The inclusion of an EU-wide Information and Communications Technology certification framework in the new EU cybersecurity legislation has prompted interest in the topic of security certification and evaluation. This paper draws on SAFECode members’ experience with security certifications and presents lessons learned as well as recommendations for any new schemes.