法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·EU law / curated by LawPlayer from EUR-Lex

Regulation

Commission Implementing Regulation (EU) 2025/2462 of 8 December 2025 amending Implementing Regulation (EU) 2024/482 as regards definitions, ICT product series certification, assurance continuity and state-of-the-art documents

CELEX
Implementing Regulation (EU) 2025/2462
Date of document
Articles
8
Source
EUR-Lex
Article 1

Implementing Regulation (EU) 2024/482 is amended as follows:

(1)

in Article 2, the following points (16), (17) and (18) are added:

‘(16)

“product series” means a set of ICT products by an applicant, built upon the same functional basis in order to address the same security needs, having a design, hardware, firmware or software which may vary from an ICT product to another;

(17)

“minor change” means any change in the certified target of evaluation or its environment that does not adversely impact the assurance expressed in the EUCC certificate;

(18)

“major change” means any change in the certified target of evaluation or its environment that may adversely impact the assurance expressed in the EUCC certificate.’;

(2)

in Article 5, the following paragraph 3 is added:

‘3.   A certification body may allow the certification of a product series.’

;

(3)

in Article 9, paragraph 2, point (a) is replaced by the following:

‘(a)

to provide the certification body and the ITSEF with all the necessary complete and correct information, and to provide additional necessary information if requested, including an English version of the security target;’;

(4)

in Article 11, paragraph 3, point (b) is replaced by the following:

‘(b)

the unique identification of the certificate, consisting of:

(1)

the name of the scheme;

(2)

the identification number, in accordance with Article 3 of Implementing Regulation (EU) 2024/3143, of the certification body that has issued the certificate;

(3)

year of issuance of the initial certificate;

(4)

identification number assigned by the certification body that has issued the certificate.’;

(5)

in Article 19, paragraph 1 is replaced by the following:

‘1.   Upon request of the holder of the certificate or for other justified reasons, the certification body may decide to review an EUCC certificate for a protection profile. The review shall be carried out in accordance with Annex IV. The certification body shall determine the extent of the review. Where necessary for the review, the certification body shall request the ITSEF to perform a re-evaluation of the certified protection profile.’

;

(6)

Article 42 is amended as follows:

(a)

in paragraph 1, the following point (i) is added:

‘(i)

the security target corresponding to each EUCC certificate;’;

(b)

paragraph 2 is replaced by the following:

‘2.   The information referred to in paragraph 1 shall be made available at least in English. For that purpose, certification bodies shall provide ENISA with the original language versions of the certification reports and security targets, and in addition they shall also provide the English version of such documents without undue delay.’

;

(7)

in Article 48, paragraph 4 is replaced by the following:

‘4.   Unless specified otherwise in Annex I or II, state-of-the-art documents shall apply to certification processes, including reassessment and re-evaluation, initiated from the date of application of the amending act by which the state-of-the-art documents have been incorporated in Annex I or II.’

;

(8)

Annex I is replaced by the text in Annex I to this Regulation;

(9)

Annex II is replaced by the text in Annex II to this Regulation;

(10)

Annex III is replaced by the text in Annex III to this Regulation;

(11)

Annex IV is amended in accordance with Annex IV to this Regulation;

(12)

Annex V is amended in accordance with Annex V to this Regulation;

(13)

Annex IX is replaced by the text in Annex VI to this Regulation.

Article 2

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union .

Schedules & Appendices

ANNEX I

ANNEX I

‘ANNEX I

State-of-the-art documents supporting technical domains and other state-of-the-art documents

1.

State-of-the-art documents supporting technical domains at AVA_VAN level 4 or 5:

(a)

the following documents related to the harmonised evaluation of technical domain “smart cards and similar devices”:

(1)

“Minimum ITSEF requirements for security evaluations of smart cards and similar devices”, version 1.1;

(2)

“Minimum Site Security Requirements”, version 2;

(3)

“Reusing evaluation results of site audits (STAR)”, version 1;

(4)

“Application of Common Criteria to integrated circuits”, version 2;

(5)

“Security Architecture requirements (ADV_ARC) for smart cards and similar devices”, version 1.1;

(6)

“Certification of ‘open’ smart card products”, version 1.1;

(7)

“Composite product evaluation for smart cards and similar devices for CC3.1”, version 2;

(8)

“Composite product evaluation and certification for CC:2022”, version 1;

(9)

“Application of Attack Potential to Smartcards and Similar Devices”, version 2;

(10)

“Security Evaluation and Certification of Qualified Electronic Signature/Seal Creation Devices”, version 1;

(11)

“ADV_SPM.1 interpretation for CC:2022 transition”, version 1.1, applicable for certification processes using protection profiles as follows:

(a)

protection profiles Security IC Platform PP with Augmentation Packages (v1.0), BSI-CC-PP-0084-2014, or Java Card System – Closed Configuration (v3.1), BSI-CC-PP-0101-V2-2020, initiated before 1 October 2026;

(b)

protection profile Java Card System – Open Configuration (v3.1), BSI-CC-PP-0099-V2-2020, initiated before 29 December 2025.

(b)

the following documents related to the harmonised evaluation of technical domain “hardware devices with security boxes”:

(1)

“Minimum ITSEF requirements for security evaluations of hardware devices with security boxes”, version 1.1;

(2)

“Minimum Site Security Requirements”, version 2;

(3)

“Reusing evaluation results of site audits (STAR)”, version 1;

(4)

“Application of Attack Potential to hardware devices with security boxes”, version 2;

(5)

“Hardware assessment in EN 419221-5 (HSM PP)”, version 1;

(6)

“JIL Tachograph MS PP Clarification”, version 1.

2.

State-of-the-art documents related to the harmonised accreditation of conformity assessment bodies:

(a)

“Accreditation of ITSEFs for the EUCC”, version 1.1 for accreditations issued before 8 July 2025;

(b)

“Accreditation of ITSEFs for the EUCC”, version 1.6c, for accreditations that are newly issued or reviewed after 8 July 2025;

(c)

“Accreditation of CBs for the EUCC”, version 1.6b.

ANNEX II

ANNEX II

‘ANNEX II

Protection profiles certified at AVA_VAN level 4 or 5

1.

For remote qualified signature and seal creation devices:

(a)

EN 419241-2:2019 – Trustworthy Systems Supporting Server Signing – Part 2: Protection Profile for QSCD for Server Signing (v0.16), ANSSI-CC-PP-2018/02-M01;

(b)

EN 419221-5:2018 – Protection profiles for Trust Service Provider Cryptographic modules – Part 5: Cryptographic Module for Trust Services (v0.15), ANSSI-CC-PP-2016/05-M01.

2.

Protection profiles that have been adopted as state-of-the-art documents:

[BLANK].

ANNEX III

ANNEX III

‘ANNEX III

Recommended protection profiles

Protection profiles used in certification of ICT products including products in the technical domains:

1.

Smartcards and similar devices:

(a)

passport:

(1)

PP Machine Readable Travel Document with ‘ICAO Application’ Basic Access Control (v1.10), BSI-CC-PP-0055-2009;

(2)

PP Machine Readable Travel Document using Standard Inspection Procedure with PACE (PACE_PP) (v1), BSI-CC-PP-0068-V2-2011-MA-01;

(3)

PP Machine Readable Travel Document with ‘ICAO Application’ Extended Access Control with PACE (v1.3), BSI-CC-PP-0056-V2-2012-MA-02;

(b)

Secure Signature Creation Devices (SSCD):

(1)

EN 419211-2:2013 – Protection profiles for secure signature creation device – Part 2: Device with key generation (v1.03), BSI-CC-PP-0059-2009-MA-02;

(2)

EN 419211-3:2013 – Protection profiles for secure signature creation device – Part 3: Device with key import (v1.0.2), BSI-CC-PP-0075-2012-MA-01;

(3)

EN 419211-4:2013 – Protection profiles for secure signature creation device – Part 4: Extension for device with key generation and trusted channel to certificate generation application (v1.0.1), BSI-CC-PP-0071-2012-MA-01;

(4)

EN 419211-5:2013 – Protection profiles for secure signature creation device – Part 5: Extension for device with key generation and trusted channel to signature creation application (v1.0.1), BSI-CC-PP-0072-2012-MA-01;

(5)

EN 419211-6:2014 – Protection profiles for secure signature creation device – Part 6: Extension for device with key import and trusted channel to signature creation application (v1.0.4), BSI-CC-PP-0076-2013-MA-01;

(c)

tachograph: Digital Tachograph – Tachograph Card (TC PP) (v1.0), BSI-CC-PP-0091-2017;

(d)

secure IC, Java Card platform and eUICC:

(1)

Universal SIM Java Card Platform Protection Profile Basic and SCWS Configurations (v2.0.2), ANSSI-CC-PP-2010/04 (Basic), ANSSI-CC-PP-2010/05 (Basic and SCWS);

(2)

Security IC Platform PP with Augmentation Packages (v1.0), BSI-CC-PP-0084-2014;

(3)

Embedded UICC (eUICC) for Machine-to-Machine Devices (v1.1), BSI-CC-PP-0089-2015;

(4)

Cryptographic Service Provider – CSP (v0.9.8), BSI-CC-PP-0104-2019;

(5)

Cryptographic Service Provider – Time Stamp Service and Audit (PPC-CSP-TS-Au) Version 0.9.5, BSI-CC-PP-0107-2019;

(6)

Configuration Cryptographic Service Provider – Time Stamp Service, Audit and Clustering (PPC-CSP-TS-Au-Cl) Version 0.9.4, BSI-CC-PP-0108-2019;

(7)

Java Card System – Closed Configuration (v3.1), BSI-CC-PP-0101-V2-2020;

(8)

Secure Element Protection Profile – GPC_SPE_174 (v1.0), CCN-CC-PP-5-2021;

(9)

Secure Sub-System in System-on-Chip (3S in SoC) Protection Profile (v1.8), BSI-CC-PP-0117-V2-2023;

(10)

Java Card System – Open Configuration (v3.2), BSI-CC-PP-0099-V3-2024;

(11)

Embedded UICC for Consumer Devices Protection Profile (v2.1), BSI-CC-PP-0100-V2-2025;

(e)

Trusted Platform Module: Protection Profile PC Client Specific Trusted Platform Module Specification Family 2.0; Level 0; Revision 1.59 (v1.3), ANSSI-CC-PP-2021/02.

2.

Hardware Devices with Security Boxes:

(a)

points of (payment) interaction and payment terminals (POI):

(1)

Point of Interaction ‘POI-CHIP-ONLY’ (v4.0), ANSSI-CC-PP-2015/01;

(2)

Point of Interaction ‘POI-CHIP-ONLY and Open Protocol Package’ (v4.0), ANSSI-CC-PP-2015/02;

(3)

Point of Interaction ‘POI-COMPREHENSIVE’ (v4.0), ANSSI-CC-PP-2015/03;

(4)

Point of Interaction ‘POI-COMPREHENSIVE and Open Protocol Package’ (v4.0), ANSSI-CC-PP-2015/04;

(5)

Point of Interaction ‘POI-PED-ONLY’ (v4.0), ANSSI-CC-PP-2015/05;

(6)

Point of Interaction ‘POI-PED-ONLY and Open Protocol Package’ (v4.0), ANSSI-CC-PP-2015/06;

(b)

Hardware Security Module:

(1)

Cryptographic Module for CSP Signing Operations with Backup – PP CMCSOB 14167-2 (v0.35), ANSSI-CC-PP-2015/08;

(2)

Cryptographic Module for CSP Key Generation Services – PP CMCKG 14167-3 (v0.20), ANSSI-CC-PP-2015/09;

(3)

Cryptographic Module for CSP Signing Operations without Backup – PP CMCSO 14167-4 (v0.32), ANSSI-CC-PP-2015/10;

(c)

tachograph:

(1)

Digital Tachograph – Motion Sensor (MS PP) (v1.0), BSI-CC-PP-0093-2017;

(2)

Digital Tachograph – Vehicle Unit (VU PP) (v1.15), BSI-CC-PP-0094-V2-2021;

(3)

Digital Tachograph – External GNSS Facility (EGF PP) (v1.10), BSI-CC-PP-0092-V2-2021.

3.

Others: Trusted Execution Environment Protection Profile – GPD_SPE_021 (v1.3), ANSSI-CC-PP-2014/01-M02.

ANNEX IV

ANNEX IV

Annex IV to Implementing Regulation (EU) 2024/482 is amended as follows:

1.

in point IV.2, point 4 is replaced by the following:

‘4.

The certification body shall review the updated evaluation technical report and establish a re-assessment report. The status of the initial certificate shall then be modified in accordance with Article 13 or Article 19. If the re-assessment process is successful, Article 13 paragraph 2 points (a) or (c) applies in the case of the certification of a product and Article 19 paragraph 2 point (a) or (c) applies in the case of the certification of a protection profile. If the re-assessment process is not successful, Article 13 paragraph 2 point (b) or (d) applies in the case of the certification of a product and Article 19 paragraph 2 point (b) or (d) applies in the case of the certification of a protection profile.’;

2.

point IV.3 is amended as follows:

(a)

Title IV.3 is replaced by the following:

‘IV.3    Changes to a certified ICT product – Maintenance and re-evaluation ’;

(b)

points 4 and 5 are replaced by the following:

‘4.

Following the examination, the certification body determines the scale of a change as minor or major in correspondence to its impact on the assurance expressed in the EUCC certificate.

5.

Where the changes have been confirmed by the certification body to be minor, no new certificate shall be issued for the modified ICT product in accordance with Article 13 paragraph 2 point (a) or Article 19 paragraph 2 point (a) and a maintenance report to the initial certification report shall be established.’;

(c)

the following point 5a is inserted:

‘5.a

In case of any changes to the assurance measures in the development environment, including the addition of assurance requirements from the CC ALC_FLR family (Flaw remediation), the certification body may request the ITSEF to perform a subset evaluation of the affected assurance measures. The ITSEF shall issue a partial evaluation technical report, based on which the certification body confirms the changes to be either minor or major. Where the changes have been confirmed by the certification body to be minor, Annex IV.3 point 5 shall apply. Where the changes have been confirmed by to the certification body to be major, Annex IV.3 point 7 shall apply.’.

ANNEX V

ANNEX V

Point V.1 of Annex V to Implementing Regulation (EU) 2024/482 is replaced by the following:

‘V.1    Certification report

1.

Based on the evaluation technical reports provided by the ITSEF, the certification body establishes a certification report to be published together with the corresponding EUCC certificate and security target.

2.

The certification report is the source of detailed and practical information about the ICT product and about the ICT product’s secure deployment. It shall therefore include all publicly available and sharable information of relevance to users and interested parties. Publicly available and sharable information may be referenced by the certification report.

3.

The certification report shall contain at least the following information:

(a)

executive summary;

(b)

identification of the ICT product;

(c)

contact information related to the evaluation of the ICT product;

(d)

security policies;

(e)

assumptions and clarification of scope;

(f)

architectural information;

(g)

supplementary cybersecurity information, if applicable;

(h)

ICT product evaluation summary and evaluated configuration;

(i)

results of the evaluation and information regarding the certificate;

(j)

comments and recommendations if applicable;

(k)

annexes, if applicable;

(l)

reference to the security target of the ICT product submitted to certification;

(m)

when available, the mark or label associated to the scheme;

(n)

glossary, if applicable;

(o)

bibliography.

4.

The executive summary referred to in paragraph 3, point (a) shall be a brief summary of the entire certification report. It shall provide a clear and concise overview of the evaluation results and shall include the following information:

(a)

name of the evaluated ICT product;

(b)

name of the ITSEF which performed the evaluation;

(c)

completion date of evaluation;

(d)

date of issuance of the certificate;

(e)

where applicable, date of issuance of the initial certificate;

(f)

validity period;

(g)

unique identification of the certificate as described in Article 11;

(h)

brief description of the certification report results, including:

(i)

the version and if applicable release of the Common Criteria applied to the evaluation;

(ii)

the Common Criteria assurance package or list of security assurance components, the AVA_VAN level applied during the evaluation and the corresponding assurance level as set out in Article 52 of Regulation (EU) 2019/881 to which the EUCC certificate refers to;

(iii)

where applicable, the Protection Profile(s) to which the ICT product is claiming compliance to;

(iv)

reference to the security policy of the evaluated ICT product;

(v)

disclaimer(s), if applicable.

5.

The identification referred to in paragraph 3, point (b) shall clearly identify the evaluated ICT product, including the following information:

(a)

the unique identification of the evaluated ICT product;

(b)

enumeration of the ICT product’s components that are part of the evaluation with version number of each component;

(c)

reference to additional requirements to the operational environment of the certified ICT product.

6.

The contact information referred to in paragraph 3, point (c) shall include at least the following information:

(a)

name of the developer;

(b)

name and contact information of the holder of the EUCC certificate;

(c)

name of the certification body that issued the certificate;

(d)

responsible national cybersecurity certification authority;

(e)

name of the ITSEF which performed the evaluation, and, where applicable, the list of subcontractors.

7.

The security policy referred to in paragraph 3, point (d), shall contain the description of the ICT product’s security policy as a collection of security services and the policies or rules that the evaluated ICT product shall enforce or comply with. It shall also include the following information:

(a)

a description of the vulnerability management and vulnerability disclosure procedures of the certificate holder, to be completed solely with information that can be made publicly available;

(b)

the assurance continuity policy of the holder of the certificate, including, where applicable, the description of the certificate holder’s lifecycle management or production processes in accordance with Section IV.1 of Annex IV;

(c)

where applicable, the presence of patch management procedure and the outcome of its assessment in accordance with Section IV.4 of Annex IV.

8.

The assumptions and clarification of scope referred to in paragraph 3, point (e), shall contain information regarding the circumstances and objectives related to the intended use of the product as referred to in Article 7(1), point (c) and shall include the following:

(a)

assumptions on the ICT product’s usage and deployment in the form of minimum requirements, such as proper installation and configuration and hardware requirements being satisfied;

(b)

assumptions on the environment for the compliant operation of the ICT product;

(c)

description of any threats to the ICT product that are not countered by the evaluated security functions of the product according to the intended use, if deemed relevant for a potential ICT product user.

The information referred to in the first subparagraph shall be as clear and understandable as possible to enable potential users of the certified ICT product to make informed decisions about the risks associated with its use.

9.

The architectural information referred to in paragraph 3, point (f), shall include a high-level description of the ICT product and its main components, based on the deliverables defined in the Common Criteria assurance family: Development – TOE Design (ADV_TDS).

10.

The supplementary cybersecurity information referred to in paragraph 3, point (g) shall include the link to the website of the holder of the EUCC certificate referred to in Article 55 of Regulation (EU) 2019/881.

11.

The ICT product evaluation and configuration referred to in paragraph 3, point (h), shall describe both the developer and evaluator testing effort, outlining the testing approach, configuration and depth. It shall include at least the following information:

(a)

an identification of the used assurance components from the standards referred in Article 3;

(b)

the version of the state-of-the-art documents and further security evaluation criteria used in the evaluation;

(c)

the settings and configuration of the TOE used for the testing and vulnerability analysis;

(d)

any protection profile that has been used, including the following information: the protection profile name, version, date and certificate.

12.

The results of the evaluation and information regarding the certificate referred to in paragraph 3, point (i) shall include information on the attained assurance level as referred to in Article 4 of this Regulation and Article 52 of Regulation (EU) 2019/881.

13.

The comments and recommendations referred to in paragraph 3, point (j), are used to impart additional information about the evaluation results. Those comments and recommendations may take the form of shortcomings of the ICT product discovered during the evaluation or mentions of features which are particularly useful.

14.

The Annexes referred to in paragraph 3, point (k), are used to outline any additional information that may be useful to the audience of the report but does not logically fit within the prescribed sections of the report, including in cases of a complete description of security policy.

15.

The security target referred to in paragraph 3, point (l), shall reference the evaluated security target. The evaluated security target shall be provided with the certification report for the purposes of publication on the website referred to in Article 50(1) of Regulation (EU) 2019/881. Where sanitisation of the evaluated security target is necessary prior to publication, it shall be done in accordance with point V.2 of Annex V to this Regulation.

16.

The marks or labels associated to the EUCC scheme referred to in paragraph 3, point (m), shall be inserted in the certification report in accordance with the rules and procedures laid down in Article 11.

17.

The Glossary referred to in paragraph 3, point (n), is used to increase the readability of the report by providing definitions of acronyms or terms of which the meanings may not be readily apparent.

18.

The bibliography referred to in paragraph 3, point (o), shall include references to all documents used in the compilation of the certification report. That information shall include at least the following:

(a)

the security evaluation criteria, state-of-the-art documents and further relevant specifications used;

(b)

the evaluation technical report;

(c)

the evaluation technical report for composite evaluation, where applicable;

(d)

technical reference documentation;

(e)

developer security guidance;

(f)

developer configuration list.

In order to guarantee the reproducibility of the evaluation, all documentation referred to has to be uniquely identified with the proper release date and proper version number.’.

ANNEX VI

ANNEX VI

‘ANNEX IX

Mark and label

1.

The form of mark and label:

2.

If the mark and label are reduced or enlarged, the proportions given in point 1 shall be respected.

3.

Where physically present, the mark and label shall be at least 5 mm high.

’.

8 articles

Cite this act

Commission Implementing Regulation (EU) 2025/2462 of 8 December 2025 amending Implementing Regulation (EU) 2024/482 as regards definitions, ICT product series certification, assurance continuity and state-of-the-art documents (EUR-Lex). Retrieved via LawPlayer, https://lawplayer.com/eu/act/32025R2462

© European Union, https://eur-lex.europa.eu, 1998-2026. Reuse authorised under Commission Decision 2011/833/EU, provided the source is acknowledged.

EU-EurLex-Reuse-2011-833

本頁資料來源:EUR-Lex·整理提供:法律人 LawPlayer· lawplayer.com