
Common Criteria / EAL

Common Criteria (CC) is an international standard for evaluating the security properties of IT products and systems, published as ISO/IEC 15408. It was developed in the 1990s jointly by Germany, the United States, Canada, France, and the United Kingdom to establish a unified and internationally recognized basis for IT security assessments. The aim is to have independent testing laboratories verifiably confirm that a product actually delivers the security functions it claims to provide. In Germany, the Federal Office for Information Security (BSI) is the responsible certification body.

The core evaluation framework within Common Criteria is the set of Evaluation Assurance Levels (EAL), which range from EAL1 to EAL7. As the level increases, so do the depth, scope, and methodological rigor of the evaluation. While EAL1 represents a basic functional check, EAL4 already requires source code analysis by specialized evaluators. Levels from EAL5 onwards are, due to their complexity, primarily relevant in practice for high-security applications in the military and government sectors. Internationally, certificates up to EAL2 are mutually recognized; within Europe, mutual recognition extends to EAL4 under the SOG-IS agreement.

In enterprise environments, Common Criteria certification is particularly relevant when IT products are to be deployed in security-critical areas such as government agencies, critical infrastructure, or healthcare. Many public sector clients in Germany require CC certification for certain product categories as a prerequisite for procurement. For manufacturers of security software, firewalls, or mobile device management (MDM) solutions, Common Criteria certification also serves as an important quality signal to demanding customers in the public sector.

A key advantage of Common Criteria certification is the objective, independently verified trustworthiness it provides for a product. Rather than relying on vendor claims, procurement decision-makers and IT managers receive a neutrally assessed statement about a product's actual security performance. Especially in times of growing cyber threats and increasingly stringent compliance requirements under frameworks such as NIS2, this independent verification is gaining in importance.

For organizations evaluating IT products for use in security-critical environments, Common Criteria certification is a central selection criterion. The role it plays in choosing a suitable device management solution is covered separately.