, and the German BSI (with the French ANSSI undergoing the accreditation process).
European Union Agency for Cybersecurity (ENISA)
Drives EUCC guidance and maintains a central website with scheme documents, protection profiles and certificates.
Brightsight supports the role of ENISA in strengthening the EUCC and other EU cybersecurity developments wherever possible.
EU Common Criteria Information Sharing and Analysis Centre (EUCC ISAC)
Organizes harmonization of practices by aligning certification methodologies and interpretations across Europe.
Brightsight is represented in:
- Joint Harmonization and Assurance Scheme (JHAS)
- International Security Certification Initiative (ISCI)
- Joint Interpretation and Evaluation Scheme (JEDS)
EUCC scope
Brightsight operates under all technical domains defined by the EUCC. These are:
- generic software and network products
- hardware devices with security boxes
- smartcard and similar devices
Products
This translates to any product on any assurance assessment level, such as integrated circuits (IC), system-on-chip (SoC), microcontrollers, JavaCards, ePassport, hardware security module, digital tachograph or payment point of interaction, routers, switches and firewalls.
Recognition
Assurance levels within EUCC
- Substantial: certifications that include AVA_VAN.1 or AVA_VAN.2
- High: certifications that include AVA_VAN.3, AVA_VAN.4 or AVA_VAN.5
EUCC logo


Why EUCC certification matters
The EUCC scheme provides a unified framework for cybersecurity certification, ensuring that a single certificate is recognized throughout the EU. This harmonization simplifies the certification process, reduces costs, and accelerates market access for technology providers.
Brightsight support
Our EUCC services
Leveraging our extensive experience and expertise gained from the Common Criteria security evaluations, we have developed a comprehensive, step-by-step approach to guide you through each stage of the EUCC assessment and certification process.
We are ready to assist you with a full range of services, from training to pre-assessment and security evaluation, enabling you to fast-track your time to market.
Pre-evaluation
Risk mitigation by early pre-assessment to help you efficiently prepare for the formal security evaluation.
Security evaluation
Compliance assessment of security requirements, offered with smart re-use, where possible.
Post-evaluation
Includes alignment and assessment of the Impact Assessment Report.
Certification
Review of the assessment results to certify products.
Levels substantial and high (available by the end of November 2025)
Post-certification
Certificate maintenance services.
Training
EUCC introduction: explains the context, processes and implementation.
EUCC successor of SOGIS: highlights the differences between EUCC and SOGIS/CCRA.
EUCC tailored training: the session is dedicated to discussing the specific implications for your organization and products.
Professional advisory
Document creation support or Security Target writing.
Developer support activities.
Why choose Brightsight as your security laboratory
With Brightsight, you gain more than an evaluation lab—you secure a reliable partner who helps you navigate regulatory changes, anticipate compliance challenges, and achieve certification with confidence.
Leading Common Criteria lab
With more than 40 years of experience in Common Criteria, we are the leading security evaluation service provider with over 700 security evaluations completed every year.
For the last five years, Brightsight has been recognized as the leading Common Criteria laboratory, earning first place with the highest score of 71 evaluated products in 2025, as published in the “Global CC Statistics at the start of the EUCC era” report presented by jtsec at the ICCC in Songdo, Korea, in October 2025.
All under one roof
What makes Brightsight different is that we offer both independent lab and certification services for the EUCC scheme. These are integrated for your convenience to be able to offer seamless collaboration between CB and ITSEF.
In May 2025, Brightsight was authorized by the Dutch NCCA as a Conformity Assessment Body (CAB) in the role of ITSEF at the assurance levels substantial and high. The authorization as a Certification Body (CB) will follow at the end of November 2025. These two roles operate impartially and independently, fully in line with the requirements of the EUCC Implementation Regulations (ISO 17065 and ISO 17025). Go to our CB services for more information.
Facts and figures
Brightsight stands out as the preferred partner for organisations pursuing EUCC certification. As one of the largest and most experienced laboratories in the field, Brightsight offers unparalleled capacity to handle diverse projects, ensuring that your certification process does not face unnecessary delays. Its labs are strategically located in Europe, North America and Asia, each accredited by relevant National Cybersecurity Certification Authorities (NCCAs) to streamline the evaluation process and offer flexibility tailored to your business needs.
40+
years of experience in Common Criteria
11
locations worldwide
700+
completed security evaluations every year
250+
evaluators
55+
testing setups in:
- Side Channel Analysis
- Perturbation Attacks
- Reverse Engineering & Physical Attacks
- IT Vulnerability Analysis
71
evaluated Common Criteria products in 2025 (highest number)
50+
scheme recognitions