From EUCC Certification to CRA Conformity: A Resilience-Oriented Path for Network Devices (A23c)
Common Criteria is not the problem: in many respects, it is already stricter than the likely CRA baseline. The real challenge is turning that rigor into regulatory evidence without restarting from zero. Based on an ENISA pilot applying EUCC to a real network product compliant with the Network Devices Protection Profile (NDcPP), this session presents concrete findings in three areas: first, how EUCC methods, artefacts, and evaluation reasoning can support the CRA-mandated risk assessment; second, where alignment may be needed between CRA security expectations, including attack-potential assumptions, and the scope of the NDcPP used in the pilot; and third, how an applicability-based technical analysis can justify a focused set of complementary tests drawn from the relevant vertical standards. The talk argues that the CRA should not be seen only as an additional compliance burden, but as an opportunity to extend EUCC evaluations in a disciplined and granular way through targeted functional or assurance packages. Properly defined, such extensions can increase the practical resilience and assurance value of certified network products, while offering a credible pathway toward a future presumption of conformity, without claiming that result prematurely.
