Cross-Sector Cybersecurity Expertise for CRA HeN: From Connected Devices to Backend Services
Horizontal standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
As part of the CYBERSTAND SSP, I contribute to the development of harmonized European standards under the Cyber Resilience Act (CRA). Specifically, I participate in the CEN-CENELEC JTC 13 / WG9 / PT1 and PT2 working groups, which are tasked with specifying process and product security requirements for digital products. My role includes drafting and reviewing requirements related to risk management, technical security controls as well as 3rd party supplier handling.
What is the expected result and impact of this activity?
The expected result is a comprehensive and technically sound standard that enables manufacturers to demonstrate conformity with the essential cybersecurity requirements of the CRA. The standard will improve consistency across EU products with digital elements and support the principle of security by design. This contributes to a more resilient digital market and strengthens trust in connected devices across Europe.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
In PT2, I focus primarily on the technical definition of security requirements derived from Annex I – Essential Cybersecurity Requirements.
In PT1, my main focus is on the handling of third-party suppliers. Additionally, I contribute to discussions on the structure and cybersecurity risk assessment methodologies within the standards, aiming to ensure a balance between technical feasibility and regulatory clarity.
