International recognition of IT security certificates

To ensure the mutual recognition of IT security certificates, international agreements are negotiated in working groups and signed by the participating states. These agreements avoid repeated certification of the same product in different countries, provided the certificates are based on ITSEC (Information Technology Security Evaluation Criteria) or the CC (Common Criteria). As a rule, such recognition arrangements cover the following points:

  • How the respective agreement is coordinated and implemented. This is the responsibility of a Management Committee (such as the SOGIS-MC or the CCRA-MC), which draws on the work of several subordinate working groups
  • How national certification bodies are accepted into the arrangement and how they monitor each other (mutual assessment)
  • Up to which assurance levels and in which technical domains recognition applies; for example, the CCRA recognises certificates up to EAL 2 (augmented with ALC_FLR) or based on collaborative Protection Profiles, whereas the SOGIS-MRA recognises certificates up to EAL 4 in general and higher levels in agreed technical domains such as smart cards and similar devices
  • Which restrictions apply to the recognition of certificates that conflict with national, international or EU laws or regulations. This applies in particular in the field of national security

To date, the BSI has signed the SOGIS-MRA (Senior Officials Group Information Systems Security Mutual Recognition Agreement) for the European recognition of IT security certificates and the CCRA (Common Criteria Recognition Arrangement) for their global recognition.

For certificates recognised by the BSI, this process provides for recognition to be limited where unrestricted recognition would run counter to overriding public interests and, in particular, to the security interests of the Federal Republic of Germany (BSIG Section 9 (4) No. 2).

As a result, recognition is limited in relation to the following:

  • Selection of cryptographic algorithms and functions
  • Test results concerning the implementation and strength of cryptographic algorithms and functions

National rules and regulations take precedence here.