Xiaoying Suo

Title of proposal

Contribution to the Development of Technical Standards in Support of the CRA

CRA Standards

Horizontal standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
My work involves developing and standardizing fundamental concepts for a risk-based approach in the engineering processes of products with digital elements, as required by the Cyber Resilience Act (CRA). As the ICT Standardization Project Manager and Head of Cybersecurity, I am focusing on developing horizontal standards 1-14 for security requirements relating to product properties. This includes defining the building blocks and concepts that help vendors assess the security needs of specific products and select sufficient security measures. My role as Secretary/Head of the national mirror committee to ISO/IEC JTC1/SC27 and CEN/CLC JTC13 allows me to ensure alignment between national and international standardization efforts in this area.

What is the expected result and impact of this activity?
The expected results include the development of a comprehensive cybersecurity framework with a standardized risk-based approach for assessing and ensuring appropriate levels of cybersecurity based on product risks. This will create a unified set of security requirements applicable across various digital product categories, improve the overall security of digital products, enhance transparency and consumer trust, and support SMEs and innovation in the European market. The impact will include harmonization of security requirements, European leadership in cybersecurity standards, cross-sector collaboration, regulatory efficiency, economic benefits through reduced cybersecurity incidents, and a foundation for future vertical standards development.

Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
I am focusing on developing horizontal standards 1-14 for security requirements relating to the properties of products with digital elements. Specifically, my work addresses the challenges identified in the CRA regarding: standardizing the assessment of security needs for a product's intended use; defining when security measures are sufficient; enabling comparable assessment of product resistance against specific attack methods; and standardizing how vendors inform consumers about security properties and robustness levels. This work aligns with existing standards including ISO 31000:2018, ISO/IEC 31010:2019, ISO/IEC 15408, ISO 31073:2022, prEN 18037:2024, ISO 18045, and EN 17640:2022.

Full Name
Xiaoying Suo
Country
Spain
Organisation
Spanish Association for Standardization
Standards Development Organisation
Working Groups and Technical Committees
CEN/CLC TC 13; CEN/CLC JTC13/WG 9 CRA