CYEN
Horizontal standards for security requirements
Horizontal standards for vulnerability requirements
Vertical standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
CYEN will contribute to the CYBERSTAND SSP by reviewing and improving at least three existing cybersecurity standards by October 2026. This work will focus on standards relevant to the CRA, identifying gaps, ambiguities and implementation challenges for SMEs and manufacturers. For each standard, CYEN will deliver a structured standard review input file with clause-by-clause comments, proposed revised wording and justifications aligned with EU regulatory practice.
In addition, CYEN will contribute to at least three deliverables listed in the CEN/CENELEC and/or ETSI Work Programme by 30 August 2026. This will include drafting and reviewing content and promoting alignment between different standards and regulations to support a holistic approach. Contributions will be provided through written inputs, participation in drafting groups and responses to formal consultations.
CYEN will also support the drafting and consensus building of at least one CRA-related standard by 30 August 2026. We will focus on ensuring that requirements are both practical for manufacturers and robust from a regulatory perspective. CYEN will help bridge regulatory expectations and industry capabilities by providing concrete examples and use cases from real-world projects.
To underpin this work, CYEN will actively participate in the standards development process by attending at least 20 WG/TC meetings and submitting at least 20 structured comments on draft standards by October 2026. Through these meetings, CYEN will follow and influence the evolution of drafts, represent the perspective of EU-based SMEs and critical sectors, and support coordination between standards. Its comments will focus on clarity, consistency, implementability and alignment with EU legislation, using official templates to ensure they can be efficiently processed and integrated.
What is the expected result and impact of this activity?
CYEN's contribution will aim to make cybersecurity standards more practical and proportionate for SMEs by promoting tiered, clearly testable requirements. SMEs will better understand what is expected at different maturity levels and can avoid unnecessary or overly complex controls. As a result, they can achieve higher security outcomes with lower compliance costs and more predictable implementation efforts.
By clarifying and harmonising requirements and conformity assessment criteria, the work will also support faster market access. Predictable evidence expectations and interoperable audit approaches will allow one well-structured assessment to be reused across multiple schemes and markets. This reduces duplicated audits and documentation, helping manufacturers and service providers bring secure products and services to market more quickly.
Finally, where feasible, we aim to support strengthened market supervision through consistent metrics and machine-readable compliance artefacts. Standardised formats for security evidence and reporting will enable authorities and conformity assessment bodies to compare organisations and products more objectively and automate parts of their oversight. This improves the effectiveness and efficiency of supervision, leading to a more trustworthy and resilient EU cybersecurity ecosystem.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
Horizontal standards for security, governance, risk compliance, vulnerability management, secure configurations
