CSPN and ANSSI Visa: French cybersec certification
Created in 2009 by decree, ANSSI (Agence nationale de la securite des systemes d'information, the French national cybersecurity agency) is the French authority for cybersecurity, the functional equivalent of Germany's BSI, the United Kingdom's NCSC and the cybersecurity arm of NIST in the United States. At the core of its product activity sits the Visa de securite, an umbrella label that groups three deliverables: the CSPN (first-level security certification, in place since 2008), Common Criteria certificates issued under the French scheme within SOG-IS and the new EUCC regulation, and Qualifications at three levels (Elementaire, Standard, Renforce). This guide presents the mechanics of each instrument, the role of CESTI laboratories, the link with the Loi de Programmation Militaire for Operators of Vital Importance, and the place of the French scheme within the European landscape shaped by the Cyber Resilience Act and RED article 3.3.
ANSSI, the French cybersecurity authority
ANSSI was established by decree n. 2009-834 of 7 July 2009, under the authority of the Secretariat general de la defense et de la securite nationale (SGDSN). Its mission covers four main axes: defence of state information systems, assistance to Operators of Vital Importance (OIV) and to administrations, regulation through the RGS (Referentiel General de Securite) and sector-specific reference texts, and qualification of trust products and services.
In the chain of digital trust, ANSSI plays a role analogous to that of the Bundesamt fuer Sicherheit in der Informationstechnik (BSI) in Germany, the National Cyber Security Centre (NCSC) in the United Kingdom, the National Institute of Standards and Technology (NIST) in the United States for the standards branch, or the ENISA agency at European level. The French specificity lies in combining regulation, qualification, and operation of state capabilities within a single entity.
The agency does not itself perform technical evaluations. For that purpose it relies on a network of accredited laboratories, the CESTI (Centres d'Evaluation de la Securite des Technologies de l'Information, Information Technology Security Evaluation Centres), which run the tests under COFRAC quality control and under ANSSI methodological steering. The agency issues, refuses or withdraws certificates and qualifications.
ANSSI also acts as the National Cybersecurity Certification Authority (NCCA) of France under the Cybersecurity Act (EU) 2019/881. In that capacity it represents France in the European Cybersecurity Certification Group hosted by ENISA, and acts as the issuing body for European schemes adopted under the Act (EUCC, EUCS, EU5G as they enter into application). The agency thus operates two complementary roles, a national scheme inherited from the pre-2019 framework, and a European role embedded in the unified European certification landscape.
Visa de securite, an umbrella label
The term Visa de securite is not an evaluation scheme on its own. It is the name given by ANSSI to the public grouping of its deliverables. Three distinct families belong to it.
| Family | Evaluation type | Recognition |
|---|---|---|
| CSPN | First level, framed evaluation workload | French national scheme |
| Common Criteria certificate | ISO/IEC 15408 with EAL assurance packages | International via SOG-IS and CCRA, migrating to EUCC |
| Qualification | Fit for purpose at a given level (Elementaire, Standard, Renforce) | French national scheme, embedded in regulatory reference texts |
The Visa de securite fulfils two complementary functions. For the market, it publicly attests that a product has been evaluated by the French authority. For the regulated buyer, it provides an objective selection criterion to write into a tender or specification, without having to replicate the technical expertise in-house.
The catalogue is publicly accessible, organised by product category, and remains the reference to check the current validity of a certificate or qualification.
CSPN, an evaluation scheme bounded in time and budget
CSPN was introduced in 2008 to close the gap between no evaluation at all and the weight of Common Criteria. A CC evaluation, even at EAL 2 augmented, typically requires several hundred evaluator-days and a significant budget. For products whose sensitivity does not justify that investment but which still need attested trust, CSPN offers a first-level format.
Structural choices
Three design choices distinguish CSPN.
- Framed evaluation workload. ANSSI has defined a target evaluation volume, on the order of a few dozen person-days, which allows a CESTI to propose a firm quote before starting. This predictability is the main argument for manufacturers.
- White-box evaluation. The CESTI receives the source code, the design documentation and direct access to the product. The objective is to quickly detect known vulnerabilities and common design faults, rather than to conduct an exhaustive attack-tree analysis.
- Proportionate security target. The target (functional equivalent of the CC Security Target) is deliberately concise and readable. It describes the product, its security functions, the threats covered, the environment assumptions, and the assets protected. ANSSI publishes templates per domain.
Typical application domains
CSPN covers about a dozen technical domains regularly represented in the catalogue.
- File, disk and communication encryption software and hardware
- Firewalls, network filtering devices and industrial gateways
- Identification and authentication solutions, privileged account management
- Secure boot mechanisms, firmware integrity and protection
- Electronic signature components, time-stamping and certificate issuance
- Anti-virus, EDR, network probes
- Secure messaging and file-sharing systems
- Data-at-rest protection on workstations or servers
Each domain has an associated template security target, guiding the manufacturer's drafting and the CESTI evaluation. The exact list of available templates is published by ANSSI.
Six-step process
| Step | Main actor | Deliverable |
|---|---|---|
| Scoping and CESTI selection | Manufacturer | Choice of CESTI, functional scope |
| Drafting the security target | Manufacturer, assisted by the CESTI | Security target (CSP) |
| Submission to CESTI and ANSSI | Manufacturer | Product file, contracts |
| Conducting the tests | CESTI | Technical evaluation report (RTE) |
| Analysis and ANSSI decision | ANSSI | Issuance or refusal decision |
| Publication in the catalogue | ANSSI | CSPN certificate, listing |
Validity duration and updates
A CSPN certificate is issued with a validity duration shown on the document. Common practice is a three-year duration, possibly renewed after review of a surveillance or re-evaluation file. Any substantial functional or cryptographic change to the product leads ANSSI to assess whether a fresh CSPN is required or whether maintenance suffices. The exact applicable duration for a given product is systematically shown on its certificate.
Maintenance is treated through a structured review of the changes between the certified version and the new version. The CESTI examines the impact on the security functions, on the cryptographic primitives, and on the assets covered by the security target. Where the change is limited to non-security-bearing components, a simple statement of non-impact can suffice. Where security functions are touched, partial re-evaluation is required. This intermediate path avoids the cost of a full re-evaluation while keeping a documented trace of the product's evolution.
Common Criteria certification issued by ANSSI
ANSSI is the French issuing authority for Common Criteria certificates (ISO/IEC 15408), recognised internationally under two arrangements.
- CCRA (Common Criteria Recognition Arrangement), a worldwide agreement signed by around thirty countries, which mutually recognises certificates up to augmented EAL 4.
- SOG-IS MRA (Senior Officials Group Information Systems Security), a stricter European agreement that extends recognition up to EAL 7 in mastered domains (smart cards, cryptographic components).
With the progressive entry into application of Regulation (EU) 2024/482 establishing the European EUCC scheme (European Cybersecurity Certification scheme on Common Criteria), ANSSI is migrating its issuance toward EUCC for products falling in scope. EUCC reuses the CC assurance levels (substantial for EAL 1 to 4, high for EAL 5 to 7) under renamed labels and adds a post-market surveillance framework.
For a manufacturer, the choice between CSPN and CC rests on three criteria.
| Criterion | CSPN preferred | CC preferred |
|---|---|---|
| Sensitivity of protected asset | Professional data, ordinary perimeters | Classified data, critical infrastructure |
| Target market | France and regulated French buyers | Multi-country, export, regulated foreign markets |
| Budget and schedule | Constrained, first certification | Available, second investment cycle |
For the detailed CC normative framework, see our guide on Common Criteria ISO/IEC 15408.
Manufacturers should note that the migration from SOG-IS to EUCC is staged. Domains for which SOG-IS technical communities already maintain authoritative protection profiles (smart cards and similar devices, hardware security modules) are migrating first, with the existing SOG-IS protection profiles being absorbed into the EUCC framework. Other domains will follow as protection profiles are formally adopted under the European scheme. The expected outcome is unified recognition of CC certificates across the European Union, with assurance levels redenominated and a uniform post-market surveillance regime applied by national authorities.
Qualification, the decisive complement to the certificate
A certificate (CSPN or CC) attests that a product has passed a technical evaluation. It says nothing about the product's fit for a given use by an administration or an OIV. Qualification fills that gap, attaching to the certificate a level that characterises the use covered.
Three levels and their fields of use
| Qualification level | Need covered | Typical field of use |
|---|---|---|
| Elementaire | Ordinary confidentiality and integrity | Standard administrations, non-OIV companies |
| Standard | Protection of sensitive non-classified information | OIV under the LPM, OSE under NIS, certain healthcare uses |
| Renforce | Protection of Diffusion Restreinte data and above | OIV for the most sensitive uses, critical state functions |
Each level is associated with a set of requirements (RFS, Reglement Federal de Securite, or sector-specific reference texts). A manufacturer seeking qualification must demonstrate that the product satisfies not only the functional content of the certificate but also the operational, organisational and life-cycle requirements of the target level.
Articulation with LPM and OIV
The 2013 Loi de Programmation Militaire (amended since) imposes cybersecurity obligations on OIV, framed by sector-specific orders signed by the ministers of the concerned sectors. These orders list, for each category of vital-importance information system (SIIV), the applicable technical requirements, and impose the use of products qualified at least at the Standard level for certain critical functions (cryptography, authentication, detection).
The qualification at the appropriate level thus becomes a purchasing prerequisite for these operators. A product certified CSPN but not qualified can be sold outside this perimeter, but will be excluded from an OIV tender on that basis.
Renewal and maintenance
A qualification does not extend automatically with the renewal of the certificate. It requires ongoing oversight by ANSSI, including verification of the supply chain, the manufacturer's commitments on security maintenance, and periodic review. An expired qualification removes the product's access to the regulated market, even if the underlying certificate is still valid. Renewal management is therefore an important industrial point of attention.
In practice, manufacturers serving the regulated French market plan qualification renewal as a recurring milestone in the product roadmap. Anticipating the file by twelve to eighteen months ahead of expiry leaves room for the technical updates that may be required to align with new cryptographic recommendations published by ANSSI, with revised reference frameworks, and with the methodological updates of the CSPN scheme itself. Failing to plan this cadence is a frequent cause of temporary withdrawal of the product from public-sector catalogues.
The CESTI network
The CESTI is the operational link of the scheme. To be recognised, a CESTI must meet three cumulative conditions.
- COFRAC accreditation under ISO/IEC 17025 for the security evaluation scope.
- ANSSI recognition following review of the competency file, tools, procedures and role separation.
- Listing in the ANSSI catalogue, updated regularly.
The official list is published by the agency. CESTI are specialised by domain: some laboratories cover the full CSPN spectrum, others focus on hardware components and cryptography. The manufacturer chooses a CESTI based on the technical domain and prior evaluation experience.
Service qualifications, PASSI, PVID and related
Beyond products, ANSSI also qualifies cybersecurity service providers. The mechanism is analogous: a reference framework defines the scope, a third-party body verifies conformity, and ANSSI grants or withdraws the qualification.
| Qualification | Scope | Typical use |
|---|---|---|
| PASSI | Security audits (architecture, configuration, code, penetration, organisation) | Administrations, OIV requiring external audit |
| PDIS | Security incident detection providers (SOC, MDR) | OIV subject to detection obligation |
| PRIS | Security incident response providers | OIV in post-incident phase |
| PVID | Remote identity verification | Digital identity enrolment, regulated KYC |
| PACS | Design and integration of secure systems | Sensitive state markets |
PVID deserves particular attention. The framework builds on eIDAS and the GDPR, and qualifies remote identity-verification processes using the passport or chip-based identity card, biometrics and liveness checks. It is the regulatory backbone of the French digital identity (FranceConnect+).
SecNumCloud, a parallel scheme for cloud services
SecNumCloud is a qualification scheme distinct from the product and audit-service schemes, dedicated to cloud computing services. It qualifies SaaS, PaaS and IaaS offerings on three main dimensions.
- Technical security, equivalent to requirements expected at the Standard or Renforce level.
- Organisational security, including incident management, business continuity and supply chain.
- Sovereignty, meaning immunity to extra-European laws with extraterritorial reach, and effective hosting and control from within the European Economic Area.
The current reference is SecNumCloud V3.2, applicable since 2022. SecNumCloud is now a prerequisite for the hosting of sensitive state data and certain critical health data. It is not covered by the product Visa de securite but appears in the wider panorama of ANSSI labels under a distinct category.
At European level, SecNumCloud partly inspires the EUCS scheme (European Cybersecurity Certification scheme for Cloud Services) under development under the Cybersecurity Act (EU) 2019/881.
Articulation with the European framework
The French scheme operates within a moving European landscape. Three texts structure the environment.
- The Cybersecurity Act, Regulation (EU) 2019/881, establishes the framework for European cybersecurity certification schemes, managed by ENISA. It supports EUCC for products, EUCS for cloud services, and EU5G for 5G.
- The Cyber Resilience Act (EU) 2024/2847, applicable on 11 December 2027, imposes on every product with digital elements placed on the European market a baseline of cybersecurity requirements, with presumption of conformity through harmonised standards and optionally through EUCC certificates.
- The RED article 3.3, applicable since 1 August 2025, imposes cybersecurity requirements on internet-connected radio equipment, met by default through the harmonised standards EN 18031.
For a French manufacturer's product sold in France and Europe, several scenarios coexist.
| Product | CE marking / RED | ANSSI Visa |
|---|---|---|
| Consumer IP camera, French and European market | EN 18031 mandatory | None (market not OIV-regulated) |
| HSM module for an administration and an OIV | CE marking as per applicable directives | CSPN or CC, Qualification Standard or Renforce |
| Encryption software sold to administrations | Outside CE marking scope | CSPN and Qualification Elementaire or Standard |
| Detection probe for OIV | Possibly CE marking | CSPN and Qualification Standard |
| End-to-end solution for classified state services | Marking depending on scope | CC, Qualification Renforce |
The Visa de securite does not substitute for CE marking, and vice versa. For regulated French markets, it comes as a complement and often forms the differentiating criterion. See also the EN 303 645 guide for the consumer-IoT cybersecurity dimension.
Common pitfalls in a CSPN project
Experience accumulated on CSPN projects reveals five recurring mistakes.
1. Treating CSPN as equivalent to CC in export markets. Abroad, CSPN has limited recognition. A product seeking access to German public-sector markets needs a BSI certificate or a CC certificate under SOG-IS. Confusing Visa with international recognition leads to a wasted investment.
2. Letting the Qualification lapse. The CSPN certificate is renewed more simply than the associated Qualification. A manufacturer who allows the qualification to expire without renewing it loses access to the regulated market, even if the product itself has not changed.
3. Miscalibrating the security-target scope. A target that is too broad makes the evaluation overflow the CSPN framework. A target that is too narrow fails to cover the functions actually used in operation and weakens trust. Correct scoping is done with the CESTI at the outset.
4. Underestimating the security target drafting time. The security target is the contractual artefact that structures the evaluation. For a manufacturer producing this document for the first time, drafting and review time reach several weeks. Planning must absorb this.
5. Conflating CE marking and ANSSI Visa. The two processes are independent. CE marking attests conformity to applicable European directives (LVD, EMC, RED, RoHS, CRA in the near future). The Visa attests evaluation by ANSSI. A product can be CE marked without a Visa, or hold a Visa without certain CE directives if its scope does not require them.
Practical approach for a manufacturer
A structured approach typically combines four phases.
1. Define the commercial and regulatory target. Identify target markets (administrations, OIV, OSE, healthcare, export), the applicable regulatory reference texts (LPM, NIS, RGS, HDS), and the useful Qualification level. This step determines whether CSPN suffices or whether CC is required.
2. Select the CESTI and frame the security target. Choose a laboratory whose domain expertise covers the product. Co-draft the security target with its methodological support, building on the templates published by ANSSI.
3. Run the evaluation and obtain the certificate. Provide the CESTI with source code, documentation and evaluation hardware. Follow the agreed schedule, address the CESTI's queries, fix the gaps identified.
4. Engage the qualification procedure. Once the certificate is granted, build the qualification file covering the security-maintenance commitments, the supply chain, and the internal organisation. Anticipate renewals and integrate their schedule into the product cycle.
See also
- CMMC and UK Cyber Essentials: defense cyber baselines
- PSA Certified: Arm-led IoT security baseline
- SESIP: IoT platform security evaluation methodology
- TPM 2.0 and TCG hardware security
Outlook and trends
Three evolutions are worth watching in the coming years.
- Rise of EUCC. ANSSI is progressively shifting new CC issuance toward the European EUCC scheme, which brings harmonisation of assurance levels and a post-market surveillance obligation. Existing certificates remain valid for their original duration.
- Articulation of CSPN and CRA. The Cyber Resilience Act introduces product cybersecurity obligations at European scale. CSPN does not substitute for CRA conformity, but will constitute a relevant piece of evidence for certain chapters of the CRA technical file, in particular on vulnerability management and life cycle.
- Convergence of service qualifications. The PASSI, PDIS, PRIS, PVID, PACS landscape tends to consolidate in terms of portal and procedure. ANSSI regularly publishes status updates on the evolution of its reference frameworks.
Today, the Visa de securite remains the main trust instrument of the regulated French cybersecurity market. Mastering it, together with RED 3.3 and the CRA, structures the market-placement strategy of a cybersecurity product in France and beyond.
Going further
- Cyber Resilience Act: EU product cybersecurity baseline
- ETSI EN 303 645: consumer IoT cybersecurity
- Common Criteria ISO/IEC 15408: international normative framework
- RED directive: radio equipment and article 3.3 cybersecurity
- Glossary: definitions of ANSSI, ENISA, CESTI, EUCC terms
Sources & references
- ANSSI, French national cybersecurity agency. ANSSI, cyber.gouv.fr/
- ANSSI Visa de securite, overview. ANSSI, cyber.gouv.fr/visas-de-securite
- CSPN reference framework, first-level security certification. ANSSI, cyber.gouv.fr/le-referentiel-cspn
- Loi de Programmation Militaire and OIV obligations. ANSSI, cyber.gouv.fr/operateurs-dimportance-vitale-oiv
- SecNumCloud, qualification scheme for cloud service providers. ANSSI, cyber.gouv.fr/secnumcloud-pour-les-fournisseurs-de-services-cloud
- PASSI, qualified security audit providers. ANSSI, cyber.gouv.fr/prestataires-daudit-de-la-securite-des-systemes-dinformation-passi-qualifies
- EUCC, European Cybersecurity Certification scheme on Common Criteria. EUR-Lex, eur-lex.europa.eu/eli/reg_impl/2024/482/oj