EUCC and the CRA: the certification route to conformity

The Cyber Resilience Act gives manufacturers three routes to a presumption of conformity with its Annex I requirements. Two run through standards. The third can run through certification once the Commission recognises a usable European cybersecurity certification scheme. This page explains that route, where the European Common Criteria-based cybersecurity certification scheme (EUCC) fits as the live scheme, and what is and is not yet in force.

Summary

  • Certification can be the CRA's third route to presumption of conformity. It sits alongside harmonised standards and common specifications.
  • The route runs through a European cybersecurity certification scheme adopted under the Cybersecurity Act, Regulation (EU) 2019/881. EUCC is the live scheme.
  • A certificate would count only as far as it covers the requirements. It would give presumption of conformity for the Annex I requirements the certificate covers, not automatically for all of them.
  • A "substantial" certificate would remove third-party assessment for the covered requirements, but only once the delegated act that switches the route on is in force.
  • It matters most for the critical products in Annex IV, where the Commission can make a certificate mandatory.
  • It is not switched on yet. As of 15 June 2026, no act recognises usable schemes or makes a certificate mandatory. EUCC does not yet replace the CRA conformity route or remove third-party assessment.
  • 3 routes to presumption of conformity: certification is the third, once recognised.
  • "substantial": the minimum assurance level for the waiver; it removes third-party assessment once in force.
  • 0 acts that switch it on: none adopted yet.
  • Annex IV: where certification can be made mandatory, for the critical product categories.

What an EUCC certificate is, and its assurance levels

EUCC is the European Common Criteria-based cybersecurity certification scheme. ENISA prepared it, and the Commission adopted it as Commission Implementing Regulation (EU) 2024/482 of 31 January 2024. It has applied since 27 February 2025. It is the first scheme adopted under the Cybersecurity Act. It builds on Common Criteria, the long-standing international standard for evaluating the security of IT products, published as ISO/IEC 15408.

The scheme is already live. Certification bodies have issued EUCC certificates since April 2025, and the ENISA official certificate registry listed 37 of them as of 15 June 2026. None yet carries CRA presumption of conformity: they show the scheme works, not that a certificate already meets the CRA.

Many of the certificates issued so far are secure chips, smartcards and similar hardware, which overlap with the CRA's hardware-heavy critical categories. Not all do: network and software products are certified too, and those sit in the CRA's general scope rather than its critical list.

EUCC issues certificates at two assurance levels, "substantial" and "high". The two differ in how hard the product is tested. EUCC measures that on Common Criteria's vulnerability-assessment scale, written AVA_VAN, which runs from 1 to 5. The higher the number, the more thorough the independent testing of how the product withstands attack.

EUCC level | AVA_VAN | Depth of testing | CRA effect
--- | --- | --- | ---
substantial (lower of the two) | AVA_VAN 1 to 2, out of 5 | Independent vulnerability testing to a standard depth. | Would meet the waiver threshold.
high (higher of the two) | AVA_VAN 3 to 5, out of 5 | Deeper analysis, tested against attackers with significant skills and resources. | Would exceed the threshold.

The CRA attaches its third-party-assessment waiver at "substantial" or above, so both EUCC levels would qualify once that waiver is in force.

Certification can be the CRA's third route to presumption of conformity

A presumption of conformity is a recognised shortcut. Meet one of the routes, and an authority presumes your product meets the requirements that route covers. The Cyber Resilience Act gives three possible routes, and certification is the third once it is recognised for CRA use.

The three routes, and where each stands today:

Route | What it relies on | CRA status today
--- | --- | ---
Harmonised standards | a standard whose reference is published in the Official Journal | no standard published
Common specifications | Commission implementing acts | none adopted
Certification scheme | an EU statement of conformity or certificate under a recognised scheme | no scheme recognised for CRA use

The first two run through standards, and the harmonised standards tracker follows them in detail. The third runs through certification. Once that route is operational, a product holding an EU statement of conformity or a certificate under a European cybersecurity certification scheme can be presumed to conform. That presumption reaches only the requirements covered by the statement or certificate, not the whole of Annex I. The scheme has to be one adopted under the Cybersecurity Act, Regulation (EU) 2019/881.

How EUCC certification is obtained

EUCC is not a self-declaration. A manufacturer or vendor works with a certification body, and the evaluation is carried out by an accredited laboratory. It is also a material investment: a full evaluation through a certification body typically runs into six figures, which is part of why most teams sequence it after the Annex I evidence. For the "high" assurance level, EUCC adds authorisation requirements for the certification body and the laboratory.

Some of the evidence you build for the CRA overlaps with what an evaluation needs: a risk assessment, vulnerability-handling procedures, and technical documentation. EUCC asks for more on top, including a security target, the document that sets out exactly which product, configuration and security functions are evaluated, plus the detailed design and testing evidence Common Criteria requires for the chosen assurance level.

An EUCC certificate is not a one-off sign-off. A certification body sets its validity for up to five years, and while it is valid the holder has ongoing duties:

  • Vulnerability handling: run vulnerability management and disclosure procedures.
  • Impact analysis: assess the impact of new vulnerabilities as they surface.
  • Assurance continuity: keep the product's assurance current through patching and re-assessment.

Much of that overlaps with the CRA's vulnerability-handling duties.

That process is separate from the CRA route. It can prepare useful evidence, but it does not create CRA legal effect until the Commission recognises the scheme.

How EUCC and the CRA fit together

The CRA and EUCC are different kinds of instrument, and they are easy to confuse. The CRA is a binding regulation: the law a product has to meet. EUCC is a voluntary certification scheme: one way to show a product meets part of it.

 | Cyber Resilience Act | EUCC
--- | --- | ---
Nature | binding EU regulation | voluntary certification scheme
Legal basis | Regulation (EU) 2024/2847 | Cybersecurity Act (Regulation (EU) 2019/881), scheme in Regulation (EU) 2024/482
Applies to | all products with digital elements on the EU market | ICT products evaluated against Common Criteria
Risk grading | default, important, critical | assurance levels "substantial" and "high"
Enforcement | mandatory, with penalties | voluntary, unless the CRA makes it mandatory for a critical category

The two overlap where it counts. EUCC looks at a product's security functions and at how its maker handles vulnerabilities. Much of that lines up with the CRA's essential requirements. ENISA has published an EUCC-CRA mapping study to test how EUCC certification could support CRA conformity. That work is technical groundwork, not automatic legal effect.

What a "substantial" certificate would waive

One further piece of the law would give a certificate real weight under the CRA, and it is not yet in force. Once the Commission acts on it, it does two things:

  • Recognises the schemes: by delegated act, the Commission specifies which certification schemes can demonstrate conformity. Until that act names a scheme, none is formally recognised for CRA conformity.
  • Waives third-party assessment: a certificate at assurance level at least "substantial" would remove the obligation to run a third-party conformity assessment for the requirements it covers. That maps onto the Module B+C and Module H routes a notified body would otherwise run.

The conformity assessment guide explains those modules.

Critical products: when certification can be made mandatory

For most products, certification is optional. For the critical product categories, it can become mandatory.

The Commission can require those products to hold a European cybersecurity certificate at assurance level at least "substantial". It must do that by delegated act, and only once a scheme covering the category has been adopted and is available to manufacturers. The critical categories in Annex IV are:

  • Hardware devices with security boxes
  • Smart meter gateways and other devices for advanced security purposes, including secure cryptoprocessing
  • Smartcards or similar devices, including secure elements

EUCC is the live scheme most relevant to that hardware-heavy list.

Until the Commission adopts such an act, these products are not required to certify. They follow the standard conformity-assessment procedures instead, the same third-party routes other regulated products use. The product classification guide shows where a product falls.

Current status: certification is not yet switched on for the CRA

Status, as of 15 June 2026: the certification route exists in the CRA, but it is not yet operational. The Commission has not adopted the delegated act that would recognise the schemes able to demonstrate CRA conformity, nor one making a certificate mandatory for any critical product category. An EUCC certificate is therefore valuable preparation, not a present-day CRA shortcut. It does not yet remove any third-party assessment.

There is no deadline for switching this route on. The Regulation lets the Commission act but does not require it by any date, and no act is adopted. The Cyber Resilience Act's own obligations apply from 11 December 2027 whether or not the route is live, and if a future act ever makes certification mandatory for a critical category, it has to allow at least a six-month transition first.

The Commission has adopted other CRA acts in the meantime, which is why the gap is easy to misread:

Act | Date | What it does | Touches certification?
--- | --- | --- | ---
Commission Delegated Regulation (EU) 2025/1535 | 29 July 2025 | excludes certain Regulation (EU) No 168/2013 vehicles from the CRA's scope | no
Commission Implementing Regulation (EU) 2025/2392 | 28 November 2025 | sets the technical descriptions of the important and critical product categories | no
Commission Delegated Regulation (EU) 2026/881 | 11 December 2025, published 20 April 2026 | sets conditions for delaying dissemination of certain vulnerability and incident notifications | no

ENISA has done the groundwork. Its report, Cyber Resilience Act Implementation via EUCC and Its Applicable Technical Elements, sets out how EUCC could carry the CRA's requirements. It also describes the technical mapping that would be needed. It is a proposal and a toolkit, not a switch. The legal effect still waits on the delegated act the Commission has not adopted.

Our take: pursue EUCC now, or wait?

The sections above are the regulatory position. The two boxes below are our reading as practitioners. They are opinion, not legal advice, and not a statement of what the Regulation requires.

Our take: for most teams, build Annex I evidence first

An EUCC certificate is not the fastest CRA path today. The delegated act that would give it CRA effect is not adopted. For most manufacturers, the higher-value work is the Annex I evidence every route needs anyway: a risk assessment, an SBOM, vulnerability handling, and technical documentation. Certification can sit on top of that later. Three cases change the calculation: you are in a critical category likely to face a future mandate; you already hold or are pursuing Common Criteria certificates; or your buyers ask for one. In those cases, starting now is reasonable.

Our take: why the missing delegated act is the whole story

The waiver everyone wants depends on a delegated act the Commission has not adopted. We read it as unavailable until that act lands, because the law ties the waiver to it. If someone tells you an EUCC certificate already removes CRA assessment, they are missing that condition, and we would not plan a conformity route on that basis. Of the three routes, we think certification is the most concrete piece of infrastructure under construction, and the EUCC bridge is the part to watch: at the 2026 EU cybersecurity certification conference the Commission signalled it aims to specify how the EUCC supports CRA conformity by the end of 2026. Treat that as a target, not a commitment: no act is adopted, and the date can move.

Frequently asked questions

Does an EUCC certificate already give CRA presumption of conformity?

Not for EUCC today. The certification route exists in the CRA, but the Commission still has to specify which schemes count for CRA conformity. That act is not adopted. An EUCC certificate can be strong preparation, but it does not yet stand in for the CRA conformity route.

What is the difference between the CRA and EUCC?

The CRA is a binding EU regulation that applies to every product with digital elements. EUCC is a voluntary certification scheme based on Common Criteria. You have to meet the CRA; getting an EUCC certificate is a choice. The two connect because a certificate can serve as one route to showing CRA conformity. That only works for the requirements it covers, and only once the scheme is formally recognised. That has not happened yet.

Is EUCC certification mandatory under the CRA?

Not at the moment. Certification is optional for most products. For the critical categories in Annex IV, the Commission can make a certificate mandatory by delegated act. It can only do that where a scheme covering that category is adopted and available. No such act exists yet, so no product is required to certify. Those products follow the standard third-party assessment routes until that changes.

What assurance level does the CRA need?

For the future waiver, at least "substantial". EUCC issues certificates at "substantial" and "high", so a "high" certificate would also qualify. The waiver itself still depends on the delegated act being in force, which it is not.

How is the certification route different from harmonised standards?

They are two routes to the same presumption. A harmonised standard works once its reference is published in the Official Journal. For an important Class I product, a published standard can unlock self-assessment. A certificate works once a scheme is recognised. At "substantial", it would waive third-party assessment for the requirements it covers. Today neither is fully operational for the CRA: no harmonised standard is published, and no certification scheme is recognised.

Does an EUCC certificate cover the Annex I Part II vulnerability-handling requirements?

It depends on the certificate's scope, and you cannot assume it does. The presumption reaches only the requirements a certificate actually covers. Annex I has two parts: product security properties and vulnerability-handling process requirements. A certificate scoped to product properties may not address the ongoing process duties. Check the covered requirements before relying on it.

If I get an EUCC certificate now, will it count toward the CRA once the route is switched on?

Not automatically. The act that would recognise schemes for CRA conformity is not adopted, and the law anticipates extra conditions for certificates issued before the route switches on. A certificate you hold now is strong preparation and evidence for the requirements it covers, but whether it carries CRA presumption later, and for which requirements, will depend on that act and on your certificate's scope. Treat it as a head start, not a guaranteed shortcut.

Have any EUCC certificates been issued, and where can I see them?

Yes. Certification bodies have issued EUCC certificates since April 2025, and ENISA publishes the official, filterable list. They prove the scheme is live, but they do not yet carry CRA presumption of conformity: that still waits on the delegated act.

What to do about the certification route now

  1. Confirm your tier in product classification, because that decides whether a certificate could ever be required for your product.
  2. If you are in a critical category, plan for a possible future mandate and treat EUCC as the likely scheme for that hardware.
  3. Build the Annex I evidence every route needs anyway: a risk assessment, an SBOM, vulnerability handling, and the technical documentation.
  4. Pick your conformity route from the assessment modules, and do not assume a certificate will waive it until the delegated act is in force.
  5. Watch for the delegated act that would switch the route on, which is the moment a certificate gains CRA effect.