Strategic guide for manufacturers

CCN-STIC 2001: what it is and how it fits into LINCE certification

CCN-STIC 2001 sets out the LINCE certification framework: who is involved, how the process is ordered and what needs to be in place before certification can begin.

What CCN-STIC 2001 is

It is the guide that defines the national essential security certification (LINCE). It sets out the actors involved, the order of the process and how certification fits into product qualification within CPSTIC.

In practical terms, it helps answer an early question before any serious work starts: whether LINCE is genuinely the right route for the product.

What decision it helps make

The key question it helps answer is simple: is LINCE the right route for the product?

Quick answer

What it is

The CCN guide that defines the LINCE certification framework.

Who should read it

Manufacturers deciding whether their product should follow the LINCE route.

When it matters most

Before starting the certification process.

When to look elsewhere

If the product is cloud-delivered, CICLON is usually the better starting point.

Which products usually fit LINCE

On-premises software, customer-installed applications, hardware and IoT are the most common fits. When the product is delivered as a cloud service, the correct starting point is usually CICLON.

Relationship between LINCE and CPSTIC

LINCE is one of the routes into the CPSTIC Catalogue.

What this guide actually defines

  • The actors involved in the process: applicant or developer, evaluation laboratory and Certification Body.
  • The relationship between CPSTIC qualification and LINCE certification.
  • The certification phases, from initial preparation to certificate issuance.
  • The conditions required to start an evaluation, including prior approval of the Security Target.

What it makes clear about CPSTIC

The guide states that LINCE is used exclusively in the context of product qualification for CPSTIC. If CPSTIC does not validate the Security Target, certification cannot start.

Manufacturer decisions to lock first

  • Define the exact version and scope to be evaluated.
  • Separate genuinely on-prem behaviour from cloud dependencies.
  • Seek product qualification in the CPSTIC Catalogue.

Typical mistakes

  • Assuming LINCE applies to any cybersecurity product.
  • Starting a certification path that does not match the product type.

How CYBSER helps

We confirm the route is the right one, prepare the Security Target and evaluate the product.

We handle the full process so your team can stay focused on the product.

Consult the official guide

If you need the full text or want to check the official wording, you can consult the CCN guide here.

View CCN-STIC 2001 →

Frequently asked questions about CCN-STIC 2001

Does CCN-STIC 2001 explain how testing is performed?

Not in detail. Its role is to define the LINCE certification framework. The guide that goes deeper into evaluation logic is CCN-STIC 2002.

If my product is cloud-based, should I start with CCN-STIC 2001?

It can help you understand LINCE, but if your solution is delivered as a cloud service you should normally review the CICLON route first.

Is CCN-STIC 2001 connected to CPSTIC?

Yes. The guide states that the LINCE methodology is used exclusively for product qualification in CPSTIC, so certification is tied to the qualification process and to the prior approval of the Security Target.

Want to validate whether LINCE is the right route?

We analyse your product to confirm whether LINCE is the right route.