The EU Cybersecurity Act (Regulation 2019/881) created the legal framework for a unified European cybersecurity certification regime. Six years on, two schemes are in substantive production use: the European Cybersecurity Certification Scheme for ICT Products (EUCC), and the long-delayed European Cybersecurity Certification Scheme for Cloud Services (EUCS), which reached its first operational certifications in late 2025. A third scheme, the AI-specific certification drafted in response to the AI Act's conformity assessment requirements, is in Commission review.
This post gives the practitioner's view of what the two production schemes actually deliver in 2026, where they fall short of the original policy ambition, and how to think about them both in procurement and in your own organisation's certification strategy.
EUCC — Where It Has Landed
EUCC is the successor to the long-standing SOG-IS Common Criteria recognition arrangement, which it replaces across the EU. The scheme covers ICT products — hardware and software, including cryptographic modules, network equipment, secure elements, and smart cards. It preserves the Common Criteria Evaluation Assurance Level structure (EAL1 through EAL7) and adds the EU assurance level framing (Substantial and High).
Three aspects are worth noting in 2026.
Mutual recognition is working, mostly. A product certified under EUCC in one Member State is recognised across the EU without re-certification. This has materially shortened the time-to-market for vendors that previously sought separate national certifications. The remaining friction is in the recognition of legacy SOG-IS certificates during the transition; vendors with pre-2024 certificates should check the transition schedule in their target markets, because some of those certificates expire during 2026 and require migration to EUCC equivalents.
The certification body landscape is still concentrating. EUCC certifications are issued by Conformity Assessment Bodies accredited under the scheme. The number of active CABs has grown since 2024, but the bulk of high-assurance certifications still funnel through a handful of laboratories in France, Germany, the Netherlands, and Spain. For vendors, this means lead times of 12-18 months for EAL4+ and above, and very few options for compressed timelines. For buyers, it means that concentration risk in the certification supply chain is itself a consideration when relying heavily on EUCC evidence.
Procurement weight is mixed. In public procurement — especially defence-adjacent and critical infrastructure — EUCC at Substantial or High is increasingly a scoring criterion or a hard requirement. In private-sector procurement, EUCC matters for specific product categories (HSMs, network security appliances, identity products) but carries less weight than enterprise buyers sometimes assume for general software. Sales teams overselling EUCC as a universal procurement accelerant are setting up their own credibility for a fall.
EUCS — What the First Wave of Certifications Looks Like
EUCS had a long, politically contested drafting process. The version that went to production in late 2025 is narrower in scope than earlier drafts and avoids the most contested provisions around non-EU provider eligibility at the highest assurance level. The scheme now defines three assurance levels: Basic, Substantial, and High.
Basic level is broadly aligned with internationally recognised cloud security baselines, including ISO 27017 and ISO 27018. A provider with an up-to-date ISO 27001 and 27017 audit can reach Basic through a gap-focused assessment rather than a full re-evaluation.
Substantial level introduces additional EU-specific controls around transparency of processing, data location disclosure, and supply-chain security. Most European hyperscale providers are pursuing Substantial through 2026 as the primary target.
High level is the politically contested tier. The final scheme does not include the earlier draft's non-EU owner exclusions but does include enhanced requirements around protection against non-EU legal process, operational governance, and staff vetting. A limited number of EU-headquartered providers are pursuing High, and the first certifications at this level are expected in late 2026.
Three practical observations after the first several months of operational certifications:
Audit scoping is still unsettled. EUCS permits scoping by service, by region, and by customer segment. The first wave of certifications has taken widely different approaches to scope, which makes apples-to-apples comparison difficult. A procurement team receiving an EUCS Substantial certificate from a provider should always read the scope document, not just the certificate summary.
Continuous monitoring is real, and expensive. Unlike ISO 27001's triennial recertification rhythm, EUCS requires continuous monitoring of specific control indicators with reporting to the certification body. This has operational cost implications for providers and is partly why the rollout is gradual. For customers, it means that the EUCS certificate is a stronger ongoing signal than a traditional triennial audit.
The GDPR complementarity is not automatic. EUCS certification does not constitute a GDPR adequacy-equivalent mechanism, nor does it replace a Standard Contractual Clauses analysis for transfers. A provider with EUCS High may still require the buyer to perform a transfer impact assessment if any data leaves the EEA in the course of service delivery. The two frameworks overlap but do not substitute.
The AI Act Certification Scheme in Draft
ENISA is developing an AI-specific certification scheme that will interact with the conformity assessment requirements under the AI Act for high-risk AI systems. The scheme is not yet in operational form, but the draft has been circulated for comment and will likely move into adoption through 2026-2027.
The interaction between the AI certification scheme and the existing conformity assessment mechanism is not fully resolved. A voluntary EU-level certification could simplify cross-border market access for high-risk AI system providers, but it does not exempt them from the Annex VII conformity assessment path. Providers planning their August 2026 readiness should not rely on the certification scheme being available in time.
How to Use the Schemes in Procurement
The most common mistake in 2026 procurement is treating an EUCC or EUCS certificate as a binary signal — "has it or not" — without looking at the substance. A better procurement frame uses three questions per certification.
What is the scope? Does the certificate cover the specific product or service you are buying, in the specific deployment configuration, for the specific region of delivery? A certificate that covers the vendor's flagship product does not automatically cover the enterprise variant or the regional edition.
What is the assurance level? EUCC EAL2 and EAL4+ are very different statements about the rigour of the evaluation. EUCS Basic and Substantial are different control sets. The level must match the risk profile of the service being procured.
What is the validity status? Certifications have issue dates, validity periods, and ongoing monitoring requirements. A certificate issued three years ago under a predecessor scheme that has not been migrated is worth substantially less than a current certificate under the production scheme.
Beyond these, procurement teams should distinguish between certifications as a procurement filter (hard requirement to qualify) and as a procurement accelerant (reduces the depth of due diligence needed). Used as a filter, certifications are a blunt instrument that excludes good suppliers who have not pursued certification for commercial reasons. Used as an accelerant — combined with targeted due diligence on the residual risk not covered by the certification — they save real time.
Whether to Pursue Certification as a Supplier
For vendors selling into the EU, the build-or-buy logic on certification depends on three factors.
Customer concentration. If your pipeline is dominated by public-sector or regulated-industry customers that are starting to require certification in their RFPs, the investment makes commercial sense. The capital cost and the recurring cost of maintaining certification are substantial — 6-7 figures for a full EUCC or EUCS High certification — but the pipeline unlock is material.
Product maturity. Certification is painful for products that are still undergoing architectural change. The evaluation assumes a stable target of evaluation, and significant product changes during evaluation can invalidate the work done. Vendors in rapid iteration should delay certification until the architecture stabilises.
Regulatory alignment. For products that will fall under the Cyber Resilience Act's conformity requirements, certain certifications can be used as evidence of CRA conformity. This can make the certification investment dual-purpose, which changes the return calculation.
The Honest Assessment
Seven years after the Cybersecurity Act, the EU certification regime has matured enough to be operationally useful in specific domains, but it still falls short of the original policy ambition of a unified, widely adopted trust framework. EUCC works for the product categories it inherited from SOG-IS and is gradually expanding. EUCS is genuinely new, is landing in the market, and will become a meaningful differentiator in cloud procurement through 2026-2027. The AI-specific scheme is too early to evaluate.
For most regulated entities, the practical stance is: use the schemes where they match the risk, do not treat them as a substitute for your own due diligence, and do not oversell them internally as a procurement shortcut. For vendors, pursue certification when the commercial case is clear and the product architecture is stable enough to justify the investment. The schemes are not universal keys, but in their specific domains they are increasingly the minimum credible signal.