Translating CRA requirements into risk-based NMS Security Controls
Vertical standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
Through this CYBERSTAND SSP contribution, we will develop technical specifications that translate the essential cybersecurity requirements of CRA Annex I (Part I product requirements and Part II vulnerability-handling requirements) into actionable security requirements for network management systems. The work consists of creating a risk-based security framework for systems that hold privileged access to an entire network: an NMS stores the credentials and topology of every device it manages, so compromising it hands an attacker the whole infrastructure at once. Drawing on our experience building custom network management solutions that integrate third-party and proprietary systems, we will draft detailed normative requirements covering secure-by-default configuration, access control, vulnerability handling and data protection, each adapted to NMS operational constraints. We will develop implementation guidance grounded in practical experience with the management protocols in use (SNMP, NETCONF, RESTCONF), define conformity assessment criteria that allow compliance to be evaluated consistently, and align the result with the related CRA vertical standards. Manufacturers will receive a clear technical roadmap for building secure management platforms; conformity assessment bodies will receive practical assessment methods.
What is the expected result and impact of this activity?
The expected result is a harmonised standard that lets network management systems be treated as secure, trustworthy components of European digital infrastructure. For manufacturers it will provide technically specific requirements for implementing CRA compliance, reducing the cost and uncertainty of interpreting the Annex I text themselves. Network management systems are listed among the Class I important products in CRA Annex III, for which the internal control (self-assessment) procedure is available only when harmonised standards covering the essential requirements are applied in full; a usable harmonised standard is therefore what makes the streamlined self-assessment route available at all. For market surveillance authorities and conformity assessment bodies, the standard will deliver unambiguous evaluation criteria and repeatable test methods, supporting consistent enforcement across the European market. The broader impact is verifiable security requirements for the systems that control critical network infrastructure, a clear security differentiator for European manufacturers, and better protection for the telecommunications, energy and transport services that depend on secure network management. By translating the high-level CRA requirements into risk-based, implementable specifications, the standard will allow European organisations to deploy network management systems with confidence while preserving the operational effectiveness that 24/7 critical infrastructure requires.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
We are developing the vertical standard for network management system security (Topic 21), translating each of the CRA Annex I essential cybersecurity requirements into technical specifications for the NMS context. Three questions shape the work: how secure-by-default principles apply to a system that must run continuously with privileged administrative access across a heterogeneous network; how vulnerability handling and security update mechanisms can meet 24/7 operational requirements without interrupting critical monitoring; and how to implement access controls and data protection appropriate for a system that holds sensitive network topology information and device credentials. We bring direct expertise in the operational constraints of network management platforms, which must balance rigorous security controls against high availability requirements. The contribution focuses on a risk-based framework in which the required controls are proportionate to the deployment context, from core infrastructure management systems needing high-assurance controls to narrower monitoring tools with proportionately lighter measures, so that the standard is both comprehensive and practically implementable across diverse European network infrastructures.
