Riccardo Sirigu

Title of proposal

Secure-by-Design and Risk-Based Engineering for Products with Digital Elements

CRA Standards

Horizontal standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?

I'm currently working with CEN/CLC/JTC 13 Working Group 9 (WG9) on the development of horizontal standards that support the cybersecurity requirements set out in the Cyber Resilience Act.

These standards define a baseline of security controls that apply across all digital products. They’re meant to serve as a shared foundation for the vertical standards that will address specific product categories.

My role involves helping turn regulatory text into a clear, structured set of controls. I contribute to drafting, reviewing, and refining these controls with the group, making sure they’re not just technically sound but also practical, especially for small and medium-sized enterprises that may not have dedicated security resources.

The goal is to create something realistic and applicable: a set of controls that product teams can actually use to meet CRA requirements in day-to-day development.

What is the expected result and impact of this activity?

The result of this work is a catalogue of cybersecurity controls based on the core requirements of the Cyber Resilience Act. This catalogue will support the development of the vertical standards for specific product categories. The practical impact is that manufacturers, especially smaller ones, will have something usable, not vague legal language, but clear security measures they can actually apply during product design and maintenance. This baseline helps bring consistency across different sectors and raises the overall standard for product security in the EU market.

Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?

I'm currently working on the horizontal cybersecurity standards that define the core security properties of products with digital elements, as outlined in entries 2 to 14 of Annex I of the standardisation request. These cover areas such as protection against known vulnerabilities, secure configuration, data integrity, incident handling, and software updates. I focus on the requirements where a software engineering perspective can make the most impact.

Full Name
Riccardo Sirigu
Country
Italy
Organisation
Abissi SRL
Standards Development Organisation
Working Groups and Technical Committees
CEN/CLC/JTC 13/WG 9
LinkedIn