Arrow Cybersecurity Consultancy is a specialized consultancy focused on Common Criteria, EUCC, and Cyber Resilience Act (CRA) compliance. We help manufacturers, developers, and evaluation labs navigate complex certification processes with structure and clarity.
We focus on a small set of highly specialized services:
- Common Criteria consultancy
- CRA compliance guidance
- Site certification (Common Criteria and EMVCo) gap analysis
- Training (with a focus on in-person, hands-on sessions)
SERVICES
Common Criteria/EUCC consultancy
- Draft or review certification evidence, including Security Targets, design documents, guidance, and vulnerability analysis.
- Interpret and apply Protection Profiles (PPs) correctly, ensuring your product’s design and documentation align with the chosen PP and its security objectives.
- Engage effectively with evaluation labs and certification bodies, avoiding common pitfalls and saving valuable time.
- Plan for Substantial or High EUCC assurance levels, identifying what additional rigour or documentation is needed to meet higher assurance expectations.
The goal is to make certification predictable and achievable, without unnecessary complexity.
CRA Compliance Consultancy
The Cyber Resilience Act (CRA) will make cybersecurity requirements mandatory for all Products with Digital Elements (PDEs) sold in the EU, starting in December 2027. That means security compliance will no longer be optional; it will be a legal requirement for placing products on the European market.
At Arrow Cybersecurity Consultancy, I help manufacturers and developers understand and prepare for these new obligations. My support covers:
- Gap analysis against CRA essential requirements and Annex I obligations.
- Alignment with existing certification schemes such as EUCC or ISO/IEC 62443, to reuse existing assurance work where possible.
- Support in defining vulnerability handling, patch management, and secure development processes that meet CRA expectations.
- Strategic planning to integrate CRA compliance into your existing product lifecycle and certification roadmap.
Site certificate consultancy based on Common Criteria/EMVCo
Whether you’re preparing for a Common Criteria (EUCC) site audit or an EMVCo site assessment, having the right structure and evidence in place makes all the difference. Site certification isn’t just about the physical environment; it’s about proving that your development, build, and delivery processes consistently protect sensitive assets and maintain product integrity.
My support includes:
- Gap analysis against EUCC site certification requirements (MSSR: Minimum Site Security Requirements).
- Mapping and alignment with EMVCo site security audit expectations.
- Preparation of site evidence and secure development process documentation.
- Mock interviews and on-site preparation to ensure your team is confident and audit-ready.
Whether your goal is to reuse site certification across multiple evaluations or to establish a recognized development environment, I’ll help you build a clear, compliant, and defensible site security framework.
Training
Certification and security evaluation can seem intimidating from the outside, but with the right training, it becomes structured and logical.
I offer tailored sessions for teams at all levels, covering topics such as:
- Common Criteria fundamentals – how evaluations work, what evidence is expected, and how to engage effectively with labs and certifiers.
- EUCC assurance levels (Substantial and High) – what changes with higher assurance, and how to prepare efficiently.
- Side-channel evaluation basics – understanding attack methods, countermeasures, and how evaluators assess resistance.
- Preparing for site or product evaluations – how to document and present your processes for certification success.
While I can adapt to remote formats when needed, I strongly prefer in-person training, where discussions flow naturally, teams stay engaged, and learning becomes truly hands-on.