28 September - 1 October | Cardo Roma, Italy

Common Criteria Certification—Looking at Technical and Legal Requirements and Sustainability (C22b)

Examine the technical, legal, and sustainability factors shaping Common Criteria certification.
30 Sep 2026
2:00 pm

Common Criteria (CC) certification (under the EUCC scheme) has been made mandatory by several national legislations, especially for identity documents, critical infrastructure and national security interests. EU legislation is now poised not only to introduce harmonised certification within the bloc, but also to create areas where EUCC certification could become mandatory, either formally or de facto. The Cyber Resilience Act (CRA) and the NIS 2 Directive both contain several provisions in which certification plays a pivotal role.

The talk will show the key areas where the current legal framework creates opportunities to further CC certification (e.g. Articles 8 and 27 of the CRA; Article 24 of the NIS 2 Directive), but also highlight the challenges stakeholders face before an EUCC certificate can actually be used to demonstrate compliance with regulation. Even where an EUCC certificate can be used in this way, several challenges remain. Foremost is the updatability of the certificate, especially for Targets of Evaluation (TOEs) that undergo many updates over a relatively short period of time: software in general, and more specifically cloud-based applications and other products that are continuously integrated and deployed to customers.

The talk will focus on these cases and show, from the perspective of an EU member state's national Certification Body, how methods such as ALC_PAM (patch management) could be used to mitigate some of these challenges and keep certificates valid in the face of the legislation. Finally, the talk will explore how AI models might create an opportunity for automated testing of updated TOEs, and which parties in the certification process would need to carry what share of the risk.