Common Criteria Consultation

Expert preparation and guidance to help you succeed in Common Criteria and EUCC certification projects.

What Common Criteria Consultation Means in Practice

QIMA supports organizations with Common Criteria (ISO/IEC 15408) consultation and readiness activities, helping them prepare for European Union Cybersecurity Certification Scheme (EUCC) and other national or international Common Criteria‑based certification schemes.

Common Criteria consultation supports organizations before and during a formal Common Criteria or EUCC certification project. It focuses on preparation, readiness, and risk reduction rather than independent evaluation.

The EUCC is the EU-wide cybersecurity certification framework based on Common Criteria. It harmonizes certification requirements across EU Member States and replaces national Common Criteria schemes for products within its scope.

For manufacturers, consultation helps translate Common Criteria and EUCC requirements into practical actions, ensuring that products, documentation, and development processes are ready for certification. It is often used to reduce project risk, shorten timelines, and avoid unnecessary rework during formal evaluation.

When Common Criteria Consultation Is Needed

Organizations typically seek Common Criteria consultation when preparing for an initial certification, updating an already certified product, or moving from national Common Criteria schemes to the EUCC framework.

It is especially useful when internal teams need guidance on interpreting protection profiles, preparing the necessary documentation, and aligning development practices with certification requirements.

What Common Criteria Consultation Covers

Common Criteria consultation services are tailored to the product, certification scope, and target assurance level, including EUCC evaluations at the Substantial (AVA_VAN.1 or 2) or High (AVA_VAN.3–5) levels, whose results are centrally published by ENISA.

Support may include readiness and gap assessments, guidance on selecting applicable protection profiles or the appropriate Evaluation Assurance Level (EAL), assistance with defining the Target of Evaluation (TOE), and help preparing Security Targets and developer documentation. It may also cover secure development practices, configuration management, and vulnerability handling processes expected during evaluation.

In all cases, the support is designed to complement, not replace, the role of the independent evaluation laboratory.

How Common Criteria Consultation Supports Certification

Effective preparation is one of the most important factors in a successful certification project.

By identifying gaps early and aligning documentation and processes before formal evaluation begins, consultation helps reduce the number of findings, iterations, and delays during certification. This leads to more predictable project timelines and lower overall certification effort.

Common Criteria consultation is often used in combination with cybersecurity evaluation and certification services as part of a structured certification journey.

How QIMA Supports Common Criteria Consultation

QIMA provides Common Criteria consultation through experienced cybersecurity and certification specialists.

Our consultants support product teams with interpretation of certification requirements, preparation of documentation, and alignment with EUCC expectations. We work collaboratively with development, security, and compliance teams to ensure readiness while maintaining the independence of formal evaluation activities.

QIMA’s integrated cybersecurity services allow organizations to move smoothly from preparation to evaluation and certification.

Relationship to Evaluation and Certification Services

Common Criteria consultation is distinct from evaluation and certification.

Consultation focuses on preparation and readiness. Evaluation involves independent assessment of the product against Common Criteria requirements. Certification results in formal recognition under a defined scheme.

Many organizations engage consultation first, followed by cybersecurity evaluation and then certification, to streamline the overall certification process.

Talk to Our Cybersecurity Experts

If you are planning a Common Criteria or EUCC certification project and want to reduce risk and improve readiness, QIMA can support you with targeted consultation services.

FAQs

Is Common Criteria consultation mandatory?

No. Consultation is optional, but it is widely used to improve readiness and reduce risk during certification projects.

Does consultation replace evaluation?

No. Consultation supports preparation. Independent evaluation is still required for certification.

Can consultation help with EUCC transition?

Yes. Consultation can support organizations transitioning from national Common Criteria schemes to the EUCC framework.
