(A.) Policy and legislation
(A.1) Policy objectives
Digital technologies are transforming the economy and society, and data is at the centre of this transformation. Data-driven innovation will be essential for the modernisation of Europe and the data economy, which has the potential to bring enormous benefits for citizens, for example in support of health, mobility and sustainability. The key role of data is reflected in many chapters of the rolling plan, each outlining the respective sector-specific aspects. On top of that, and addressed in this chapter, data is of foundational and horizontal relevance.
As stated in the Communication “A European strategy for data”, the aim is to “create a single European data space – a genuine single market for data, open to data from across the world – where personal as well as non-personal data, including sensitive business data, are secure and businesses also have easy access to an almost infinite amount of high-quality industrial data, boosting growth and creating value, while minimising the human carbon and environmental footprint … [and] where EU law can be enforced effectively, and where all data-driven products and services comply with the relevant norms of the EU’s single market”.
The following aspects are being addressed in the policy initiatives:
- Availability of data
- Imbalances in market power
- Data interoperability
- Data quality
- Data governance
- Data infrastructures and technologies
- Data lifecycle: collection, record keeping, archival and long-term preservation of information
- Data space interoperability
Looking at each of the policy initiatives in more detail:
- Two foundational laws establish common ground rules that apply to all data being shared in the EU. Wherever personal data is concerned, the General Data Protection Regulation (GDPR) sets the ground rules. The GDPR sets out detailed requirements for companies and organisations on collecting, storing and managing personal data. It applies to organisations based in the EU as well as organisations outside the EU that deal with personal data related to individuals in the EU. For non-personal data, the Regulation on a framework for the free flow of non-personal data in the European Union contributes to the free movement of data in the EU by limiting the situations in which data localisation requirements can be imposed by Member States.
The Data Governance Act (DGA) provides a framework to enhance trust in voluntary data sharing for the benefit of businesses and citizens. The Data Governance Act is a cross-sectoral instrument that aims to make more data available by regulating the re-use of publicly held, protected data, by enhancing trust in data sharing through data intermediaries and in the sharing of data for altruistic purposes. See the Data Governance Act Explained for more information.
The European Data Innovation Board (EDIB), announced in the DGA, started its work at the end of 2023. The goals of the EDIB are to facilitate the sharing of best practices, in particular on data intermediation, data altruism and the use of public data that cannot be made available as open data, as well as on the prioritisation of cross-sectoral interoperability standards.
To harness the value of data for the benefit of the European economy and society, the Commission supports the development of common European data spaces in strategic economic sectors and domains of public interest. Common European data spaces bring together relevant data infrastructures and governance frameworks in order to facilitate data pooling and sharing. Coordination & Support Actions (Horizon Europe) and Deployment Projects (Digital Europe) are helping to make the European data spaces a reality. The “Data Spaces Support Centre” (DSSC) is a Digital Europe project that aims to facilitate data sharing and link the expertise of data sharing practitioners and researchers. The Commission Staff Working Document on Common European Data Spaces published in 2022 provided a first overview of the state of play. An update was provided in the Second staff working document on data spaces, published in 2024.
The European Commission is committed to ensuring fairness in how the value from using data is shared among businesses, consumers and accountable public bodies. The Data Act is addressing the fairness aspect, and includes measures related to the access to data on smart devices and related services, measures to provide protection from unfair contractual terms, measures to enable customers to switch between data processing services, and various other measures. See the Data Act Explained for more information.
Open data, including data from public institutions, is the final pillar in the European Strategy for Data. As stated in the EU Data Strategy, “Opening up government-held information is a long-standing EU policy. This data has been produced with public money and should therefore benefit society.” Open public sector data should be Findable, Accessible, Interoperable and Reusable (FAIR). The revised Open Data Directive (2019) aims to ensure that the public sector leads by example when it comes to sharing data. The High-Value Data Sets implementing act takes it a step further by specifying the data elements and level of granularity for six categories of open public sector data.
Public institutions also possess sensitive data, not suitable for sharing as open data. The Data Governance Act includes rules on the way such data can be shared in a trusted manner.
In summary, the European data economy – the vision of a European single market for data – is a foundational driver, built on European values and governed by European law. The political guidelines for the Commission 2024-2029 stress the need to further strengthen the European data economy, in support of the development of AI and other frontier technologies. The Data Union Strategy (published in November 2025) establishes three priority areas for action: (i) scaling up access to data for AI to ensure our businesses have access to high-quality data needed for innovation; (ii) streamlining data rules to give legal certainty to businesses and reduce compliance costs; (iii) safeguarding the EU’s data sovereignty to strengthen our global position on international data flows. Standardisation is an integral part of the strategy.

(A.2) EC perspective and progress report
Interoperability standards for data and data sharing services will be key enablers for the single market for data. Standards will enable the cost-efficient sharing of data and also provide common mechanisms for organisations to comply with the European law.
A major achievement was the creation of dedicated committees by CEN and CENELEC (JTC 25) and ETSI (TC DATA) that started the work on relevant data interoperability standards, in line with the standardisation request on a European Trusted Data Framework. Significant pre-standardisation developments include the work of the Data Spaces Support Centre, in particular, the DSSC Data Spaces Blueprint, the CEN Workshop Trusted Data Transaction, and the SEMIC solutions developed by the Interoperable Europe initiative. The standardisation request has been an important factor in connecting the various developments.
This section provides a high-level overview of the main data sharing scenarios that have been identified and their relation with the European Trusted Data Framework. Note that this is just a snapshot: new data sharing scenarios are emerging on a regular basis, driven by the continuous evolution of data value chains. The aim is to develop the European Trusted Data Framework in a way that is flexible and adaptable, allowing it to accommodate new developments and requirements in data sharing.
Note: See chapter 3.1.3 Data interoperability for more detailed information on the European Trusted Data Framework.
Common European Data Spaces
To harness the value of data for the benefit of the European economy and society, the Commission supports the development of common European data spaces in strategic economic sectors and domains of public interest. Common European data spaces bring together relevant data infrastructures and governance frameworks that facilitate trusted sharing.
They:
- deploy data-sharing tools and services for the pooling, processing and sharing of data by an open number of organisations, as well as federate energy-efficient and trustworthy cloud capacities and related services;
- include data governance structures, compatible with relevant EU legislation, which determine, in a transparent and fair way, the rights concerning access to and processing of the data;
- improve the availability, quality and interoperability of data – both in domain-specific settings and across sectors.
The standardisation request on a European Trusted Data Framework addresses the essential requirements on interoperability within and across (common European) data spaces, as stated in Data Act Article 33. Interoperability is the backbone of Europe’s single market for data, ensuring smooth data exchange across participants and preventing common European data spaces from becoming isolated data silos.
Public Sector Data
While the standardisation request on a European Trusted Data Framework focuses on interoperability within and across data spaces, it emphasizes the need for interoperability with initiatives and solutions around public sector data.
The data.europa.eu portal provides a central point of access to public sector data. By making the metadata available in a standard format, Member States can make data sets from their local portals findable, accessible and reusable to citizens and organisations. Data portals enable the Findability and Accessibility of data sets, the first two elements of the FAIR principles. The other two elements, Interoperability and Reusability, can further be enhanced by the use of common data standards for the data sets and by applying good data governance practices, for example to ensure data quality.
Sharing of public sector open data is supported by the Open Data Directive and the Implementing Act on High-Value Data Sets. The Data Governance Act also includes rules that enable the sharing of public sector restricted data. Unlike open data, restricted data is shared on request and bilaterally. The required mechanisms, such as negotiation and access control, have similarities with the mechanisms applied in Common European Data Spaces.
Data Intermediation and Data Altruism
Article 2(11) of the Data Governance Act defines a ‘data intermediation service’ as a service aiming to establish commercial relationships for data sharing between an undetermined number of individuals or companies on the one hand and data users (both individuals and entities) on the other. This can be done through technical means (platforms/apps where data can be stored), legal or other means. Data altruism is about individuals and companies giving their consent or permission to make available data that they generate – voluntarily and without reward – to be used for objectives of general interest.
Details regarding the understanding of “data intermediation services” and “data altruism” are outlined in Data Governance Act explained | Shaping Europe’s digital future (europa.eu).
The standardisation request on a European Trusted Data Framework stresses the need for support of data sharing scenarios where data intermediaries or data altruism organisations are involved.
Personal Data
Sharing of personal data is bound by the provisions in the General Data Protection Regulation. Sharing of personal data relies on consent of the data subject, i.e. “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The Data Governance Act aims to promote trust and bring additional legal certainty and user-friendliness to the process of granting and withdrawing consent, through the creation of a European data altruism consent form.
The standardisation request on a European Trusted Data Framework includes requirements regarding the way to describe information relevant to assess a legal basis for processing the data in question under GDPR.
Industrial data / data from connected devices
The Data Act establishes data access and data rights for the users of connected devices. This is expected to unlock innovations in many areas:
- When you buy a ‘traditional’ product, you acquire all parts and accessories of that product. However, when you buy a connected product that generates data, it is often not clear who can do what with the data. By empowering users to transfer (‘port’) their data more easily, the Data Act will give both individuals and businesses more control over the data they generate through their use of smart objects, machines and devices, thereby allowing them to enjoy the advantages of the digitisation of products.
- By having access to the relevant data, aftermarket services providers will be able to improve and innovate their services and compete on an equal footing with comparable services offered by manufacturers. Therefore, users of connected products could opt for a cheaper repair and maintenance provider – or maintain and repair it themselves. This way, they would benefit from lower prices on that market. This could extend the lifespan of connected products, thus contributing to the Green Deal objectives.
- Availability of data about the functioning of industrial equipment will allow for factory shop-floor optimisation: factories, farms and construction companies will be able to optimise operational cycles, production lines and supply chain management, including based on machine learning.
In precision agriculture, IoT analytics of data from connected equipment can help farmers analyse real-time data like weather, temperature, moisture, prices or GPS signals and provide insights on how to optimise and increase yield. This will improve farm planning and help farmers make decisions about the level of resources needed.
The standardisation request on a European Trusted Data Framework aims to address scenarios for access of data residing in distributed systems, connected products and other environments, such as platforms.
This topic (data capture from connected products, sensors, and cameras) is also mentioned in the Data Union Strategy as part of horizontal enabler “Raising the bar on data quality and data capturing”.
Annotation and labelling practices
This topic is introduced in the Data Union Strategy as part of horizontal enabler “Raising the bar on data quality and data capturing”:
Content authenticity & provenance involves embedding metadata within digital media to verify its originality and detect alterations, such as deepfakes. This metadata accompanies digital objects, providing a traceable record that helps users ensure the source and integrity of the content.
Data labelling, primarily used for non-text data such as images, audio, and video, involves tagging and annotating to train AI systems effectively. However, it can also apply to text data when specific features need identification.
The objective is to streamline the annotation and labelling practices across the EU by promoting efficient, accurate, and scalable systems that utilize both automated and human-assisted techniques, ensuring consistent and high-quality annotated data for enhanced AI applications.
Synthetic data
This topic is introduced in the Data Union Strategy as horizontal enabler:
Synthetic data refers to artificially generated data that mimics real-world data sets and is used to train and evaluate AI systems. It is particularly useful for scenarios where real data is scarce, sensitive, or expensive to collect. The objective is to promote the use of synthetic data across the EU by encouraging the development of reliable and scalable generation techniques, ensuring that synthetic data accurately reflects the complexities of real-world scenarios to support robust AI applications.
Data quality
This topic is introduced in the Data Union Strategy as part of horizontal enabler “Raising the bar on data quality and data capturing”:
Data Quality is a cross-cutting topic to all data sharing scenarios, addressing dimensions such as completeness, consistency, provenance, semantic clarity, and governance. The objective is to provide businesses, regulators, and researchers with a framework for collaborative data quality initiatives in data spaces, enabling communities to define and measure shared benchmarks for reliable data.
Smart contracts
Smart contracts are mentioned in several places as a way to automate aspects of trusted data sharing agreements, for example related to the management of consent. Smart contracts are listed under needs since they cut across legal, organisational, semantic and technical layers. See Smart contracts and the digital single market through the lens of a “law plus technology” approach | Shaping Europe’s digital future (europa.eu) for more background.
The standardisation request on a European Trusted Data Framework includes requirements on the automated execution of data transactions.
Open source software
Open source software is expected to play an important role in establishing trusted data sharing connections. Projects such as the EU-funded SIMPL project aim to help establish the infrastructure. To ensure interoperability, a close alignment between standardisation developments and open source developments will be needed.
Switching between data processing services
The Data Act includes rules setting the right framework conditions for customers to effectively switch between different providers of data-processing services to unlock the EU cloud market. These will also contribute to an overall framework for efficient data interoperability.
See chapter 3.1.2 Cloud and edge computing for more information on the standardisation developments in this area.
(A.3) References
This section provides relevant references related to sections A.1 and A.2.
- COM(2025) 835 Data Union Strategy – Unlocking Data for AI
- Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
- Regulation (EU) 2024/903 of the European Parliament and of the Council of 13 March 2024 laying down measures for a high level of public sector interoperability across the Union (Interoperable Europe Act)
- COM(2020) 66 final Communication from the Commission “A European strategy for data”
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union
- Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)
- Directive (EU) 2019/1024 on open data and the re-use of public sector information
- Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance (Data Governance Act)
- Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act)
- Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act)
- Decision (EU) 2015/2240 on interoperability solutions and common frameworks for European public administrations, businesses and citizens (ISA2 programme) as a means for modernising the public sector (ISA2)
- Council Recommendation of 14 November 2005 on priority actions to increase cooperation in the field of archives in Europe
(B) Requested actions and progress in standardisation
(B.1) Requested actions
The actions proposed focus on fields where ICT standardisation can support horizontal and high-level policy objectives in the area of data economy. Actions that address sector specific needs and objectives are included in the respective chapters addressing the different sectors and technology areas.
Action 1: Stock-taking and collaboration:
Action 1.1: SDOs to identify, map and inform about standards that are available or under development that are of relevance in supporting the scenarios listed in section A.2 above. Such standards should be evaluated and considered for EU adoption.
Action 1.2: SDOs to collaborate on addressing standardisation needs across the whole data lifecycle, from data collection to record keeping, archiving and long-term preservation of information, and to start the respective standardisation activities, taking into account the results of the ISA2 programme, the privacy-by-design principles, and other relevant activities (see for example section C.2).
Action 1.3: Following an analysis of standards available or under development (Action 1.1 above) and of possible standardisation needs (Action 1.2 above), SDOs to develop, in collaboration when appropriate, specific standards in support of the scenarios outlined in section A.2 above, taking into account EU legislation.
Action 2: In the context of the Multi-Stakeholder Platform for ICT Standardisation (MSP), start an analysis on the role of open source software complementing standardisation in the support of the scenarios listed in section A.2 above, e.g. with APIs, protocols, service delivery and other applications.
Action 3: In collaboration with the Data Spaces Support Centre (DSSC) and considering the policy objectives outlined in the chapter on Data Interoperability as well as the work of the EU High-Level Forum, stakeholders to address the topic of gathering and processing data from different sources across domains and develop proposals for respective standardisation projects.
Action 4: Coordinate and support the standardisation of data spaces by identifying cross-sectoral and cross-border projects, use cases, and pilots that implement data spaces extending beyond domain and geographic boundaries. This will help define and test the interoperability standards for data spaces.
Action 5: SDOs to establish an exchange with open source communities for identifying open source technologies that are available or under way and that can be of relevance for supporting standardisation activities in support of the EU Data Act and EU policy objectives around the EU data strategy.
(C) Activities and additional information
(C.1) Related standardisation activities
CEN & CENELEC
CEN-CLC/JTC 13 ‘Cybersecurity and Data Protection’ focuses on Information Technology (IT) and develops European standards for data protection, information protection and security techniques, including: organisational frameworks and methodologies; IT management systems; data protection and privacy guidelines; process and product evaluation schemes; ICT security and physical security technical guidelines; smart technology, objects, distributed computing devices, data services and product security; and support to the EU 5G certification scheme, the Radio Equipment Directive (Directive 2014/53/EU) and the Cyber Resilience Act (CRA). The ISO/IEC 27000 standards, the Common Criteria for Information Technology Evaluation (ISO/IEC 15408) and the Common Methodology for Information Technology Evaluation (ISO/IEC 18045) are adopted as European Standards by this Joint Technical Committee. CEN-CLC/JTC 13 has established a dedicated Special Working Group on the Cyber Resilience Act (CEN/CLC/JTC 13/WG 9) to address the standardisation needs of the CRA, as defined in the adopted standardisation request (M/606). This working group builds on the experience of the Special Working Group on the RED Standardisation Request (CEN/CLC/JTC 13/WG 8) and has initiated three work items corresponding to the horizontal standards requested for the CRA. A new WG 10 ‘Cryptography’ has been created to act as a mirror of ISO/IEC JTC 1/SC 27/WG 2 and to focus on new topics such as post-quantum cryptography (PQC).
CLC/TC 65X ‘Industrial-process measurement, control and automation’ coordinates the preparation of European Standards for industrial process measurement, control and automation (e.g. EN IEC 62443-4-1 ‘Security for industrial automation and control systems – Secure product development lifecycle requirements’). The EN IEC 62443 series addresses Operational Technology (OT) found in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare and transport systems. These are sectoral standards, which can also be applied across many technical areas. CLC/TC 65X is currently working on updating the 62443 series to meet the requirements of the CRA, as well as on dedicated product standards under M/606 for certain product categories (industrial use cases).
CLC/TC 65X has started the following three horizontal projects to address the essential requirements of the CRA:
- EN IEC 62443-4-2:2019/prAA (79973)
- EN IEC 62443-3-3:2019/prAA (79830)
- EN IEC 62443-4-1:2018/prAA (81481)
and the following vertical product standards:
- prEN 50XXX-1 (81649)
- prEN 50XXX-2 (81650)
- prEN 50XXX-3 (81651)
- prEN 50XXX-4 (81652)
- prEN 50XXX-5 (81653)
- prEN 50XXX-6 (81654)
CLC/TC 47X has been set up to respond to the CRA standardisation request M/606 for microprocessors and microcontrollers (CRA Annex III, class I and class II), as well as FPGAs and ASICs (CRA Annex III, class I), and smartcards including secure elements (CRA Annex IV), in close alignment with CEN/TC 224.
CEN/TC 224 will work on deliverables focusing on the application-side of the smartcards including secure elements (CRA Annex IV), as well as identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers.
CLC/TC 9X provides standards on electrical and electronic systems, equipment and software for use in railway applications. CLC/TS 50701 ‘Railway applications – Cybersecurity’ provides a specification that can be used to demonstrate that a system is cyber secure, has set Target Security Levels and has achieved them during operation and maintenance. Technical Committee IEC TC 9 ‘Electrical equipment and systems for railways’ develops international standards for the railway field, which includes rolling stock, fixed installations and management systems (including supervision, information, communication, signalling and processing systems) for railway operation. The project team 63452 ‘Railway applications – Cybersecurity’ is currently developing a standard that maps and adapts IEC 62443 requirements to the railway application domain and its operational environment.
Cybersecurity standards are also being developed in several vertical sectors, for example: CEN/TC 301 ‘Road Vehicles’, CEN/TC 377 ‘Air-traffic management’, CLC/TC 9X ‘Electrical and electronic applications for railways’, CLC/TC 57 ‘Power systems management and associated information exchange’, CEN-CLC/JTC 19 ‘Blockchain and Distributed Ledger Technologies’, CEN/TC 224 ‘Personal identification and related personal devices’, CLC/TC 45AX ‘Instrumentation, control and electrical power systems of nuclear facilities’.
CEN/CLC/JTC 22 WG 4 is working on PQC, in particular on an equitable analysis of and comparison between PQC and quantum cryptography (more specifically Quantum Key Distribution, QKD). The CEN-CENELEC cybersecurity technical committee (JTC 13) is currently working on PQC:
http://www.iso.org/iso/iso_technical_committee?commid=45306
ETSI
TC CYBER is the ETSI centre of expertise for cybersecurity and produces standards for the cybersecurity ecosystem, consumer IoT/devices, protection of personal data and communication, network security, cybersecurity tools and guides, and in support of EU legislation (CRA, GDPR, CSA, RED, NIS2) (details in the CYBER Roadmap). TC CYBER has set up a sub-group for EU standardisation requests (EUSR), focusing on the development of harmonised standards. Currently, several work items are under way or under discussion in response to CRA standardisation request M/606. ETSI (TC CYBER) has been working with GSMA and 3GPP in support of Action 2 on the enhancement of existing standards and assessment schemes (NESAS and SAS) for EU 5G. ETSI is also working with the O-RAN Alliance to make O-RAN specifications, including assurance specifications, available, including for use with the CRA. TC CYBER has also produced further standards such as TS 103 994 ‘Privileged Access Workstation Security’, which supports Actions 1 and 10.
ETSI CYBER QSC continues to track the work of NIST on the standardisation of post-quantum algorithms. ETSI will both update and extend the ETSI CYBER QSC specifications as the NIST work progresses, which is applicable to all Requested Actions. ETSI has already published a number of relevant guidelines and documents:
- TR 104 016 V1.1.1 – CYBER; Quantum-Safe Cryptography (QSC); A Repeatable Framework for Quantum-Safe Migrations
- TR 103 949 V1.1.1 – Quantum-Safe Cryptography (QSC) Migration; ITS and C-ITS migration study
- TR 103 692 V1.1.1 – CYBER; State management for stateful authentication mechanisms
- TS 103 744 V1.1.1 – CYBER; Quantum-safe Hybrid Key Exchanges
- TR 103 619 V1.1.1 – CYBER; Migration strategies and recommendations to Quantum Safe schemes
ETSI has also recently launched its post-quantum security standard to guarantee the protection of critical data and communications in the future. The specification TS 104 015 V1.1.1 – Cyber Security (CYBER); Quantum-Safe Cryptography (QSC); Efficient Quantum-Safe Hybrid Key Exchanges with Hidden Access Policies enhances security mechanisms, ensuring that only authorised users with the correct permissions can decrypt sensitive data. Guidelines and reports on the migration to PQC have been published by NSAs, such as ANSSI in France (“ANSSI views on the Post-Quantum Cryptography transition”, 2022, and “ANSSI views on the Post-Quantum Cryptography transition (2023 follow up)”, 2023) and BSI in Germany (“Quantum-safe cryptography – fundamentals, current developments and recommendations”, 2021), and also by ENISA (“Post-Quantum Cryptography Integration study”, 2021, and the report “Post-Quantum Cryptography: current state and quantum mitigation”, 2021).
The work by ETSI on migrating to a fully quantum-safe cryptographic state builds on a combination of approaches for the transition to a quantum-safe digital infrastructure. It also builds on the work done in the context of the Industry Specification Group on Quantum Key Distribution (ETSI ISG QKD), with a focus on the practical implementation of quantum primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications. The publications cover requirements for security proofs of QKD protocols and authentication, precise characterisation of QKD modules and components, and approaches to integrate QKD into networks. The work considers the security of system implementations and aims to assist the certification of QKD systems using the Common Criteria and to support the industrialisation of QKD technology to secure ICT networks. Work is also done in an EU-funded action grant at ETSI, in the context of the Annual Union Work Plan for European Standardisation, on the combination of these methods with QKD (to serve QKD networks), in particular on:
- standards for specific hybridisation schemes combining conventional and post-quantum methods with QKD;
- a Common Criteria Protection Profile for a Key Processing Module that can work with other such modules to agree secret random keys across a trusted-node QKD network;
- a new ETSI Technical Specification for an authenticated hybrid key establishment method, including requirements for QKD (AQSHKEX, Authenticated Quantum Safe Hybrid Key Exchange);
- a new Technical Specification for a quantum-safe (QS) profile for Enterprise Transport Security (ETS).
ISG PDL (Industry Specification Group on Permissioned Distributed Ledgers) has published Group Reports and Group Specifications (GRs and GSs) on smart contracts, a GS on DAOs (Distributed Autonomous Organisations), and documents on other subjects such as non-repudiation, redactability and digital identity. Many of these address security and integrity related matters:
- ETSI GR PDL 004 V1.1.1 – PDL Smart Contracts System Architecture and Functional Specification
- ETSI GS PDL 011 V2.1.1 – Specification of Requirements for Smart Contracts’ Architecture and Security
- ETSI GR PDL 014 V1.1.1 – Study on Non-repudiation Techniques
- ETSI GR PDL 017 V1.1.1 – eIDAS2, in cooperation with TC ESI
- ETSI GS PDL 018 V1.2.1 – Redactable Distributed Ledgers
- ETSI GR PDL 019 V1.1.1 – PDL Services for Identity and Trust Management
- ETSI GS PDL 023 V1.1.1 – DID (Decentralized Identifiers) Framework
- ETSI GS PDL 027 V1.1.1 – SSI in Telecom Networks (draft)
- ETSI GR PDL 028 V1.1.1 – PDL in oneM2M IoT standards (draft)
- ETSI GS PDL 029 V1.1.1 – Distributed Autonomous Organization (in approval)
- ETSI GR PDL 030 V1.1.1 – Trust in Telecom Systems (draft)
ISG MEC (Multi-access Edge Computing) led the publication of a White Paper on “MEC security: Status of standards support and future evolutions”, written by several authors participating in ETSI ISG MEC, ETSI ISG NFV SEC and ETSI TC CYBER. The work identified aspects of security where the nature of edge computing leaves typical industry approaches to cloud security insufficient. As a follow-up, the MEC group started a related study on MEC Security (ETSI GR MEC 041) and has commenced associated normative work, including an API Gateway for Client Applications (ETSI GS MEC 060), with architectural impacts captured in the latest draft of the Framework and Reference Architecture specification (ETSI GS MEC 003).
ETSI also works on other specific security topics, including: the security of mobile communications, including the 5G network equipment security assurance specifications (3GPP SA3); network functions virtualisation (ETSI NFV ISG SEC WG6); intelligent transport systems (ITS WG5); digital enhanced cordless telecommunications (DECT™); M2M/IoT communications (oneM2M published standards, latest drafts); reconfigurable radio systems (ETSI TC RRS); IPv6-based secure internet protocol best practices and IPv4 sunsetting guidelines (ETSI ISG IPE); emergency telecommunications (including terrestrial trunked radio (TETRA)); and electronic signatures and trust service providers, with a set of standards for the certification of trust services from TC ESI (ESI activities). More recently, ISG ETI (Encrypted Traffic Integration) has been expanding the development of the Zero Trust Architecture to address the problems cited in ETSI GR ETI 001.
TC SET is producing the standards for two secure element platforms: the UICC, which is the most widely deployed secure element, with billions of pieces going into the market every year, for example as SIM cards; and the SSP, a disruptive TC SET proposal for a high-end, high-security secure element. TC SET and some of its members are involved in the development of the EU5G certification process, with the development of the eUICC certification scheme based on EUCC, and TC SET is committed to continuing cooperation with ENISA to add an EU scheme for the certification of production and personalisation sites. In addition, TC SET has standardised a major evolution of the UICC platform allowing the support of EU digital identity compliant with the requirements of the eIDAS Regulation. TC SET has started to work on migration to PQC technologies.
IEC
Project team IEC/TC 9/PT 63452 ‘Railway applications – Cybersecurity’ is responsible for adapting the IEC 62443 requirements to the railway application domain and its operational environment, and details how the requirements are applied in that context. It provides guidance on how the security process can be interfaced with the generic RAMS life cycle of IEC 62278. It is in charge of defining the cybersecurity activities and cybersecurity deliverables needed to identify, monitor and manage cybersecurity risks within a railway application.
Committee IEC/TC 65 ‘Industrial-process measurement, control and automation’ develops International Standards for systems and elements used for industrial-process measurement and control concerning continuous and batch processes.
Working Group IEC/TC 65/WG 10 ‘Security for industrial process measurement and control – network and system security’ is responsible for the IEC 62443 series on Industrial communication networks, which addresses the prevention of illegal or unwanted penetration, intentional or unintentional interference with the proper and intended operation, or inappropriate access to confidential information in industrial automation and control systems.
IEC 62443-4-2:2019 ‘Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components’ was published in 2019 and IEC 62443-3-2:2020 ‘Security for industrial automation and control systems – Part 3-2: Security risk assessment and system design’ was published in 2020. The publication of International Standard IEC 62443-2-1 (edition 2) ‘Security for industrial automation and control systems – Part 2-1: Security program requirements for IACS asset owners’ is expected in 2021.
Technical Committee IEC/TC 57 ‘Power systems management and associated information exchange’ is responsible for the IEC 62351 standards series ‘Power systems management and associated information exchange – Data and communications security’. The different security objectives of this series include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.
IECEE/ICAB
Conformity Assessment (CA) is any activity that results in determining whether a product or other object corresponds to the requirements contained in a standard or specification. The IEC runs four CA systems, each of which operates Schemes based on third-party conformity assessment certification. They establish that a product is reliable and meets expectations in terms of performance, safety, efficiency, durability, etc. This is especially crucial for cybersecurity.
IECEE, the IEC system for Conformity Assessment Schemes for Electrotechnical Equipment and Components, which issues internationally recognized certification on Cybersecurity, operates the CB scheme, facilitating cooperation among accepted National Certification Bodies (NCBs) worldwide. NCBs perform market surveillance functions, which ensure that the overall production line is constantly compliant with the initial testing/certification.
The IECEE Full Certification Scheme is an extension of the IECEE CB Scheme, in which initial and/or periodic surveillance of production is performed. The Scheme provides the evidence that each certified product offers the same quality/safety level as the type-tested sample.
The CAB (Conformity Assessment Board) is responsible for setting the IEC’s conformity assessment policy, promoting and maintaining relations with international organizations on conformity assessment matters.
OASIS
The OASIS Cyber Threat Intelligence (CTI) TC defines a set of information representations and protocols to support automated information sharing for cybersecurity situational awareness, real-time network defence, and sophisticated threat analysis. The Structured Threat Information eXpression (STIX) language, launched in 2014 and most recently issued as STIX v2.1 in 2021, provides a common set of descriptors for security threats and events. The Trusted Automated Exchange of Indicator Information (TAXII) specification, launched in 2014 and most recently issued as TAXII v2.1 in 2020, provides common message exchange patterns.
- The OASIS Open Services for Lifecycle Collaboration (OSLC) project issues tools and specifications to support shared software configuration and change management, under open source licenses and using W3C Linked Data methods. In 2023 OSLC issued OSLC Configuration Management v1.0, an RDF vocabulary and a set of REST APIs for managing versions and configurations of linked data resources from multiple domains, and OSLC Tracked Resource Set v3.0, methods to track additions to and removals from a set of resources, components or code sets, as well as to track state changes.
- OASIS will publish a unified, machine-readable approach to managing and sharing End-of-Life (EOL) and End-of-Support (EOS) information for commercial and open source software and hardware. Shareable, interoperable and widely consumable notices of this kind will power and simplify widespread software security management frameworks.
- The Open Supply-Chain Information Modeling (OSIM) TC was launched in 2024 to model data for software provenance, re-use, safety, and compliance certification, to address policy requirements such as the Cyber Resilience Act and Software Bill of Materials (SBOM) rules requiring aggregation of safety and interoperability metadata from multiple sources. It is likely to integrate other specifications such as the Ecma CycloneDX standard, the ISO/IEC 5962:2021 SPDX standard for licensing information, the OASIS Vulnerability Exploitability Exchange (VEX) profile (see CSAF in this section), and other work in progress such as IETF’s SCITT program.
- OASIS’ Computing Ecosystem Supply-Chain (CES-TC) committee defines a multi-tier, cross-vendor supply chain data sharing system, using data schemas and ontologies, APIs, and smart contracts, to enable planning, enhanced visibility, enhanced resilience, and deeper traceability in order to build trusted, secure, and sustainable products and services.
- The OASIS Heimdall Data Format (OHDF) committee is establishing standard data formats for exchanging normalized security data between cybersecurity tools (which today often each emit different notices, warnings and identifiers), to allow for ease of mapping and enrichment of security data to relevant compliance standards such as GDPR, PCI-DSS, etc.
- The OASIS Defending Against Deception Common Data Model (DAD-CDM) project applies cybersecurity methods to detect, track and mitigate information quality issues. The project will extend existing object models and defence methods, including the STIX standard, to address misinformation, domestic and foreign manipulation and interference influence operations, and online harm campaigns. Defense in this context includes enabling effective remediation in real time, as well as building strategies, plans and capabilities to manage information quality risks.
- The OASIS Open Command and Control (OpenC2) TC provides a suite of specifications to administer command and control of cyber defence functions across diverse devices and systems, as well as specific security protocols for transmitting those commands in potentially hostile, vulnerable, or high-latency (IoT) environments. The base standard is the OpenC2 Language Specification v1.0 published in 2019; the committee also issued a JSON Abstract Data Notation (JADN) v2.0 in 2025 for simple formal semantic expressions. See also the OpenC2 overview. In addition, the TC issued the OpenC2 Profile for Stateless Packet Filtering v1.0 in 2019, and a Specification for Transfer of OpenC2 Messages via HTTPS v1.1 and Specification for Transfer of OpenC2 Messages via MQTT v1.0 in 2021.
- The Collaborative Automated Course of Action Operations (CACAO) for Cybersecurity TC provides a standard to describe the prevention, mitigation, and remediation steps in a course of action “playbooks” in a structured machine-readable format that can be shared across organizational boundaries and technology solutions. The CACAO Security Playbooks Version 2.0 specification was published in 2023.
- The OASIS Common Security Advisory Framework (CSAF) TC provides standard structured machine-readable formats for security vulnerability-related advisories in JSON format, as well as secure distribution mechanisms for discovery and disclosure. Its Vulnerability Exploitability Exchange (VEX) profile adds secure methods and actionable metadata for Software Bills of Materials (SBOMs), specifying correlations to global databases of known vulnerabilities. The TC delivered the CSAF Common Vulnerability Reporting Framework (CVRF) V1.2 in 2017 and published version 2.0 of the framework in 2022. CSAF v2.0 is also issued as ISO/IEC
- The OASIS Threat Actor Context (TAC) TC establishes a common knowledge framework that enables semantic interoperability of threat actor contextual information. This framework allows organizations to strategically correlate and analyse attack data, using a formal model relying on the W3C Ontology Web Language (OWL) specification. This formalism allows high-volume automated or AI analysis and threat response, as well as manual response, and enables a better understanding of an adversary’s goals, capabilities, and trends in targeting and techniques.
- The Open Cybersecurity Alliance OASIS Open Project aims to bring together vendors and end users in an open cybersecurity ecosystem where products can freely exchange information, insights, analytics, and orchestrated response. The OCA supports commonly developed code and tooling and the use of mutually agreed upon technologies, data standards, and procedures.
- OASIS launched the “Space Automated Threat Intelligence Sharing (SATIS) TC” in 2024 to extend OASIS STIX and other cybersecurity threat sharing and response standards to space sector use cases, including satellites, ground stations, and other space infrastructure.
ISO/IEC JTC 1
Technical Committee ISO/IEC JTC 1/SC 27 ‘Information security, cybersecurity and privacy protection’ produces the International Standards for the protection of electronic information assets and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:
- Security requirements capture methodology;
- Management of information and ICT security; in particular information security management systems, security processes, and security controls and services;
- Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
- Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
- Security aspects of identity management, biometrics and privacy;
- Conformance assessment, accreditation and auditing requirements in the area of information security management systems;
- Security evaluation criteria and methodology.
Included in the 198 published International Standards are the ISO 27000 Information Security Management Standards series as well as the Common Criteria for Information Technology Evaluation ISO/IEC 15408 and the Common Methodology for Information Technology Evaluation ISO/IEC 18045.
Concerning PQC, the evaluation of algorithms as candidates for standards is being done in the context of the competitions organised by NIST, supported by the EU through the contribution of EU-funded researchers. Such candidate standards are meant for both key exchange and digital signatures. NIST is coordinating with ISO/IEC JTC 1/SC 27 (https://committee.iso.org/home/jtc1sc27) and will standardise through it. At present, standards have been published for stateful hash-based signatures, a key-encapsulation mechanism and digital signatures, but others will come via the ongoing on-ramp competition for digital signatures, the reserve algorithms under consideration for key exchange, and in the future threshold schemes for cryptographic primitives. SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas. ISO/IEC standards can be fast-tracked to CEN/CENELEC through the Vienna and Frankfurt agreements.
WG 2 (Cryptographic Mechanisms) of ISO/IEC JTC 1/SC 27 is close to finishing the standardisation of stateful hash-based signatures, which are already standardised by NIST and in IETF RFCs 8391 and 8554. ISO WG 2 has issued an SC 27 committee document, 208 – Post-Quantum Cryptography, a white paper explaining the general setting of PQC and the five core types of hardness assumptions. SC 27/WG 2 is also on track to issue an amendment to a standard on key encapsulation to include three post-quantum KEMs: one selected by NIST, and two others that are more conservative.
JTC1/SC27/WG2 also works on Fully Homomorphic Encryption.
Other ISO committees have issued statements on PQC to highlight their awareness and intention to migrate. For example, ISO/TC 68/SC 2/WG 11 (Encryption algorithms used in banking applications) issued the report Quantum Computing and the Financial Services Industry.
ITU-T
ITU-T SG2 is ready to approve Recommendation ITU-T E.371, “Deemed impermissible traffic”, which defines deemed impermissible traffic as traffic that is considered inappropriate, illegal, or against the terms of service. It can include various activities such as call refiling, over-the-top (OTT) bypass, wangiri, etc., or any other behaviour that violates the rules and regulations of any country. Deemed impermissible traffic can have serious legal, ethical, and privacy implications, leading to financial loss, compromised personal information and invasion of privacy. The Recommendation emphasises the importance of understanding impermissible traffic and its potential consequences. It highlights the negative impact on security, privacy and user experience, as well as on quality of service (QoS) and quality of experience (QoE). The solutions and use case sections of the Recommendation provide practical measures to combat impermissible traffic effectively. SG2 is also ready to approve a revision of Recommendation ITU-T E.156, “Guidelines for ITU-T action on reported misuse of ITU-T E.164 number resources”, which aims to clarify the process for reporting potential misuse and the measures available to the entities who manage the numbering resources potentially being misused. Finally, SG2 has also started work on draft Recommendation ITU-T E.RAA4Q.TSCA, “Registration Authority assignment criteria to issue digital public certificates for use by Q.TSCA”, which intends to provide a consistent and transparent means by which registration authorities will be selected for the purpose of issuing certificates to facilitate secure signalling of telephone numbers.
More info: http://itu.int/ITU-T/go/tsg2
ITU-T SG17 (Security) is responsible for developing international standards to enhance confidence, security and trust in the use of telecommunications/ICTs, in the context of an ever-growing attack surface and confronted with an unbalanced threat landscape. Providing security by ICTs and ensuring security for ICTs are both major study areas for SG17. SG17 develops globally harmonized standards on security model, framework, architecture and lifecycle, cybersecurity and service, security management, end-device, edge, network, cloud and application security, data protection techniques, new and emerging security technologies, open system interconnection (OSI) and technical languages. Over 300 ITU-T Recommendations have been developed including the security Recommendations under the ITU-T X-series.
Recently, ITU-T SG17’s work increased specifically on security and trustworthiness of AI systems, fixed mobile satellite converged networking, cloud computing, intelligent transport systems, distributed ledger technologies and quantum-safe communications. SG17 is extending ITU-T X.509 on Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI) as foundation for global interoperable identity and trust management of Artificial Intelligence (AI) agents in collaboration with other SDOs.
More info: http://itu.int/ITU-T/go/tsg17
Since 2016, ITU-T SG11 has been continuing its studies on implementation of security measures on signalling level in order to cope with different types of attacks on existing ICT infrastructure and services (e.g. OTP intercept, calls intercept, spoofing numbers, robocalls, etc.). Validating the calling party could help prevent such attacks. Only calls that have been successfully validated by the network would be allowed to pass through the network and reach the terminating party. The validation can be based on signing sensitive information in the signalling exchange (e.g., CLI) to guarantee the trustworthiness of the information and the caller’s identity. This would involve using digital public-key certificates (ITU-T X.509) issued by dedicated Certification Authorities (CAs) specifically for use in the telecommunications environment, not internet-based certificates.
ITU-T SG11 has been developing a series of standards defining the procedure for incorporating and validating digital public-key certificates at the signalling level, including signing the CLI in SS7-based networks (ITU-T Q.3057, Q.3062, Q.3063, Amd.2 to Q.931, Amd.6 to Q.1902.3, Amd.7 to Q.763).
Currently, ITU-T SG11 is developing ITU-T Q.TSCA “Requirements for issuing End-Entity and Certification Authority certificates for enabling trustable signalling interconnection between network entities,” which defines the requirements for the verification of information elements in certificate signing requests.
In addition, ITU-T SG2 continues the development of ITU-T E.RAA4Q.TSCA “Registration Authority Assignment criteria to issue digital public certificates for use by Q.TSCA” which defines the criteria for the selection of registration authorities for use in relation to Q.TSCA, and the process by which the criteria would be used to select registration authorities to support the allocation of digital public certificates that will facilitate implementation in support of Q.TSCA.
In addition, SG11 approved Technical Report QSTR-SS7-DFS “SS7 vulnerabilities and mitigation measures for digital financial services transactions” and Technical Report QSTR-USSD (2021) “Low resource requirement, quantum resistant, encryption of USSD messages for use in financial services”.
All relevant events as well as additional details of ITU activities on this matter are available at: https://itu.int/go/SIG-SECURITY
ITU-T SG13 develops standards for quantum key distribution networks (QKDN) and related technologies. It further studies the concepts and mechanisms to enable trusted ICT, including framework, requirements, capabilities, architectures and implementation scenarios of trusted network infrastructures and trusted cloud solutions.
ITU-T SG13 produced Y.3800-series Recommendations related to QKDN. ITU-T SG13 is also carrying out work on trust in telecommunication and approved Y.2073 “Standardisation roadmap on Trustworthy Networking and Services”, Y.3058 “Functional architecture for trust enabled service provisioning”, Y.3059 “Trust Registry for Devices: requirements, architectural framework” and Y.3060 “Autonomous networks – overview on trust” and Y.3062 “Trustworthiness evaluation for IMT-2020 and Beyond with autonomous network functions”.
ITU-T SG5 develops standards on electrical protection, reliability, safety, and security of telecommunication/ICT systems. It studies measures applicable to facilities and systems against the effects of lightning and of attacks using extreme electromagnetic fields, such as High-Altitude Electromagnetic Pulse (HEMP) and High-Power Electromagnetic (HPEM) attacks, which pose threats to ICT-dependent societies.
ITU-T SG20 develops standards on aspects related to security, privacy, trustworthiness, and identification of Internet of Things (IoT) and smart sustainable cities and communities (SSC&C).
More info: https://itu.int/go/tsg20
W3C
W3C approaches Security in three main activities:
- Develop security technology standards
- Review and increase the security of web standards
- Guide Web Developers to design and develop in a secure manner
Developing security standards
- The Web Application Security Working Group develops security and policy mechanisms to improve the security of Web Applications and enable secure cross-site communication.
- The Web Authentication Working Group defined a client-side API providing strong authentication functionality to Web Applications.
- The Federated Identity Working Group supports authentication and authorization flows without compromising security and privacy principles.
- The Web Payment Security Working Group enhances the security and interoperability of various Web payments technologies.
- The Web Incubation Community Group incubates new Web APIs; it hosts some interesting and promising proposals for cyber security, such as Device Bound Session Credentials, the Digital Credentials API, and Realms Initialization Control to virtualise the web environment.
- The Threat Modeling Community Group incubates Threat Models on Security, Privacy, and Harms for Digital Credentials and AI.
- The Web Forensics Community Group incubates standardisation of guidelines and formats for acquiring evidence from the Web.
Reviewing the security of web standards
The Security Interest Group’s (SING) mission is to improve Security on the Web by advising groups developing standards on how to avoid and mitigate security issues with their technologies. The group will also suggest changes to existing standards and technologies to improve security.
Guiding Web Developers to design and develop in a secure manner
To guide Web Developers to design and develop in a secure manner, W3C created a cross-organization group to guide web developers and ensure a holistic approach to security.
- The Security Web Application Guidelines (SWAG) Community Group increases the overall security of web application development, thereby making the web a more secure platform for web users, by editing security best practices for web creators and providing a platform for stakeholder collaboration (e.g., OpenSSF, OWASP, Open Web Docs, etc.).
More information at https://www.w3.org/Security
IEEE
- IEEE has standardisation activities in the cybersecurity/network and information security space. It also addresses anti-malware technologies, encryption, fixed and removable storage, and hard copy devices, as well as applications of these technologies for smart grids or healthcare.
- The IEEE Computer Society AI Standards committee is working on IEEE P2986, Recommended Practice for Privacy and Security for Federated Machine Learning.
- The “Privacy and Security Architecture for Consumer Wireless Devices” Working Group standardises a privacy and security architecture for wireless consumer devices (P1912).
- IEEE 1609.2.1 specifies certificate management protocols to support provisioning and management of digital certificates to end entities, that is, actors that use digital certificates to authorize application activities, according to IEEE Std 1609.2(TM).
- IEEE standards for Secure Computing include:
  - IEEE 2952, Secure Computing Based on Trusted Execution Environment
  - IEEE P2834, Secure and Trusted Learning Systems
  - IEEE P3167, Secure Biometrics Device Interface
  - IEEE 3169, Security Requirement of Privacy-Preserving Computation
- IEEE Standards for cryptographic and data authentication procedures for storage devices include:
  - IEEE 1619, Cryptographic Protection of Data in Block-Oriented Storage Devices
  - IEEE 1619.1, Authenticated Encryption with Length Expansion for Storage Devices
  - IEEE 1619.2, Wide-Block Encryption for Shared Storage Media
  - IEEE 2883, Sanitizing Storage
- IEEE Standards on energy systems with security requirements:
  - IEEE 1686, IEEE Standard for Intelligent Electronic Devices Cybersecurity Capabilities
  - IEEE P2808, Standard for Function Designations used in Electrical Power Systems for Cyber Services and Cybersecurity
  - IEEE 1711, Cryptographic Protocol for Cyber Security of Substation Serial Links
  - IEEE 1711.2, IEEE Standard for Secure SCADA Communications Protocol (SSCP)
  - IEEE C37.240, Cyber Security Requirements for Substation Automation, Protection and Control Systems
  - IEEE 1402, Physical Security of Electric Power Substations
  - IEEE 2030.102.1, Interoperability of Secure IP Protocols Utilized within Utility Control Systems
For securing wired LANs, WG 802.1 of the IEEE LAN/MAN Standards Committee has developed the IEEE 802.1AE standard, which defines a Layer 2 security protocol called Medium Access Control Security (MACSec) that provides point-to-point security on Ethernet links between nodes.
IEEE actively develops security standards for healthcare and medical devices, as well as wearables.
- IEEE 11073-40101 defines processes for vulnerability assessment as part of the medical device interoperability series of standards.
- The IEEE 2621 family of standards addresses wirelessly connected diabetes devices; it includes IEEE 2621.1-2002, Standard for Wireless Diabetes Device Security Assurance Evaluation: Connected Electronic Product Security Evaluation Programs.
- IEEE Standards focusing on cybersecurity in emerging technologies:
  - IEEE P3172, Recommended Practice for Post-Quantum Cryptography Migration
  - IEEE P1943 Working Group, Post-Quantum Network Security
  - IEEE P1947, Standard for Quantum Cybersecurity Framework
  - IEEE P3481, Standard for the Functional Requirements for Cybersecurity-Specific Large Language Models
  - IEEE P1932.2, Standard for Cybersecurity Management in Distributed Core Networks
  - IEEE P2851.2, Standard for the Enablement of Functional Safety Interoperability with Cybersecurity
- IEEE P2989 focuses on Authentication in a Multi-Server Environment.
IEEE SA is taking a holistic view on cybersecurity and has initiated several critical pre-standardisation Industry Connections programs in this area:
- IC20-021 Meta Issues in Cybersecurity
A new area of work focused on “Human Augmentation” also addresses issues such as security, privacy, and identity: IEEE P2049.2, Standard for Human Augmentation: Privacy and Security, and IEEE P2049.3, Standard for Human Augmentation: Identity.
IEEE’s Certification Program includes:
- IEEE Medical Device Cybersecurity Certification Program: more details can be found at https://standards.ieee.org/
For more information visit https://ieee-sa.imeetcentral.com/eurollingplan/
IETF
The following IETF WGs are active in this area:
With specific reference to Commission Recommendation (EU) C(2024) 2393 of 11 April 2024 on a Coordinated Implementation Roadmap for the transition to PQC, the IETF has established the Post-Quantum Use In Protocols Working Group which provides a standing venue to discuss PQC (operational and engineering) transition issues and experiences to date relevant to work in the IETF. The WG will document operational and design guidance which supports PQC transition. The IETF Security Area is the home for working groups focused on security protocols. They provide one or more of the security services: integrity, authentication, non-repudiation, confidentiality, and access control. Since many of the security mechanisms needed to provide these security services employ cryptography, key management is also vital. In IETF, the OpenPGP, TLS, and LAMPS working groups are actively discussing integrating PQC into their protocols, with cross-protocol issues covered in IETF PQUIP and IRTF CFRG. Work on the necessary JOSE/COSE serializations for the NIST standardised schemes SLH-DSA/ML-DSA is also ongoing.
The Security Area intersects with all other IETF Areas, and the participants are frequently involved with activities in the working groups from other areas. This involvement focuses upon practical application of Security Area protocols and technologies to the protocols of other Areas.
The full list of IETF Working Groups in the Security Area is available here: https://datatracker.ietf.org/wg#sec
3GPP
SA WG3 is responsible for security and privacy in 3GPP systems, determining the security and privacy requirements, and specifying the security architectures and protocols. The WG also ensures the availability of cryptographic algorithms which need to be part of the specifications.
http://www.3gpp.org/specifications-groups/sa-plenary/sa3-security
Ecma International
Secure ECMAScript (SES) is a runtime environment for running ECMAScript (JavaScript) strict-mode code under object-capability (ocap) rules. Ecma Technical Committee TC39 maintains and updates the general purpose, cross platform, vendor-neutral programming language ECMAScript (JavaScript).
TC54 develops and maintains CycloneDX (ECMA-424), a Bill of Materials specification supporting both Software BOM (SBOM) and Cryptography BOM (CBOM), including standardised algorithm families to enable crypto-agility and planning for the transition to PQC. CycloneDX also supports Vulnerability Disclosure Reports (VDR) so vendors can assert and publish known vulnerabilities affecting their products, directly supporting NIS2 coordinated vulnerability-disclosure obligations. In addition, TC54 is specifying the Transparency Exchange API, currently under development, to publish and autonomously discover transparency artefacts (e.g., SBOM/CBOM, VDR, VEX, attestations) at scale. Complementary identifiers and vocabularies, such as Package-URL (PURL) and Common Lifecycle Enumeration (CLE), are progressing toward Ecma ratification, providing consistent cross-ecosystem component identity and lifecycle signalling.
oneM2M
oneM2M’s architecture defines a common middleware technology in a horizontal layer between devices and communications networks and IoT applications. This standardises secure links between connected devices, gateways, communications networks and cloud infrastructure. The oneM2M SDS – System Design and Security working group is also responsible for security and privacy. The following non-exhaustive list highlights some specifications which define and describe security features in oneM2M:
- TS-0001 Functional Architecture
- TS-0003 Security Solutions
- TS-0016 Secure Environment Abstraction
- TS-0032 MAF and MEF Interface Specification (MAF = M2M Authentication Framework; MEF = M2M Enrolment Function)
ITU-T SG20 transposed oneM2M specifications in their Y.450x series. See also Y.oneM2M.SEC.SOL.
All specifications are openly accessible at https://www.onem2m.org/technical.
(C.2) Other activities related to standardisation
ECSO
The European Cyber Security Organisation (ECSO) represents the contractual counterpart to the European Commission for the implementation of the Cyber Security contractual Public-Private Partnership (cPPP).
WG1 focuses on standardisation, certification, labelling and supply chain management.
OIDF
Risk and incident sharing and coordination working group [RISC]
RISC (chartered 2015) provides data-sharing schemas, privacy recommendations and protocols to share information about important security events, in order to prevent attackers from using accounts compromised at one service provider to gain access at other service providers. RISC focuses on peer-to-peer sharing of information related to the state of individual accounts. http://openid.net/wg/risc/charter/
NIST
NIST works on cybersecurity standards, guidelines, best practices, and other resources, primarily to meet the needs of federal agencies and also those of the broader public and industry. Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, issued on May 12, 2021, assigns NIST (among other US agencies) to work on two labelling efforts related to consumer Internet of Things (IoT) devices and consumer software, with the goal of encouraging manufacturers to produce, and purchasers to be informed about, products created with greater consideration of cybersecurity risks and capabilities. On 19 July, the US formally announced the launch of an IoT cybersecurity labelling programme called “US Cyber Trustmark”, to which NIST will be contributing.
NIST has published guidance outlining security measures for critical software, guidelines recommending minimum standards for vendors’ testing of their software source code, preliminary guidelines for enhancing software supply chain security and additional guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria.
Other areas of work include critical infrastructure protection:
- Cyber-Physical Systems for Global Cities Project http://www.nist.gov/el/smartgrid/cpsforglobalcities.cfm
- Cybersecurity for Smart Grid Systems http://www.nist.gov/el/smartgrid/cybersg.cfm
- Cybersecurity for Smart Manufacturing Systems http://www.nist.gov/el/isd/cs/csms.cfm
- Development of New Cybersecurity http://www.nist.gov/itl/cybersecurity-framework-021313.cfm
- Reference Architecture for Cyber-Physical Systems Project Framework http://www.nist.gov/el/smartgrid/cpsarchitecture.cfm
NIST’s work on PQC is focused on organising internationally open competitions for the submission of PQC algorithms and their selection as candidate algorithms for standardisation, covering key exchange, digital signatures, and threshold schemes for cryptographic primitives. At present, one algorithm for key encapsulation and two algorithms for digital signatures have been standardised, specifications for one additional digital signature algorithm are being written, reserve algorithms are being considered as additional potential standards for key agreement, and an additional on-ramp call for digital signatures is ongoing. A further open call on multiparty threshold cryptography is being finalised. The final version of this call (upcoming in 2025) will set a period for submissions, followed by a period of public analysis of the gathered reference material.
Post-Quantum Cryptography | CSRC (nist.gov)
Post-Quantum Cryptography FIPS Approved | CSRC (nist.gov)
PQC Digital Signature Second Round Announcement | CSRC (nist.gov)
Multi-Party Threshold Cryptography | CSRC (nist.gov)
NIST also publishes guidelines on the deprecation timeline for algorithms (NIST IR 8547 initial public draft, Transition to Post-Quantum Cryptography Standards) and on specific aspects of the implementation of PQC (NIST SP 800-227 initial public draft, Recommendations for Key-Encapsulation Mechanisms).
(C.3) Additional information
The Danish business community in May 2022 launched a data ethics and cybersecurity seal for companies. The seal aims to create transparency for consumers and help ambitious companies gain a competitive advantage.
In the Netherlands, the national government has selected a group of security specifications for its comply-or-explain policy (e.g. DNSSEC, DKIM, TLS, SPF, DMARC, STARTTLS, DANE, RPKI), and is actively using various adoption strategies to get the specifications implemented. An effective tool that was developed to drive adoption is the website www.internet.nl (available in English). Organisations and individuals can easily test whether websites offer support for modern Internet Specifications, and the code is open source.
Also in the Netherlands, a method to help improve secure software lifecycle management, including software development, was developed under the title Secure Software Framework (SSF). The framework is applied by software developers in innovative projects, where security of software is of the utmost importance. The framework was published by the Secure Software Alliance (SSA), a public-private program in which developers of software, end users, professional bodies, institutes for research and education and the Dutch Ministry of Economic Affairs and Climate cooperate to promote secure software and connect initiatives in this area. The SSF is part of the Roadmap for Digital Hard- and Software Security of the Ministry of Economic Affairs and Climate.
In September 2020 in the Netherlands, a public-private coalition called the Online Trust Coalition (OTC) was launched, with the original mission to provide an unambiguous, efficient method for cloud service providers to demonstrate that their services are reliable and secure. OTC has made a significant contribution to the EUCS with a method to deliver irrefutable evidence of cloud resilience compliance by means of a standard audit approach. In line with this approach, the OTC has cooperated with the Dutch professional organisation of registered IT auditors to develop the IDRS (International Digital Reporting Standard). The IDRS is meant to demonstrate the existence and efficacy of IT controls, covering the six key areas of IT governance: digital transformation, cyber security, business continuity, data and ethics, sourcing, and privacy. The OTC is now working on methods to harmonise control regimes for a wide selection of legislation in the EU rulebook aimed at board-level responsibilities.
In addition, in the Netherlands, the Centre for Crime Prevention and Safety (the CCV) has launched several initiatives to strengthen cybersecurity for SMEs and service providers. Since 2021, the Risk Classification for Digital Security (RKIDV) has helped entrepreneurs assess risks and apply basic measures aligned with national guidance (DTC/NCSC). The RKIDV is accessible via the website of the Digital Trust Center. Based on the RKIDV, the CCV will introduce the ‘Digital Baseline Security for SMEs’ label, enabling ICT service providers to demonstrate compliance and support their clients. The CCV has also established certification schemes for cybersecurity services, including Penetration Testing, Awareness Training and Incident Response. The Dutch approach also allows service providers and certification bodies from outside the Netherlands to enter the market. Furthermore, the CCV manages the CYRA (Cyber Rating) method. CYRA-IT is already in use, offering a step-by-step maturity model towards ISO/IEC 27001 certification. CYRA-OT (based on IEC 62443) and CYRA-Health (based on NEN 7510) will follow by the end of 2025.
In Germany, the Federal Office for Information Security (BSI) bases several national cyber-security standards, concerning both critical infrastructures and SMEs, on the ISO/IEC EN 270xx family, and the Federal Network Agency (BNetzA) mandates the use of ISO/IEC 27019 (with a few additional requirements in the national IT Security Catalogue) for grid network operators, with mandatory certification.
In Spain, the National Security Framework (ENS), updated in May 2022, is a collective, multidisciplinary, and long-term national effort that has been running for 15 years. The ENS is based on current information security and cybersecurity standards. Implemented as a Royal Decree–based framework, it has been updated several times to align with national and European regulations, address emerging cybersecurity needs and trends, and enable adoption across specific sectors. Compliance is mandatory for all entities in the Spanish public sector, for private sector entities, domestic or foreign, that use their own information systems to provide services to the public sector, and also for entities in the supply chain of the latter, to the extent determined by a prior risk analysis, making it the most widespread legal model in Europe. Supported by successive National Cybersecurity Strategies and the transposition of the NIS Directive, the ENS stands out for its solid foundation and long-established track record. The ENS has proven to be a highly successful framework thanks to its strong linkage between security requirements, certified products and services, and procurement processes. This connection ensures that security measures are fully embedded into procurement, significantly strengthening the overall security posture of organisations. Through the ENS link to the Catalogue of Information and Communication Technology Security Products and Services (CPSTIC) and procurement, the ENS facilitates the use of European certification schemes, like EUCC, and future ones, like EUCS, arising from Regulation (EU) 2019/881, supported by its extensive experience and mandate in certifying products and services.
Thanks to its flexibility, principle of proportionality, maturity, extensive experience in auditing, certification, and monitoring, along with a comprehensive set of guidelines, tools, and sector-specific compliance profiles for the various NIS2 domains—and with more than 1,100 public and private entities already certified, including cloud service providers—the ENS is widely regarded as a robust framework that can serve as a European reference and a model for adoption by other Member States.
ENISA and the European Computer Security Incident Response Team (CSIRT) community have jointly set up a task force with the goal of reaching a consensus on a ‘Reference Security Incident Classification Taxonomy’. Following a discussion among the CSIRT community during the ‘51st TF-CSIRT meeting’ (15 May 2017 in The Hague, Netherlands), it was concluded that there is an urgent need for a taxonomy list and name that serves as a fixed reference for everyone. This is where the so-called ‘Reference Incident Classification Taxonomy Task Force’ comes into play. The aim of this task force is to enable the CSIRT community in reaching a consensus on a universal reference taxonomy. Additionally, the task force covers the following objectives:
- Develop a reference document
- Define and develop an update and versioning mechanism
- Host the reference document
- Organise regular physical meetings with stakeholders
The ENISA NCSS Interactive Map lists all the documents of National Cyber Security Strategies in the EU: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national-cyber-security-strategies-interactive-map
For PQC, in the Netherlands, the General Intelligence and Security Service (AIVD), TNO and Centrum Wiskunde & Informatica (CWI) published a handbook for the migration to PQC (TNO-2024-pqc-en.pdf). The handbook is intended for the Dutch government, businesses, vital sectors and knowledge institutions that work with important information that is being encrypted, such as trade secrets.
The BSI in Germany has issued guidelines on how to implement the migration to a quantum-safe digital infrastructure (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.html; Migration). The recommendations encourage implementing hybrid solutions combining PQC with current asymmetric cryptography, starting with conservative choices for key exchange that ensure a high level of security even if performance is not optimal, using the already standardised hash-based signatures for firmware updates, testing the post-quantum signature schemes for authentication (Dilithium, Falcon, Sphincs+), and considering QKD only in combination with PQC.
France has issued guidelines recommending a transition plan in which PQC algorithms must be hybridised with well-known pre-quantum algorithms and systems must be crypto-agile, i.e. able to update their cryptographic algorithms (anssi-avis-migration-vers-la-cryptographie-post-quantique.pdf).
ENISA has also issued reports on PQC: an overview of the current state of affairs of the PQC standardisation process (https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation) and a study on the necessity to design new cryptographic protocols and integrate post-quantum systems into existing protocols (https://www.enisa.europa.eu/publications/post-quantum-cryptography-integration-study).