CC - discovered, explained

Common Criteria

Common Criteria (CC) is a state-run certification scheme; in Germany, the Federal Office for Information Security (BSI) acts as the certification body. Under the Arrangement on the Recognition of Common Criteria Certificates (CCRA), the certificates are recognised in 31 countries.

What are the Common Criteria?

The Common Criteria provide a methodology and a catalogue of security functional requirements (SFRs) and security assurance requirements (SARs), which are used to describe the functionality and the assurance of the product under evaluation. Assurance is expressed in seven levels, Evaluation Assurance Level (EAL) 1 to 7, which reflect, among other things, resistance to different attacker capabilities and the corresponding test depth. This also makes certifications comparable across the different schemes.

In 2024, the EU and ENISA adopted the Common Criteria at European level as the EUCC, a cybersecurity certification scheme under the Cybersecurity Act (CSA).

Functionality & trustworthiness

Common Criteria: Evaluation for successful certifications

Professionally tested

TÜVIT is one of the world's leading testing service providers for Common Criteria (CC) and is authorised to carry out tests according to a total of 5 different country schemes. With our 60 licensed testers, we have successfully completed over 700 evaluation projects according to CC (from EAL1 to EAL7). We have been supporting customers in the evaluation of IT components, products and systems since 1991, enabling us to offer you the best evaluation approach in each case.

Expertise and experience since 1991

TÜVIT has been recognised by the German Federal Office for Information Security (BSI) as a test centre for security evaluations in accordance with the international Common Criteria standard (ISO 15408) since 1991. In addition, the TÜVIT security experts develop protection profiles on behalf of the BSI and other interest groups, e.g. in the areas of biometric systems, eHealth, database management systems and smart metering.

In addition to CC certification in Germany by the BSI, TÜVIT also offers the option of completing CC certification in Japan (JISEC), Singapore (SCCS), Qatar (QCCS) or the Netherlands (NSCIB).

Officially recognised

Certificates of recognition

The most important facts summarised

Common Criteria – Services & Topics

Our services at a glance

  • CC evaluations of IT components and products at all evaluation levels (from EAL1 to EAL7)
  • Site certifications
  • Development and evaluation of protection profiles
  • Support in the creation of security specifications and manufacturer documents
  • Workshops on the security criteria and the scope of the evaluation (scoping)
  • Discussion of possible evaluation procedures
  • Training on criteria or threats, among other things

Our testing center covers the following subject areas

  • Operating systems
  • Payment systems (smart card components), software and hardware evaluations
  • Database systems
  • Sovereign applications (e.g. passport, ID card, eHealth)
  • Communication systems
  • Mobile systems, e.g. smartphones
  • Network devices (e.g. firewalls, VPN solutions, routers)
  • Security controllers
  • Security modules
  • Signature cards, terminals and applications
  • Smart card operating systems
  • Smart meter gateways (with conformity test for TR-03109)
  • Terminals (healthcare and payment)
  • Composite systems, e.g. hardware platforms, operating systems and applications

We will support you – no matter what

Get started at last!

We advise you


TÜV NORD IT Secure Communication | Berlin

Goal achieved?

We check it


TÜV Information Technology | Essen

Your benefits at a glance:

Experience & Experts

We have many years of experience in globally recognised testing of security-critical IT products and systems. Our experts offer the best evaluation approach - in English, Spanish, Chinese and Japanese, among others.

Workshop

Unique workshop concept for identifying and achieving business goals.

Test depth

Evaluation of hardware and software products according to the AVA_VAN.5 test module, the highest test depth.

Minimised security risks

Evaluations and certifications help to minimise security risks.

Proof of security

With our Common Criteria evaluations, you can prove the necessary security properties of your IT products and systems.

Recognised standard

An evaluation according to Common Criteria brings you international advantages, as the standard is recognised worldwide.

Project examples

We have successfully completed over 600 CC evaluation projects (from EAL1 to EAL7):

Microsoft Corporation, USA

  • SQL Server (EAL4+)
  • Exchange Server (EAL4+)

SAP AG, Germany

  • NetWeaver (EAL4+)
  • ABAP Application Server (EAL4+)

Focus on Europe

European Union Common Criteria (EUCC)

Secure IT projects in Europe

EUCC stands for "European Union Common Criteria" and refers to a framework for assessing and certifying the security of IT products. The EUCC is part of the European Union's efforts to create uniform security standards for IT products used within the EU. This should help to increase confidence in the security of IT products and improve interoperability between different systems. EUCC certification can be beneficial for manufacturers of IT products as it facilitates access to markets within the EU and increases customer confidence in the security of their products.