Standardizing Security Hardening for Privacy and Safety in Consumer Digital Products
Vertical Standards for Security Requirements
Strengthening EU Cybersecurity through Next-Gen Participation
Horizontal standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
The work for the CYBERSTAND SSP consists of actively participating in the CEN/CENELEC JTC 13 WG 9 working group and related outreach workshops across Europe, contributing to the development of horizontal cybersecurity standards under the Cyber Resilience Act (CRA). This includes drafting and reviewing technical contributions, providing feedback on working documents, and bridging legal requirements with practical engineering insights. The project also emphasizes knowledge transfer by documenting processes and sharing outcomes to inspire and facilitate the involvement of more young professionals in European cybersecurity standardisation.
What is the expected result and impact of this activity?
The expected result of this activity is the delivery of timely and practical contributions that strengthen CRA-related horizontal standards, particularly around secure product development, vulnerability handling, and security-by-design. The impact will be twofold: in the short term, it will help ensure that European harmonised standards are technically sound, feasible for manufacturers, and aligned with international best practices; in the long term, it will contribute to Europe’s strategic autonomy by addressing the generational gap in cybersecurity standardisation, ensuring continuity, innovation, and a more inclusive community that reflects Europe’s values of openness and resilience.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
This contribution focuses specifically on horizontal standards under the CRA Standardisation Request and targets the foundational security and resilience of digital products while ensuring compliance pathways that are both legally aligned and technically implementable.
What does the work you will carry out for the CYBERSTAND SSP consist of?
The work under the CYBERSTAND SSP will focus on developing and contributing to vertical cybersecurity standards for consumer IoT products that are closely tied to the physical world, such as smart home assistants, locks, cameras, toys, and wearables. The activity consists of identifying, specifying, and standardizing practical hardening mechanisms like hardware mute switches, secure data segregation, activity indicators, and other safeguards that mitigate privacy and safety risks caused by potential cyberattacks. This will be achieved through active participation in ETSI TC Cyber Working Group EUSR, contributions to draft standards, and outreach activities to ensure that the technical proposals align with European cybersecurity objectives and are both technically feasible and practical for manufacturers.
What is the expected result and impact of this activity?
The expected result is the inclusion of clear, implementable security safeguards in CRA-relevant vertical standards, providing manufacturers with actionable guidance to make consumer devices safer and more trustworthy. The impact will be twofold: first, it will strengthen the resilience of IoT products against cyber incidents that could lead to privacy breaches or physical harm; second, it will reinforce European leadership in cybersecurity regulation by embedding values such as safety, privacy, and trust directly into product standards. More broadly, the project will increase consumer confidence in digital products, reduce risks from digitally initiated threats, and support a secure and competitive European digital single market.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
The project is specifically targeting vertical standards that interpret and implement CRA Annex I Part I essential security requirements for certain categories of consumer IoT devices. The focus areas include data minimisation (ensuring devices only process necessary data), incident impact reduction (through mechanisms like hardware safeguards and secure data handling), and activity monitoring (providing users with transparency and control over device functions). The application directly addresses CRA standardisation requests for essential cybersecurity requirements in smart home assistants, smart security products, internet-connected toys, and personal wearables with health monitoring features.
