The independent EUCC evaluation of a smartcard controller from Infineon underscores the role of TÜV Informationstechnik as an established testing centre for complex IT security products.

TÜV Informationstechnik GmbH has made a key contribution to the practical implementation of the new European certification framework EUCC as an independent testing centre. As part of the first EUCC certification issued by the German Federal Office for Information Security (BSI), a security‑critical smartcard controller from Infineon Technologies AG was comprehensively assessed in terms of security technology.

With EUCC, the European Union is establishing a binding, Europe‑wide recognised certification scheme for IT products with security functionality for the first time. For manufacturers, users and public clients, this provides a consistent assessment framework that increases transparency and significantly improves the comparability of security evaluations.

A key differentiating feature of the EUCC scheme is the multi‑assurance concept. In addition to an overarching overall assurance level (EAL) for the entire product, it also allows the security levels of individual components – such as specific hardware modules – to be labelled separately. This approach enables a realistic and comprehensible assessment, particularly for complex and modular systems such as those used in 5G infrastructures or highly integrated security solutions.

In contrast to previous procedures, which often focused on a single evaluation level (e.g. EAL4), multi‑assurance is now increasingly used in EUCC processes. The security requirements are divided into functional subgroups (sub‑TSFs). Each subgroup can achieve its own detailed assurance level, which is transparently stated in the certificate. This allows the security architecture of a product to be represented in a more differentiated manner rather than being reduced to a single level.

This further development of the assessment logic is specifically supported by the current Common Criteria standards (CC 2022) and the introduction of the EUCC scheme. The aim is to present the trustworthiness of ICT products in a more granular, comprehensible and therefore more reliable way – both for regulatory decisions and for market and procurement processes.

“EUCC enables a new quality of IT security assessment in Europe,” explains Karsten Herwig, Security Evaluation and Audit at TÜVIT. “As a testing body, we contribute our many years of Common Criteria expertise and support manufacturers in having complex products evaluated transparently and recognised throughout the EU.”

With the successful implementation of this first EUCC test, TÜVIT is underlining its position as a competent partner for demanding certification procedures and making a concrete contribution to strengthening trust and security in European digitalisation.