National template for IT product and system security and privacy assessment and certification compliant with Common Criteria (KSO3C)

  • Project name: National template for IT product and system security and privacy assessment and certification compliant with Common Criteria (KSO3C)
  • Website:
  • Source of funding: NCRD
  • Project goal: The purpose of the project is the development of methods and techniques for evaluating security and privacy with a high level of certainty, based on an innovative approach to the assessment of vulnerabilities related to advanced attacks, both non-invasive threats such as side-channel attacks and reverse engineering, as well as such invasive threats as perturbation attacks.


The project is a joint endeavour by several research units under the supervision of the Minister of Digital Affairs: IŁ, NASK and ITI EMAG. These units develop systems for assessing and certifying the security and privacy of ICT products and services in response to the EC initiative involving the development of the European Security Certification Framework for products and services, as proposed in the Cybersecurity Act bill, for example. The assessment system will be open and able to be extended to include new laboratories assessing CC compliance (ISO 15408). In order to become a participant, it is necessary to meet the requirements, which are equal for all ITSEFs (Information Technology Security Evaluation Facilities). These are assessed by a certification unit in a transparent and unbiased manner, in accordance with the EU rules of product, service and process compliance.


The final product will be a fully-functional programme of ICT product and service cybersecurity certification, which will involve the issuing of internationally-recognised certificates based on the SOG-IS and CCRA agreements. The SOG-IS (Senior Officials Group Information Systems Security) was created in response to the decision of the Council of the European Union of 31 March 1992 (92/242/EWG) on information systems security, and operates based on an MRA (Mutual Recognition Agreement). The SOG-IS MRA has been currently signed (in 2018) by fifteen countries, including Poland (since 2017). Eight countries are classed as Qualified/Authorising participants, which means that they are organisationally capable of assessing compliance and issuing certificates (in practice, this means that they possess a functioning national compliance assessment and certification programme). The remaining countries (including Poland) are designated as consuming participants, which means that they recognise certificates issued as part of existing certification programmes. As a result of the KSO3C project, Poland will achieve the organisational potential necessary to conduct research, assess compliance and issue certificates which are recognised by other SOG-IS members. The products and services certified for compliance are distinguished by the Common Criteria logo on their graphics.


  • Institute of Communications – National Research Institute (IŁ) – Project Leader
  • Research and Academic Computer Network – National Research Institute (NASK)
  • EMAG Institute of Innovative Technologies (ITI EMAG)