In our day-to-day consulting work, we are often asked whether a certain product group requires a European cyber security certificate or not.
The answer has to be approached from several directions.
1) CRA - critical products
The CRA binds the placing on the market of critical products with digital elements to successful certification (EUCC). These three critical product categories are defined in Annex IV (in German): Hardware devices with security boxes, smart meter gateways in intelligent metering systems and smart cards.
A little more patience: By December 11, 2025, the Commission will adopt an implementing act in which it will define the technical description of the categories of products with digital elements in accordance with Annex IV.
→ Update: The announced Commission Implementing Regulation (EU) 2025/2392 was published in the Official Journal on December 1, 2025.
The Commission is also empowered to add or remove categories of critical products with digital elements, including after the aforementioned implementing act has been adopted.
2) NIS 2 Directive - cybersecurity risk management
The NIS 2 Directive designates sectors for essential and important entities (e.g. energy, transport, banking) which, among other things, must take cybersecurity risk management measures. One consequence of this risk management may be that only ICT products with a high-assurance conformity assessment under the CRA are used. It is therefore possible that the customers (essential and important entities) of ICT product manufacturers will demand European cybersecurity certificates. Informally, the conformity assessment procedures can be ranked from highest to lowest assurance as follows:
- European Cybersecurity Certificate according to EUCC
- Involvement of a Notified Body + EU Declaration of Conformity
- EU Declaration of Conformity, with an OJEU-listed harmonised standard
- EU Declaration of Conformity, without an OJEU-listed harmonised standard
3) National legal ordinances for the definition of "critical components"
The Federal Government's draft law on the implementation of the NIS 2 Directive is referred to below as E-NIS2UmsuCG**.
Status: On November 13, 2025, the Bundestag passed (in German) the Cybersecurity Act NIS2UmsuCG**, which is intended to implement the requirements of the European Network and Information Security Directive (NIS 2). The next step is for the Federal Council (Bundesrat) to act.
"Critical components" are classified as such in a separate ordinance. Such an ordinance (in German) is not issued by the Bundestag as the legislature but by the executive, in this case the Federal Ministry of the Interior. The prerequisite for such an ordinance (statutory instrument) is a statutory authorisation pursuant to Section 56 (7) and (8) E-NIS2UmsuCG**.
The ordinance may designate a component as a critical component if:
1. the component is an ICT product,
2. the component is used in critical installations,
3. the component performs a critical function and
4. a disruption of the availability, integrity, authenticity or confidentiality of the component could lead to an impairment of the functionality of critical systems or to other impairments of public order or security.
The conformity assessment procedure for critical components is the European Cybersecurity Certificate according to EUCC.
Summary
There are therefore three directions from which the need for a cybersecurity certificate in accordance with the EUCC can arise.
EUCC: The European Cybersecurity Certification Scheme based on the Common Criteria
In the context of the EUCC, there is the ISO/IEC 17025-accredited testing laboratory (ITSEF) on the one hand and the ISO/IEC 17065-accredited certification body (CB) on the other. The specific vulnerability analysis methods and penetration tests (e.g. "denial of service", "code injection") that fall within the ITSEF's area of competence must be indicated for each technology type covered by that competence (e.g. hardware architectures (S1), databases (S6), network protocols (N1) and intrusion detection (N9)). In addition to the general vulnerability analysis methods and penetration tests, there are specialised attack techniques that laboratory staff need to master; for smart cards, for example, this includes side-channel attacks. [Source: ENISA]
Do you have any questions about the content of this article or other cybersecurity topics? We will be happy to provide you with more support. Simply send us an e-mail with your question or use our contact form.
Author's note
This article has been machine translated into English.
DEFINITIONS AND ABBREVIATIONS
ITSEF: Information Technology Security Evaluation Facility, see Accreditation of ITSEFs for the EUCC.
CRA: Regulation (EU) 2024/2847 [Cyber Resilience Act (CRA)] (in German)
NIS2: Directive (EU) 2022/2555 [NIS-2 Directive] (in German)
EUCC: The European Cybersecurity Certification Scheme based on the Common Criteria
E-NIS2UmsuCG**: "Draft Act on the Implementation of the NIS 2 Directive and on the Regulation of Essential Principles of Information Security Management in the Federal Administration" (consideration of BT printed paper 21/1501 (in German), taking into account the amendment by the CDU/CSU and SPD parliamentary groups (committee printed paper 21(4)096, in German))
ICT: Information and communication technology