Introducing EUCC: a new certificate to boost cybersecurity in Europe
How can Europe’s tech firms prove their products meet the highest cybersecurity standards? They can apply for an EUCC certificate. This new scheme will make ICT products more cyber resilient than ever. In fact, the first certificates have already been awarded…
Every year, the scale of cybercrime reaches new levels. This year, . And every region is affected. In Europe for example, in the six months to April 2024, across 556 incidents.
Regulators know the best way to respond is with unity. Stakeholders must coordinate their actions, adopt the highest technical standards and share information.
This is certainly the approach of lawmakers in the European Union.
In 2019, the EU introduced a new to harmonise member states’ fight against the threat. The Act reinforced the mandate of the (ENISA), which was formed in 2005 to build a high common level of cybersecurity across Europe. In 2019, ENISA became a permanent EU body and was assigned a central role in developing cybersecurity certification schemes. Its remit is to:
• Implement EU policy
• Assist security incident response teams
• Collect information on emerging technologies, cyber threats and incidents
• Raise public awareness of cybersecurity risks
• Promote good practice
• Help the EU to cooperate with international partners
In addition to the above aims, ENISA also applied itself to the certification process for cybersecurity-related products across the EU.
EUCC: one certification scheme for all EU countries
When ENISA was formed, the certification landscape was a patchwork of fragmented national schemes, each with its own guidelines and processes. ENISA wanted to create a harmonised approach – a single market for ICT products, services and processes.
The result was the (EUCC). This voluntary scheme applies to information and communications technology (ICT) products such as technological components (chips, smartcards), hardware and software. It introduces a certificate to show that stakeholders have followed .
The EUCC relies on the framework, which 17 EU Member States already use. EUCC will replace SOG-IS (which was an agreement between national schemes) following a transition period ending in January 2026.
ENISA developed the scheme with the support of an Ad Hoc Working Group composed of cybersecurity specialists including Thales. It went live on February 27, 2025. Shortly after, ENISA unveiled the and testing labs.
Six weeks after the EUCC officially launched, the French National Cybersecurity Agency (ANSSI) issued the scheme’s first two certificates, one for a Thales product: its .
EUCC certification in action: the Thales Tachograph G2 smart card
By receiving the first ever EUCC certificate, Thales kickstarted a new era for cybersecurity assurance in Europe. The Smart Tachograph G2 is fitted in trucks to record driving time, speed, distance, and driver activities. It’s like an electronic logbook regulators can use to make sure professional drivers get enough rest and breaks.
Digital tachographs are configured to comply with EU rules that prevent driver fatigue, boost road safety and ensure fair competition between transport firms. They are currently fitted in six million trucks and buses.
Over the years, the technology underpinning the tachograph has improved. The EU mandated a digital version in 2006, and then a smart upgrade in 2019. A second version arrived in 2023. These support real-time tracking, link to satellites, and ramp up security.
Today’s systems comprise four smart cards:
• A driver card to store driving activity over four weeks
• A card for the fleet management company
• A card for the firm that installs the motion sensors
• A card for the authorities performing checks
Since tachographs can be vulnerable to cyber-attack, they fall within the scope of the EUCC and must attain the highest level of security assurance.
While the EUCC assessment process is harmonised across the EU, the participating bodies differ by country. In the case of France, the hierarchy is as follows. The National Certification Centre of the (ANSSI) issues EUCC certificates on behalf of ENISA.
Certificates are valid for five years, subject to maintenance and surveillance conditions.
Thales’ commitment to EUCC certification reflects its leading role in digital security. The need for harmonised certification is even greater now that EU governments are migrating to digital processes. Citizens must be able to prove their identities and access their data safely – at home and as they travel. Thales has emerged as a key player in delivering secure digital identities. It has developed a range of innovations to secure the identities of people and things – and to protect data and processes from emerging threats.
Christine Crippa Martinez, Senior Cyber Security Manager at Thales, says: “EUCC certification marks the culmination of our commitment to cybersecurity standards in Europe – from our experience with SOG-IS to our contribution to the scheme’s definition within the ENISA ad-hoc group and now, being among the first to be certified by ANSSI. For Thales, EUCC certification represents a major technical recognition, which will make a meaningful contribution to Europe’s digital sovereignty.”
• The scheme uses the Common Criteria (ISO/IEC 15408) and the Common Evaluation Methodology (ISO/IEC 18045) for evaluations.
• Certification bodies issue EUCC certificates at two assurance levels: ‘substantial’ and ‘high’.
• In most cases, ICT products are certified against security targets standardizing the key assets and threats to be considered in the scope of the certification.
• Applicants cannot use self-assessment to conform to the EUCC scheme.
• Applicants must provide comprehensive documentation.
• Certification bodies issue certificates if all conditions are met.
• National cybersecurity certification schemes must align with the EUCC.
• Certificates are valid for up to five years, are reviewed periodically, and can be withdrawn if the certified product no longer meets the required standards.