Evaluation Assurance Level (EAL)

The term EAL level refers to a level of assurance (Evaluation Assurance Level) for a security service or product.
The EAL levels of the Common Criteria (ISO 15408) describe precise requirements for an IT security audit. As the EAL number increases, so do the requirements for the scope to be audited, the depth of the audit and the audit methods. A lower EAL level can be regarded as a subset of the audit effort required for the next higher level. It therefore makes sense to start the evaluation process with a lower EAL level, since a first usable audit result, in the form of a certificate with a detailed report, can be achieved more quickly. Building on this, the next EAL levels "only" have to cover the additional audit effort. For EAL4, for example, the source code must be evaluated, which requires the evaluator to have developer-level knowledge of the product; the documentation effort for the product is correspondingly high. From EAL5 onwards, formal specification and verification methods are added, which conventional development methods no longer satisfy.
The aim of a Common Criteria evaluation is to confirm that the security functionality claimed by the manufacturer is effective. Since security functionality can be rendered ineffective above all by exploitable existing vulnerabilities, vulnerability analysis is a key test objective across all aspects of the evaluation. Achieving higher EAL levels requires the ability to cover increasingly complex exploitable vulnerabilities.
The certification report clearly shows how much more detailed an EAL4 certificate is than an EAL2 certificate, for example. If the product contains a vulnerability that cannot be eliminated, this can lead to considerable restrictions on its permitted use. For example, a security functionality proven at EAL4 might only be effective if massive restrictions are placed on its use, e.g. if the conditions for operating the product are such that any possibility of attack from a network is eliminated and an existing vulnerability can no longer be exploited. Anyone operating the product in a different way would know that they are vulnerable -- despite the EAL4 certificate.
A detailed description of the security performance of a certified product can be found in the certification report (all certification reports are published on the Common Criteria portal, http://www.commoncriteriaportal.org/). Of particular interest are the scope of the evaluated configuration and the assumptions made about the operation of the product. In fact, Internet use is not part of the configuration scope for many certificates, and network environments are often subject to high requirements for network protection.
With regard to waiving a security audit: untested security technology is worth as much as the safety of a car that has not been tested for roadworthiness. It might be fine, but you would have good reason not to trust it. You can only have confidence in the car's safety once an independent body has tested it as roadworthy. During an MOT, however, all cars are inspected at the same level, whereas the effort required to test IT security varies considerably and is generally much greater. It therefore makes sense to offer an economically graduated evaluation process, as the EAL levels do.