India chairs CCDB (April 2026 – April 2028) — the technical heart of the global IT-security certification treaty (CCRA), confirmed at the Tokyo Q1 meeting; India has been a Certificate Authorising Nation since Sept 2013
Why in News
On May 14, 2026, the Ministry of Electronics and Information Technology (MeitY) confirmed that India has been nominated Chair of the Common Criteria Development Board (CCDB) for a two-year term running from April 2026 to April 2028. The decision was finalised at the First Quarter Meeting of the Common Criteria Recognition Arrangement (CCRA) held in Tokyo from April 14 to 16, 2026. The CCDB is the technical core of the CCRA — an international treaty for mutual recognition of IT-security certificates — and is responsible for developing and maintaining the Common Criteria standard (ISO/IEC 15408) and the Common Methodology for Information Technology Security Evaluation (CEM).
India's claim to the chair is institutionally grounded. India has been a Certificate Authorising Nation (CAN) under the CCRA since September 16, 2013, joining the small group of countries empowered not only to consume but also to issue Common Criteria certificates accepted worldwide. The Indian nodal agency is the Standardisation Testing and Quality Certification (STQC) Directorate under MeitY, which operates the Indian Common Criteria Certification Scheme (IC3S). Through IC3S, India runs the Indian Common Criteria Test Laboratories (CCTLs) that evaluate IT products against Protection Profiles and Security Targets — and the Common Criteria Certification Body (CCCB) that issues the final certificates.
Why this matters strategically: the CCRA's mutual-recognition arrangement allows a certificate issued in one member country to be valid across 38+ member nations without re-testing, dramatically reducing time-to-market for security-sensitive IT products. By chairing the CCDB, India influences technical decisions on how the world evaluates firewalls, operating systems, smart cards, biometric devices, hardware security modules and the new generation of AI/cloud security products. The two-year chairmanship runs concurrently with India's larger digital push — Digital Personal Data Protection Act, 2023; CERT-In's evolving role; the Bharat NCX (National Cyber Exercise); and the policy debate around Trusted Telecom Equipment lists. For UPSC and SSC aspirants, the CCDB chair sits squarely at the intersection of cyber security, international standards diplomacy, and India's growing role in global technology governance.
At a Glance
- Body chaired: Common Criteria Development Board (CCDB)
- Term: April 2026 – April 2028 (two years)
- Decision venue: CCRA Q1 Meeting, Tokyo, April 14–16, 2026
- MeitY confirmation date: May 14, 2026
- Parent treaty: Common Criteria Recognition Arrangement (CCRA)
- India joined CCRA: September 16, 2013 (Certificate Authorising Nation)
- Nodal agency: STQC Directorate, MeitY
- Indian scheme: Indian Common Criteria Certification Scheme (IC3S)
- Standards managed: ISO/IEC 15408 (Common Criteria) and CEM
- Coverage: firewalls, OS, smart cards, HSMs, biometric devices
- Member nations: 38+ in the CCRA
- Indian agency on Aadhaar/biometrics: UIDAI (closely linked to CC-certified devices)
What India is now chairing
The Common Criteria Development Board (CCDB) is the technical management body of the Common Criteria Recognition Arrangement (CCRA), an international treaty for mutual recognition of IT-security evaluation certificates. While other CCRA committees handle policy and management, the CCDB owns the technical work: maintaining and evolving the Common Criteria (CC) standard — published as ISO/IEC 15408 — and the Common Methodology for Information Technology Security Evaluation (CEM). It also runs the international work programme for new Protection Profiles, manages technical working groups, and maintains the integrity of the Common Criteria Portal, the global authoritative repository of certified IT-security products.
How India qualified
India became a Certificate Authorising Nation (CAN) in the CCRA on September 16, 2013 — a small, prestigious club whose members can both issue and recognise Common Criteria certificates accepted across 38+ member nations. The Indian Nodal Agency is the Standardisation Testing and Quality Certification (STQC) Directorate under MeitY. The Indian scheme is the Indian Common Criteria Certification Scheme (IC3S), under which: (a) accredited Common Criteria Test Laboratories (CCTLs) evaluate products against Protection Profiles and Security Targets; and (b) the Common Criteria Certification Body (CCCB) issues the final EAL (Evaluation Assurance Level) certificate. Indian-certified products are valid across all CCRA members without re-testing.
Why the chair matters
Three reasons. First, technical influence: chairing the CCDB lets India shape Protection Profiles for emerging technologies — AI/ML systems, post-quantum cryptography, cloud and zero-trust architectures, 5G/6G network elements, IoT devices and hardware security modules. Second, market access: faster acceptance of Indian-certified products in defence, banking and telecom markets of CCRA members. Third, strategic positioning: India's chairmanship runs alongside the Digital Personal Data Protection Act, 2023, CERT-In's expanded reporting mandate, the Trusted Telecom Equipment regime, and the proposed Digital India Act — all of which can be aligned with CC standards for export competitiveness.
How it links to India's domestic stack
The CCDB chair directly reinforces several Indian initiatives. (1) UIDAI's biometric devices (Aadhaar L0/L1 PIDs) reference international evaluation standards. (2) RBI's regulations for HSMs in banking core systems and digital-rupee infrastructure depend on certified hardware. (3) Defence procurement under the DPP/DAP requires CC-evaluated network security devices for critical systems. (4) The proposed Digital India Act and the Trusted Telecom Equipment list under DoT both rely on internationally recognised security evaluation. Chairing the CCDB lets India translate its own technical and policy priorities into international Protection Profiles, rather than always being a rule-taker.
Must Remember
- India has been nominated Chair of the Common Criteria Development Board (CCDB) for a two-year term — April 2026 to April 2028.
- The decision was taken at the First Quarter Meeting of the Common Criteria Recognition Arrangement (CCRA) held in Tokyo from April 14 to 16, 2026.
- MeitY (Ministry of Electronics and Information Technology) confirmed the appointment publicly on May 14, 2026.
- India has been a Certificate Authorising Nation (CAN) under the CCRA since September 16, 2013.
- Indian Nodal Agency: STQC (Standardisation Testing and Quality Certification) Directorate under MeitY — through the Indian Common Criteria Certification Scheme (IC3S).
- CCDB is the technical core of the CCRA — develops and maintains the Common Criteria (ISO/IEC 15408) and the Common Evaluation Methodology (CEM).
- Common Criteria is the international standard for evaluating the security of IT products — firewalls, operating systems, smart cards, biometric devices etc.
- The CCRA is an international treaty for mutual recognition of IT-security certificates across member countries — a certificate issued by one member is accepted by all.
Static GK
- MeitY (Ministry of Electronics and Information Technology) — created in 2016 by bifurcation of the Department of Electronics and Information Technology.
- STQC Directorate established in 1980; operates labs across India and runs IC3S since 2009.
- ISO/IEC 15408 — the international standard published jointly by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission).
- CCRA has 38+ member countries — split into Certificate Authorising Nations (issue + recognise) and Certificate Consuming Nations (only recognise).
- Digital Personal Data Protection Act, 2023 — India's flagship data-protection law, notified August 2023.
- CERT-In (Indian Computer Emergency Response Team) — under MeitY, established 2004; under Section 70B of the IT Act, 2000.
- UIDAI's Aadhaar biometric devices (Public Devices, Registered Devices) reference Common Criteria evaluation in their L0/L1 PID specifications.
- Information Technology Act, 2000 — primary cyber-law in India; amended in 2008 (Section 66A among others); CERT-In notified under Section 70B.
Glossary
- Common Criteria (CC): International standard (ISO/IEC 15408) for evaluating the security of IT products against defined Protection Profiles, producing an Evaluation Assurance Level (EAL) certificate.
- Common Criteria Recognition Arrangement (CCRA): International treaty under which CCRA member nations mutually recognise each other's Common Criteria certificates — a single certificate is valid across 38+ countries.
- Common Criteria Development Board (CCDB): The technical management body of the CCRA — develops and maintains the CC standard and the CEM; coordinates technical working groups.
- Common Evaluation Methodology (CEM): The companion document to ISO/IEC 15408 that prescribes the actual methods evaluators use to test IT products against the CC standard.
- STQC Directorate: Standardisation Testing and Quality Certification — a body under MeitY that runs India's national infrastructure for product testing, certification and Common Criteria evaluation.
- IC3S: Indian Common Criteria Certification Scheme — operated by STQC, comprising accredited CCTLs and the CCCB that issues certificates.
- Protection Profile (PP): An implementation-independent set of security requirements for a class of products (e.g., firewalls, smart cards) against which actual products are evaluated.
- Evaluation Assurance Level (EAL): A graded confidence rating from EAL1 (lowest) to EAL7 (highest) on the depth and rigour of security evaluation a product has undergone under the CC.
Timeline
- 1998: Common Criteria v1.0 released as an international standard — successor to TCSEC (Orange Book), ITSEC and CTCPEC.
- 1999: ISO publishes ISO/IEC 15408 — the Common Criteria standard.
- 2000: Information Technology Act, 2000 enacted in India — provides legal foundation for cyber-security and electronic governance.
- 2009: Indian Common Criteria Certification Scheme (IC3S) launched by STQC Directorate.
- Sept 16, 2013: India becomes a Certificate Authorising Nation (CAN) in the CCRA.
- 2014: CCRA Vision Statement — moves towards collaborative Protection Profiles (cPPs) over evaluator-defined EALs.
- 2023: Digital Personal Data Protection Act, 2023 enacted in India; CERT-In tightens incident-reporting rules under Section 70B.
- April 14–16, 2026: CCRA First Quarter Meeting in Tokyo nominates India as Chair of CCDB.
- May 14, 2026: MeitY publicly confirms India's CCDB chairmanship for April 2026 – April 2028.
- CCDB = Technical heart of CCRA: CCRA is the treaty, CCDB does the engineering — maintains the Common Criteria (ISO/IEC 15408) and CEM standards.
- 2013 → 2026: India CAN since Sept 16, 2013; India CCDB Chair from April 2026 to April 2028.
- Tokyo–April–14–16: Decision taken at the CCRA Q1 meeting in Tokyo, April 14–16, 2026. MeitY confirmed publicly on May 14, 2026.
- STQC + IC3S: STQC Directorate (under MeitY) runs the Indian Common Criteria Certification Scheme (IC3S) — testing labs (CCTLs) + certification body (CCCB).
Exam Angles
Cyber-security has emerged as a strategic domain combining national security, digital economy and consumer trust. India's growing digital footprint — Aadhaar, UPI, digital rupee, DigiLocker, Ayushman Bharat Health Account, e-Hospital — depends on a layered assurance stack: international standards (Common Criteria, ISO 27001, FIPS), domestic institutions (MeitY, STQC, CERT-In, NCIIPC), and the legal framework (IT Act 2000, DPDP Act 2023, proposed Digital India Act). India's elevation to CCDB Chair (April 2026 – April 2028) consolidates a decade of preparation since becoming a Certificate Authorising Nation in September 2013.
Mains Q · 250w: India's nomination as Chair of the Common Criteria Development Board (April 2026 – April 2028) marks a notable advance in its cyber-security and technology-standards diplomacy. Discuss the architecture of India's cyber-security ecosystem — institutional, legal and international — and evaluate how leadership of the CCDB can strengthen national objectives in digital sovereignty, trusted electronics and export competitiveness. (250 words / 15 marks)
Flashcard
Q · On May 14, 2026, MeitY confirmed that India has been nominated Chair of the Common Criteria Development Board (CCDB) for April 2026–April 2028 — the technical core of the international IT-security tre…
Connections & Comparisons
- Connect to the Digital Personal Data Protection Act, 2023 — data security and product security are complementary stacks.
- Recall CERT-In (Section 70B of IT Act, 2000) and NCIIPC (Section 70A) — domestic cyber-incident and critical-infrastructure protection institutions.
- Compare with ISO 27001 — information-security management (process-side) vs Common Criteria (product-side); both are typically used together.
- Link to the Trusted Telecom Equipment regime under DoT and the 'Trusted Source' rules — built on internationally recognised security evaluation.
- Connect to UIDAI's Aadhaar Public Devices / Registered Devices ecosystem — biometric device security references CC-style evaluation.