Evolving Standards for Evolving Threats: A Lifecycle-Based Approach to IoT Cybersecurity
Horizontal standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
My work under the CYBERSTAND SSP consists of contributing to both horizontal and vertical cybersecurity standards for Internet of Things (IoT), bridging CEN-CENELEC and ETSI efforts under the Cyber Resilience Act (CRA). I will participate in CEN-CLC/JTC 13 WG 9 to help develop the “Generic Security Requirements” standard and work closely with ETSI TC CYBER and WG EUSR on defining vertical-specific requirements, ensuring alignment between general CRA compliance principles and IoT-sector-specific needs, such as those in smart home, consumer, and industrial contexts. My activities include drafting testable security and privacy requirements, validating them via monthly experiments, and engaging with SMEs, regulators, and stakeholders.
What is the expected result and impact of this activity?
This activity will produce validated, real-world-applicable security and privacy requirements for IoT, directly supporting both CEN-CENELEC and ETSI standardisation efforts. The impact lies in bridging horizontal security requirements with vertical-specific needs, enabling more effective and scalable adoption across IoT domains. My involvement in ETSI TC CYBER and WG EUSR helps ensure that sector-specific challenges, like data minimisation in smart homes or attack surface limitations in IoT, are addressed with tailored yet interoperable standards. The results of monthly IoT testing feed into both working groups, supporting harmonisation and empirical grounding. By collaborating with both ETSI and CEN-CENELEC, this project helps operationalise the CRA across various IoT use cases, lowers the compliance burden for SMEs by promoting reusable methodologies, and strengthens Europe’s leadership in international cybersecurity standardisation.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
My focus includes three horizontal aspects of the CRA: avoiding known exploitable vulnerabilities, limiting personal data processing, and designing products with reduced attack surfaces. I am also supporting ETSI’s work on vertical IoT standards. The goal is to help translate these general obligations into practical, sector-specific requirements through ETSI TC CYBER, especially for smart home, consumer, and industrial IoT.
