As the EU Cyber-Resilience Act reshapes cybersecurity expectations for products with digital elements, ETSI’s newly formed CYBER-EUSR working group is developing the technical standards that will underpin compliance. Chair Sandra Feliciano explains how the group is tackling an unprecedented workload, why horizontal and vertical standards matter, and how open collaboration aims to accelerate secure-by-design practices across the IoT sector.
Could you talk about what led up to the creation of the working group?
The establishment of CYBER-EUSR was a result of the European Commission Standardisation Request to develop standards to support the implementation of the EU Cyber-Resilience Act (CRA).
For those who might be less familiar with how the formal standardisation world operates, standards are developed by subject matter experts that work collaboratively in working groups. These are specifically established for that purpose, under standardisation technical committees, which are more long-term structures with wider technical scopes belonging to recognized standardisation development organizations (SDOs), such as ETSI.
Therefore, at ETSI, we have established a new working group (EUSR) under TC CYBER (the technical committee on cybersecurity) to respond to the EU Standardisation Request.
Why does the Cyber Resilience Act require standardisation?
The number of products with digital elements is enormous and their diversity is not possible to encompass under one single regulatory document. Therefore, the EU CRA provides the objectives and the framework, but not the details needed to ensure each product with digital elements is secure-by-design and secure-by-maintenance during its lifetime. Technical standards complement the EU CRA by providing specifications targeted to each product and adequate to its nature.
Essentially, the EU CRA tells us what needs to be achieved, and the standards like those developed at ETSI tell us what needs to be done and how. The details provided in technical standards are also necessary to serve as reference for the presumption of conformity with the EU CRA.
How will the horizontal standards differ from the vertical? Why were they divided in this way?
Horizontal standards are cross-sector and product agnostic. They will cover principles, concepts and requirements that are applicable across all products with digital elements. Vertical standards, however, are product specific and will detail requirements for different products. These can be, for example, software, such as operating systems; devices, such as fitness wearables and interconnected toys; or components, such as boot managers, just to mention a few.
How are you at ETSI approaching standardisation of the CRA?
At ETSI we established the CYBER-EUSR working group specifically for the CRA, where we now have 18 Rapporteur-led teams of subject-matter experts, currently developing nearly 20 standards for different products.
These teams are working synchronously and asynchronously to develop content, and their Rapporteurs meet weekly to discuss common themes and align approaches. Iterative outputs of their work are then presented at CYBER-EUSR bi-monthly meetings for discussion with other experts. We also hold monthly coordination meetings with CEN-CLC JTC 13/WG 9, which is responsible for the development of the horizontal standards, to exchange information and to avoid any overlaps or potential conflicts in the contents. European Commission Officials are present in these meetings providing excellent support in the correct interpretation of the EU CRA and the EU Standardisation Request to avoid any unnecessary delays.
Although “Openness” is a principle of international standardisation that applies equally to all recognized standardisation bodies, ETSI has a tradition of exercising this principle in a more flexible manner – i.e. our standards are freely accessible – and this time we’re taking this principle a step forward by conducting open consultations on interim drafts. These consultations will allow us to collect input from the market and consider it to improve the content of the standards at an earlier development stage than usual. More rounds of stakeholders’ consultation will also expectably lead to stronger consensus, wider dissemination and faster adoption of the standards.
What role will ETSI’s standards play in compliance with the CRA? Are there plans for test specifications?
Each standard we’re developing at CYBER-EUSR responds to a different topic of the CRA and will support the industry in complying with it, by specifying how to do it.
The vertical standards being developed are rather prescriptive and, in all cases, candidates to become harmonised European standards (hEN). This means that they can be used for self-assessment by the manufacturers of the product. They can also be used by certification bodies for conformity assessment to provide presumption of conformity with the essential requirements of the CRA.
All harmonised European standards include applicable technical requirements and a repeatable measurable way to assess and test them.
Have there been any challenges related to standardisation?
There are always challenges. ETSI is a recognised standardisation body and conducts its activities in strict adherence to the international standardisation principles as dictated by the World Trade Organization (WTO): Transparency, Openness, Impartiality & Consensus, Effectiveness & Relevance, and Coherence. This requires a sturdy process, which is highly specialized, hard-working and time consuming.
The issue is that European society cannot afford delays. The threat landscape continues to become more hostile and complex so to address this, we’re under pressure to publish nearly 20 technical standards a year to ensure European organisations are protected. This requires brainpower from many high-level experts, at a time where the industry is already under pressure to deliver more for less. But as more organisations collaborate with standards bodies this gets easier.
Do you plan on updating the standards given the pace at which cyber threats evolve?
Yes. Periodic systematic reviews are an imperative of formal standardisation to exercise the principles of Effectiveness and Relevance (ensuring the standards have the capacity to respond to market needs, including resilience to threats, reflect the latest scientific and technical developments and continue to add value to the users). Harmonised standards must be reviewed regularly and ETSI is committed to maintaining them up to date, and revising them when the cybersecurity landscape evolves.
What are some actionable ways manufacturers can implement secure by design principles into their work?
These are being described in the different drafts and therefore I invite them to read them as they become available for the open consultation – as well as during all the upcoming public consultations of future iterations, until their official publication. But to give you some examples:
- Incident Response Preparation: Build in logging and telemetry that supports forensic analysis without compromising privacy. Have update mechanisms that can deploy fixes quickly when vulnerabilities emerge.
- Dependency Management: Maintain a software bill of materials (sBOM) and implement automated vulnerability scanning in CI/CD pipelines. Given the CRA’s vulnerability handling requirements, manufacturers need processes to receive, triage, and remediate vulnerabilities in components they didn’t write. This includes having a clear policy on update cadence and end-of-support timelines.
- Default Configuration Hardening: Ship products with the most restrictive settings that still allow basic functionality. No default passwords, unnecessary services disabled, minimal network exposure. The CRA’s essential requirements explicitly call for secure defaults, so this isn’t optional for EU market access anyway.
Manufacturers should also lay the basis of secure-by-design principles through risk assessment of their products.
To share your ideas on how we can further improve them, manufacturers can also get involved through the following channels:
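The dependency-management point above (an SBOM plus automated vulnerability scanning in the CI/CD pipeline) as a worked example. This is added illustration, not code from the interview or from any ETSI draft: the SBOM fragment, the advisory feed, the component names and the advisory ids are all constructed placeholders.

```python
"""Minimal CI gate: match a CycloneDX-style SBOM against an advisory feed.
Everything below (SBOM, advisories, names, ids) is constructed sample data."""
import json

# Constructed SBOM fragment in CycloneDX JSON layout (component list only).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample-tls", "version": "2.3.1",
         "purl": "pkg:generic/libexample-tls@2.3.1"},
        {"type": "library", "name": "json-parse-lite", "version": "1.0.4",
         "purl": "pkg:generic/json-parse-lite@1.0.4"},
        {"type": "library", "name": "boot-helper", "version": "0.9.0",
         "purl": "pkg:generic/boot-helper@0.9.0"},
    ],
})

# Constructed advisory feed with placeholder ids (not real CVEs):
# a component is affected when its version is below "affected_below".
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "libexample-tls",
     "affected_below": "2.4.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "name": "json-parse-lite",
     "affected_below": "1.0.3", "severity": "medium"},
    {"id": "ADV-PLACEHOLDER-3", "name": "boot-helper",
     "affected_below": "1.0.0", "severity": "critical"},
]

def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))

def match_sbom(sbom_json, advisories):
    """Return one finding per component whose version is below the fixed version."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in advisories:
            if adv["name"] == comp["name"] and \
               parse_version(comp["version"]) < parse_version(adv["affected_below"]):
                findings.append({"component": comp["purl"], "advisory": adv["id"],
                                 "severity": adv["severity"],
                                 "fixed_in": adv["affected_below"]})
    return findings

def gate(findings, block_at=("high", "critical")):
    """CI decision: True means the build may proceed, False means block it."""
    return not any(f["severity"] in block_at for f in findings)
```

Run in a pipeline step, `gate(match_sbom(...))` returning False would fail the build; the findings list is the triage input the answer above describes.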
Are you thinking about how AI will interact with cybersecurity? Do you forecast it presenting an additional challenge to securing connected products?
Definitely! AI will present additional challenges, some of which we might not even be able to foresee yet. It is a shared concern and one that the Rapporteurs and their teams consider when analysing use cases and will adequately address in their drafts on a needs-basis.
AI has already had an impact on Cybersecurity, both by enabling new threats and new mitigation techniques, and by bringing its own cybersecurity challenges. In fact, these topics are being specifically addressed in one of our latest groups, ETSI Technical Committee on Security and AI.
Is there anything else you want to mention?
We’re always looking for experts to join and contribute to developing critical standards that will help guide the future of best in practice cybersecurity. Organisations can keep up to date with our work and the status of development of vertical standards that will support the CRA. As a start we invite people to: Follow the stan4cr website and ETSI’s LinkedIn page.
Author Biography:

Sandra Feliciano is Adjunct Professor at the School of Management and Technology at Polytechnic of Porto and offers two decades of consulting, auditing and research experience. Recognised for bridging academia and standardisation, she has founded several technical committees and led the development of standards and accredited certification schemes across healthcare, aerospace, education and ICT.