Javier Tallón

Title of proposal

CRA Verticals L19/L22/L36: Consistency & Testability Aligned with EUCC/EUMSS

CRA Standards

Vertical standards for security requirements


What does the work you will carry out for the CYBERSTAND SSP consist of?

I will contribute as an expert reviewer to CRA vertical standards L19 (anti-malware), L22 (SIEM) and L36 (firewalls/IDS/IPS). The work centres on producing review packs for each line, embedded in the relevant TC/WG workflow and timelines. Each pack contains: (i) line-by-line technical/editorial comments, (ii) ready-to-merge text proposals with defined terms and short rationales, and (iii) a traceability matrix mapping the vertical requirements to CRA horizontal entries (2–14 and 15) and to the evidence expectations of EUCC (products) and EUMSS (managed security services). A cross-vertical consistency report will identify overlaps and propose shared terminology to minimise duplication among L19/L22/L36.

A strong emphasis is placed on secure update and vulnerability handling. I will integrate principles from ISO/IEC TS 9569:2023 (Patch Management extension to ISO/IEC 15408/18045) into proposed text and checklists, ensuring updates, signatures/rules/models and telemetry are governed by verifiable, lifecycle-aware controls. The workplan is flexible by design: while the submission proposes an indicative sequence (L19 → L22 → L36 with two iteration cycles), I will adapt priorities and deliverables to the WG’s agendas and deadlines. Participation will be primarily remote/hybrid, with engagement through document repositories, issue trackers and scheduled WG meetings.


What is the expected result and impact of this activity?

The activity will deliver three review packs (one per vertical) plus a horizontal consistency report, all aligned with WG processes. Immediate results include clearer, more uniform wording across L19/L22/L36; testable requirements linked to CRA horizontals; and ready-to-merge text that reduces editorial burden. The traceability matrices provide a direct bridge from CRA requirements to EUCC/EUMSS evidence types, enabling manufacturers and managed service providers to reuse conformity material and avoid duplicated efforts.

The broader impact is higher legal certainty and faster adoption. Consistent, verifiable requirements support future harmonised standards and improve the reliability of CRA presumption of conformity across the EU. Integrating TS 9569-based secure-update patterns and horizontal 15 (vulnerability handling) strengthens resilience, from anti-malware updates and SIEM correlation rules to network security device signatures. The cross-vertical terminology and structure improve interoperability and reduce contradictions, which benefits not only large vendors but also SMEs and open-source projects seeking practical, assessment-ready guidance. Finally, explicit coherence with EUCC/EUMSS and awareness of NIS2, the Cyber Solidarity Act and the AI Act (where analytics/ML are implicated) ensures the texts remain aligned with the evolving European regulatory landscape.


Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?

The focus is the vertical standardisation of L19, L22 and L36, tightly aligned with the CRA horizontals and related conformity ecosystems. Technically, I concentrate on:
• Horizontal mapping (2–14 and 15): ensuring that cross-cutting obligations—secure development, configuration, logging/telemetry, documentation, and especially vulnerability handling (15)—are reflected consistently inside each vertical.
• Secure update & patch management: embedding ISO/IEC TS 9569:2023 guidance so anti-malware engines, SIEM correlation rules/detections, and firewall/IDS/IPS signatures/firmware follow verifiable lifecycle controls (integrity, rollback, provenance, timely distribution).
• Assessment readiness: wording that supports conformity assessment and future harmonised standards, with traceability to EUCC/EUMSS evidence expectations to streamline evaluation of products and managed services.
• Cross-vertical coherence: eliminating overlaps and normalising terminology across L19/L22/L36 to reduce ambiguity and implementation costs.
• Regulatory consistency: keeping assumptions compatible with NIS2, the Cyber Solidarity Act, and the AI Act where analytics/ML appear (notably in SIEM and advanced anti-malware).
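As an added illustration of the four lifecycle controls named above (integrity, rollback, provenance, timely distribution), the following Python sketch verifies a signed update package (for example a signature or rule set) before it is accepted. It is example code written for this page, not text from the proposal or from any of the referenced standards. The signing key, manifest fields, sample payloads and the seven-day freshness window are constructed assumptions, and HMAC-SHA256 stands in for the asymmetric signature a real update channel would use.

```python
"""Verification of a signed update package against four lifecycle controls:
provenance, rollback protection, freshness and integrity. Added illustration
only; HMAC-SHA256 stands in for an asymmetric signature (assumption), and
every key, manifest and payload below is constructed for the example."""

import hashlib
import hmac
import json
import time

# Constructed trust anchor: in practice this is the vendor's public key.
TRUSTED_SIGNING_KEY = b"constructed-vendor-signing-key"

# Maximum age of a manifest before it is treated as stale (assumption: 7 days).
MAX_MANIFEST_AGE_SECONDS = 7 * 24 * 3600


def sign_manifest(manifest, key):
    """Producer side: canonicalise the manifest and sign it."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_update(package, installed_version, now):
    """Consumer side: return (accepted, reason). Provenance is checked first so
    that no other manifest field is trusted before the signature verifies."""
    manifest = package["manifest"]
    # Provenance: the manifest must be signed by the trusted key.
    expected = sign_manifest(manifest, TRUSTED_SIGNING_KEY)
    if not hmac.compare_digest(expected, package["signature"]):
        return False, "provenance: signature does not verify"
    # Rollback protection: the version must strictly increase.
    if manifest["version"] <= installed_version:
        return False, "rollback: version %d not newer than installed %d" % (
            manifest["version"], installed_version)
    # Timely distribution: reject stale manifests (replay of an old signed package).
    if now - manifest["issued_at"] > MAX_MANIFEST_AGE_SECONDS:
        return False, "freshness: manifest older than allowed window"
    # Integrity: the payload digest must match the signed digest.
    digest = hashlib.sha256(package["payload"]).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "integrity: payload digest mismatch"
    return True, "accepted version %d" % manifest["version"]


def build_package(payload, version, issued_at, key=TRUSTED_SIGNING_KEY):
    """Assemble a package as the producer would: manifest, signature, payload."""
    manifest = {
        "version": version,
        "issued_at": issued_at,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest, key), "payload": payload}


def demo():
    """Run one accepted package and one failing package per control."""
    now = time.time()
    installed = 41
    rules = b"constructed signature set v42"
    cases = [
        ("good", build_package(rules, 42, now - 60)),
        ("rollback", build_package(rules, 40, now - 60)),
        ("stale", build_package(rules, 43, now - 30 * 24 * 3600)),
        ("wrong key", build_package(rules, 44, now - 60, key=b"not-the-vendor")),
    ]
    tampered = build_package(rules, 45, now - 60)
    tampered["payload"] = b"constructed signature set, modified in transit"
    cases.append(("tampered", tampered))
    return [(name, *verify_update(pkg, installed, now)) for name, pkg in cases]


if __name__ == "__main__":
    for name, ok, reason in demo():
        print(f"{name:10s} {'OK ' if ok else 'REJ'} {reason}")
```

The ordering of checks matters: provenance is established before the version, timestamp or digest in the manifest is relied upon, so an unsigned manifest cannot steer the rollback or freshness logic. Each rejection reason names the control that failed, which is the kind of evidence an assessor can map back to a requirement.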

Where WG discussions touch OT contexts, I will reference IEC 62443 profiles to maintain compatibility while preserving the core CRA alignment.

Full Name
Javier Tallón
Country
Spain
Organisation
Dephensiva Europa SL
Standards Development Organisation
Working Groups and Technical Committees
CEN-CLC/JTC 13 WG 6, ETSI CYBER-EUSR