CRA and AI ACT standards interplay in relation to cybersecurity
Horizontal standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
My work centers around supporting a clear and harmonized terminology in cybersecurity standards under the Cyber Resilience Act (CRA) within CEN-CENELEC/JTC 13/WG9 and in those specifically targeting the security of AI systems within CEN-CENELEC/JTC 21/WG5. In both workstreams, I aim to monitor and comment to achieve standards with harmonised text that gives product-agnostic security requirements with minimal contradictions and thus ensure a smooth conformity assessment process across frameworks.
What is the expected result and impact of this activity?
As both regulations (the CRA and the AI Act) apply to AI systems that qualify as digital products, the result of my work shall be a consistent terminology and risk-based technical measures in the standards texts. Thereby I would like to ensure the coherence between CRA standards and those being developed in parallel under the AI Act, especially the cybersecurity standard JT021029 in JTC 21/WG5. The impact is reduced contradictions and thus a smoother technical conformity assessment process across both regulatory frameworks. This helps to ensure that the JTC 13/WG9 deliverables under the CRA are interoperable with AI-specific standards while reflecting broader cybersecurity best practices.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
This contribution focuses on supporting the development of horizontal cybersecurity standards under the Cyber Resilience Act (CRA) within CEN-CENELEC/JTC 13/WG9, with particular attention to ensuring alignment with the AI Act.
