CCN-STIC 2001
Defines the LINCE certification framework and helps manufacturers understand when this route really fits a product.
Understand CCN-STIC 2001 →National Essential Security Certification
LINCE Certification: Your Agile Route to the Spanish Public Sector
Fast-track the entry of your on-premises software, customer-installed application, hardware, or IoT product into the Spanish public sector. We manage the entire LINCE evaluation end-to-end, turning a complex process into your clear path to market.
Methodology Experts
Deep knowledge of the LINCE methodology to guide and advise you throughout the entire process.
Collaborative Approach
We work with your team as a true security partner, not just as an auditor.
Agile & Transparent Process
Clear communication and a process with no surprises for a successful and predictable outcome.
What is the LINCE Methodology?
LINCE is the security evaluation methodology from Spain's National Cryptologic Center (CCN), designed to be an agile and cost-effective path to certification.
Our role is to act as your expert partner, handling all necessary preparations and conducting a comprehensive evaluation of your product. We manage the entire process so you can focus on your product.
See the official CCN methodology →
LINCE
Agile cybersecurity certification
Key CCN-STIC guides for LINCE
Two documents explain when LINCE fits and how it is evaluated
If you are assessing LINCE as your route towards CPSTIC, it helps to separate the certification framework from the evaluation methodology.
CCN-STIC 2002
Explains the evaluation methodology, minimum evidence and practical workflow behind a LINCE evaluation.
Understand CCN-STIC 2002 →CICLON or LINCE?
Choose the right certification path according to how your product is deployed.
Choose CICLON
CloudThe right fit for cloud-native products that need to prove security in SaaS, PaaS or IaaS environments.
- ✓ Cloud deployment and shared-responsibility model
- ✓ Continuous monitoring of the SBOM, relevant dependencies, CICLON evaluation of integration components, and cloud-provider ENS or EUCS certification
- ✓ Frequent fit for CPSTIC ambitions in regulated cloud scenarios
Choose LINCE
Software on-premisesThe better fit for products deployed on customer infrastructure, installed on-premises or delivered outside a cloud service model.
- ✓ Point-in-time evaluation instead of iterative monitoring
- ✓ Useful for on-premises software, installed applications and on-prem products
- ✓ Clear path when the cloud model is not central to the product
LINCE vs. Common Criteria
A practical comparison for companies targeting the Spanish public sector.
| LINCE |  Common Criteria / EUCC | |
|---|---|---|
| Primary Goal | Fast CPSTIC Inclusion & Spanish Market Access | International Recognition |
| Core Focus | Functional Tests and Vulnerability Analysis | Exhaustive Process & Documentation Audit |
| Time & Effort | Low (Weeks) | High (Months/Years) |
| Cost | Affordable | Significant Investment |
Key Benefits of LINCE Certification
Access the Public Sector
LINCE is your key to unlocking public administration tenders and contracts in Spain.
Gain a Competitive Edge
Differentiate your product in a crowded market with an official security seal recognized by the Spanish government.
Build Customer Trust
Demonstrate compliance with ENS, increasing confidence among your customers.
Improve Product Security
The evaluation process provides valuable insights to identify and remediate vulnerabilities, making your product stronger.
Our Process, Your Peace of Mind
We guide you step-by-step, from the initial analysis to obtaining the certificate. A clear path with no surprises.
1
Initial Analysis, No Commitment
We discuss your product and goals. We provide a clear, no-cost assessment to define the best path forward together.
2
Preparation and Strategy
We prepare key documentation, such as the Security Target, ensuring everything is aligned with LINCE requirements from the start.
3
Technical Evaluation
Our evaluation team tests your product. We conduct a thorough analysis, including vulnerability scanning and penetration testing, to identify any security gaps.
4
Findings Report and Support
We provide a clear report with our findings and work side-by-side with your team to ensure they understand how to effectively address them.
5
Verification and Report Issuance
Once corrections are applied, we verify that everything has been resolved and issue the evaluation report to the Certification Body.
6
Objective Achieved: Certification
The Certification Body reviews our report and issues the official certificate. Your product is now visible in the CPSTIC Catalogue, opening doors to new opportunities.
The Direct Path to LINCE Certification
Certification doesn't have to be a maze. We offer a direct, predictable route so you can focus on your product, not the bureaucracy.
- ✓
No surprises or cost overruns: We anticipate. We perform a pre-evaluation that brings issues to light before they become an obstacle. Your team will have our support to solve them, saving time and money.
- ✓
Access new opportunities sooner: Time is crucial when public tenders are on the line. Our streamlined process is built for speed, helping you get certified and ready to bid without unnecessary delays.
- ✓
We Steer the Process: We handle everything from start to finish. We prepare the documentation, perform the evaluation, and manage all communication with the CCN to ensure a direct journey to certification.
- ✓
Expert and Continuous Support: We work side-by-side with your development team to ensure they understand and effectively remedy every finding.
Is LINCE for my product?
Our evaluation is the ideal first step for:
- On-premises software and application developers
- Manufacturers of hardware or IoT devices
- Products needing CPSTIC inclusion for tenders
- Companies looking for a first step before Common Criteria
Frequently Asked Questions
Who issues the official LINCE certificate?
The official certificate is granted by the Certification Body (CB) of the National Cryptologic Center (CCN). We manage the entire technical evaluation, delivering a comprehensive report directly to the CB that is meticulously designed to make final validation a seamless formality
How long does the LINCE evaluation process take?
Although it varies depending on the product's complexity, the technical evaluation part usually takes 4 to 8 weeks. This timeframe can vary based on the results. We ensure the process is as agile and efficient as possible.
Is our product a good fit for LINCE?
LINCE is ideal for on-premises software, installed applications, IoT devices, and hardware that need a robust yet agile security validation. It's the most direct path to getting listed in the CPSTIC (ICT Security Product Catalogue). For cloud products, the designated path is CICLON certification. Contact us for a no-cost feasibility analysis.
What happens if vulnerabilities are found in my product?
This is a normal and expected outcome. Our goal is to improve your product. We will provide you with a clear and detailed report with the identified vulnerabilities and work with your team so they understand the findings and can effectively remediate them before issuing the final report to the CCN.
What is the Security Target?
The Security Target is the core document of the evaluation. It defines the product, its security features, and how it meets the requirements. Don't worry about its complexity, our team handles the entire process of writing the Security Target for you. It is a fundamental part of our service, ensuring the document is robust and perfectly aligned with the CCN's expectations.
What is the validity period of the certification?
The LINCE certification is valid for 2 years, after which it needs to be renewed. This renewal process includes a new evaluation to ensure the product continues to meet the established security requirements.
What if we update our certified product?
A LINCE certification is tied to a specific product version. To list a new version in the CPSTIC Catalogue, just contact us. We will perform a gap analysis to assess the changes and, if needed, conduct targeted testing to issue the updated report for the new version.
How much does a LINCE certification cost?
The cost depends on the type of product. However, our process is designed to be the most cost-effective on the market. We provide fixed-price projects with no hidden fees. Contact us for a free, no-obligation quote tailored to your product.
Is LINCE certification a direct path to the CPSTIC Catalogue?
Yes. For most on-premises products, LINCE is the fastest and most direct route to being listed in the CPSTIC Catalogue, which is essential for selling to the Spanish Public Administration. For cloud-based products, the appropriate path is CICLON certification.
Ready to Certify Your Product?
Schedule a free, no-obligation consultation to analyze your product and get a clear roadmap.