EU Common Criteria for IT Security Vulnerabilities: Halving the Effort for Impact Assessment through Automation 

• First EU-wide certification scheme for products and systems with digital elements
• ENISA Executive Director: EUCC is part of the „puzzle of the EU cybersecurity certification framework“
• Automation is the key to optimised processes in impact assessment

Duesseldorf, April 17^th, 2024 – The European Cybersecurity Scheme on Common Criteria (EUCC) is the first systematic approach to cybersecurity certification. The criteria for the certification scheme have been drafted by the European Union Agency for Cyber Security (ENISA) and now need to be implemented in the member states – the necessary implementing legislation has recently been published. „The EUCC enables manufacturers to monitor the IT security of products such as technology components, hardware and software against a standard and analyse them for vulnerabilities. It also paves the way for manufacturers to implement the upcoming requirements of the Cyber Resilience Act (CRA). The Common Criteria’s goal of increasing the security of new IT products and devices with digital elements in the EU’s internal market also helps in the implementation of upcoming regulations such as the Cyber Resilience Act“, said Jan Wendenburg, CEO of ONEKEY. According to the EUCC, manufacturers must actively monitor the vulnerabilities of their products and perform a vulnerability impact analysis in accordance with Article 33.

Technology platform for automated impact assessment

When implementing the requirements, companies will need external support to carry out the risk analysis in a professional manner and to be certified accordingly. „In view of the major changes and the increased responsibility that manufacturers of digital systems and devices have today, automation is an important aspect of the implementation of the EUCC obligations. We have build ONEKEY’s analysis platform for automated CVE (Common Vulnerabilities and Exposures) impact assessment and can use this automation to reduce companies‘ vulnerability impact assessment efforts by up to 50 percent,“ adds Jan Wendenburg of ONEKEY. The Duesseldorf-based company operates a product cybersecurity & compliance analysis platform. In addition to an exact listing of all software and firmware components as a Software Bill of Materials (SBOM), ONEKEY enables a detailed analysis with risk assessment of possible known and unknown vulnerabilities of all devices and systems with digital elements. ONEKEY automatically checks and identifies critical security vulnerabilities and compliance violations in embedded software, especially in Internet of Things devices, and monitors and manages them throughout the product lifecycle.

EU certification framework for cybersecurity

ENISA’s executive director, Juhan Lepassaar, also stresses the importance of the Common Criteria (EUCC): It is part of the „jigsaw puzzle of the EU cybersecurity certification framework“ currently under construction. „The Common Criteria framework paves the way for the future. The sooner manufacturers and distributors of products with digital elements get to grips with it, analyse the risks and eliminate vulnerabilities, the easier it will be to move towards a future where systems and devices do not contain undetected security risks and hidden software,“ summarises ONEKEY CEO Jan Wendenburg. In addition to automated CVE impact assessment, the ONEKEY platform also supports the other processes required to comply with the Cybersecurity Act. Interested parties are invited to a demonstration of the automated impact assessment: https://onekey.com/demo/ 

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life. 

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. „Digital Cyber Twins“ enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle. 

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.