Europe closes the chapter on SOGIS

02.03.2026 02:18 PM
After almost three decades at the core of European IT security certification, the SOGIS Mutual Recognition Agreement (MRA) has reached the end of its operational life, formally giving way to the EU Cybersecurity Certification Scheme on Common Criteria (EUCC). The transition marks not just a regulatory shift, but the conclusion of a formative era in how Europe built trust in secure digital products.

How SOGIS began

The roots of SOGIS go back to the early 1990s, when European governments recognized the need for a common approach to evaluating the security of information systems. The Senior Officials Group – Information Systems Security (SOGIS) was established in response to EU Council Decision 92/242/EEC and the 1995 Council Recommendation on common IT security evaluation criteria, aiming to harmonize national certification practices across Europe. The SOGIS MRA was approved in 1997, and two years later, SOGIS effectively began operating, enabling participating states to mutually recognize Common Criteria (ISO/IEC 15408) certificates issued by trusted national schemes. 

Over time, SOGIS became particularly influential in high-assurance domains such as smartcards, secure elements, and hardware devices with security boxes, where recognition beyond the baseline CCRA levels was essential.

Participating schemes and authorities

Unlike a single centralized scheme, SOGIS functioned as an agreement between national authorities. Participants included certification bodies and government agencies from across the EU and EFTA, among them:

  • Germany (BSI)
  • France (ANSSI)
  • The Netherlands (NSCIB)
  • Spain (CCN)
  • Italy (OCSI)
  • Norway (SERTIT)
  • Sweden (FMV)
  • United Kingdom (NCSC)
  • and others including Austria, Belgium, Denmark, Finland, Estonia, Poland, and Slovakia. 

Through SOGIS, these schemes coordinated technical interpretations, protection profiles, and evaluation methodologies—most notably via the Joint Interpretation Working Group (JIWG)—creating a uniquely European layer of trust above the global CCRA framework. 

NSCIB: The Dutch contribution

Within this ecosystem, the Netherlands Scheme for Certification in the Area of IT Security (NSCIB) played a prominent role. Established in 2004 to implement Common Criteria certification at national level, NSCIB operated under the oversight of the Dutch government.

From its inception, NSCIB issued Common Criteria certificates that were internationally recognized under both the CCRA and the SOGIS MRA, covering general IT products up to the Evaluation Assurance Level 4 (EAL4) and, under SOGIS, high-assurance hardware domains up to EAL7.

Brightsight’s role under NSCIB

A significant share of NSCIB certifications were supported by licensed IT Security Evaluation Facilities (ITSEFs) such as Brightsight, one of the most consistently involved evaluation laboratories, particularly in the Netherlands. In fact, until 2017, Brightsight was the only lab!

We asked Olaf Tettero, COO EUNA at Brightsight, who was involved in setting up the NSCIB scheme together with the Dutch authorities, to tell us how it all started. Back then, Brightsight was operating as the Dutch CC evaluation laboratory, focused on high-assurance IT and hardware security testing. While the lab existed long before the Brightsight brand, it later adopted the name Brightsight as it expanded from a national Dutch lab into an international network of evaluation laboratories.

Olaf Tettero, COO EUNA at Brightsight

Brightsight, the CC pioneer and NSCIB co-founder

Probably not many people know that Brightsight is older than Common Criteria and NSCIB. It all started very small in 1984 – this is the year when Brightsight started under TNO (an independent Dutch research organization that focuses on applied research, bridging science, industry, and government) in the Netherlands as an independent technical evaluation lab, which is before NSCIB, and even well before Common Criteria became the predominant international framework. And we just wanted to make a meaningful contribution.

By the 1990s, our Dutch lab—based in Delft—was already active in government grade security evaluations, which positioned us naturally to become one of the core technical contributors when European and international certification frameworks (CCRA and later SOGIS) matured. The lab became particularly influential in SOGIS technical domains, including:

  • Smartcards and similar devices
  • Hardware devices with security boxes

These domains required deep hardware attack expertise and coordinated European interpretations—areas where our Dutch lab became a long‑standing contributor to Joint Interpretation Library (JIL) work and SOGIS technical practice. Hence, our technical knowledge and input allowed us to play a foundational role in setting up the NSCIB scheme.

In 2001-2002, we started setting up a certification scheme. This was initially between the Netherlands National Communications Security Agency (NLNCSA, at that time Ministry of Foreign Affairs) and TNO-ITSEF (later renamed to Brightsight); and at a later period broadened with TNO-Certification. NSCIB started with TNO-Certification as the single commercial certification body, later taken over by TÜV Rheinland, and after that by TrustCB. It was the Dutch government policy to have a commercial CB in the Netherlands.

Between 2003 and 2020, Brightsight obtained Common Criteria accreditation from BSI, NSCIB, SERTIT, and CCN, becoming the number one CC lab—the only evaluation laboratory worldwide recognized by four* governmental CC schemes simultaneously. Moreover, for the last five years, we have been recognized as the leading CC lab**, earning the first place with the highest score of 71 evaluated products in 2025. We are proud to uphold our outstanding position for so long.

The number one Common Criteria lab
*Schemes accreditation: 
  • 2003: BSI (DE)
  • 2004: NSCIB (NL)
  • 2018: SERTIT (NO)
  • 2020: CCN (ES)
**The leading CC lab:
Reference: 2025 CC Statistics Report “Global CC Statistics at the Start of the EUCC Era”, ICCC conference 2025, Korea, session by jtsec presented by Jose Pulido.

Brightsight institutional continuity

  • 1984: Brightsight establishment as Dutch evaluation lab (TNO-ITSEF)
  • 1993: CC standardisation committee participation
  • 2000: First CC evaluations for the Dutch government
  • 2004: First certificate under NSCIB, issued by TNO-Certification
  • 2025: EUCC ITSEF
  • 2025: EUCC Certification Body (CB)

The volume of certificates issued by NSCIB

Brightsight secured the very first NSCIB certificate in 2004. The first certified product was a host security module (HSM). And the second one we evaluated was a dual interface integrated circuit (IC) with antenna and an embedded smartcard OS. Going from 50 certificates between 2004 and 2017, the number of certificates secured by us started growing tremendously from 2018 (four times more in one year), ending with 71 evaluated products in 2025.

But it’s not about the volume. It’s about the values Brightsight stands for. We think from our client’s perspective. Under NSCIB, we implemented several innovations such as shortening time-to-market while keeping complete and correct compliance with CC. For example, we initiated the scheme involvement through their certifiers in the evaluation and certification process (also known as evaluation meetings). That is, the presentations (evaluation meetings) between the certifier and the lab, delivering a strong collection of developer’s evidence. Our clients appreciate the lab’s predictability, the attention we pay to security rather than the process, the feedback on their input, and our “can do” mentality—something that is common practice now, but in the early years, no other lab was doing that.

From SOGIS to EUCC

With the EU Cybersecurity Act and the launch of EU-wide schemes, SOGIS was never intended to be permanent. As of 27 February 2025, NSCIB stopped accepting new Common Criteria certification applications, with products transitioning to the EUCC scheme instead. The closing of the SOGIS chapter marks the end of a cooperative model that shaped European high assurance certification for more than 20 years. Its legacy, however, lives on—in the technical foundations, evaluation practices, and institutional expertise now embedded in EUCC.