(A.) Policy and legislation
(A.1) Policy objectives
The EU’s Cybersecurity Strategy for the Digital Decade (JOIN/2020/18 final) set the main direction for EU cybersecurity policies, which took shape in three areas of EU action – (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace. Furthermore, cybersecurity is to be integrated into all digital investments, and particularly into key technologies.
ProtectEU: a European Internal Security Strategy (COM/2025/148 final) sets out concrete objectives and actions to ensure a safer and more secure Europe. The strategy establishes main directions of action with further measures to improve cybersecurity, among others ensuring an effective implementation of the recently strengthened cybersecurity framework, further simplifying to ease compliance for businesses, improving the European cybersecurity certification framework, reinforcing supply chain security and addressing technological dependencies as a matter of priority. The strategy announces that the Commission will propose relevant measures in the upcoming review of the Cybersecurity Act.
The Communication setting out ICT standardisation priorities for the Digital Single Market (DSM) refers to cybersecurity as a priority domain for Europe.
The NIS 2 Directive (Directive (EU) 2022/2555) entered into force in January 2023, with a deadline for Member States to transpose the Directive by 17 October 2024. The Directive lays down measures that aim to achieve a high common level of cybersecurity across the EU. To that end, the NIS 2 Directive lays down cybersecurity risk-management measures and reporting obligations for essential and important entities. The obligation on entities to appropriately manage cybersecurity risks includes measures for supply chain security. Furthermore, the NIS 2 Directive provides for closer cooperation and capacity building among the Member States and the relevant entities.
In order to promote a convergent implementation of the cybersecurity risk-management measures across the EU, Member States shall encourage the use of European or international standards and technical specifications relevant to the security of network and information systems, without imposing or discriminating in favour of the use of a particular type of technology. The NIS 2 Directive amends the eIDAS Regulation and includes the requirements concerning cybersecurity risk-management and incident reporting for the trust service providers.
The EU Cybersecurity Act (Regulation (EU) 2019/881) established the European Cybersecurity Certification Framework in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and enabling a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services and ICT processes. Under the mandate provided by the EU Cybersecurity Act, the European Union Agency for Cybersecurity (ENISA) can be requested to prepare candidate EU cybersecurity certification schemes. All schemes must contain references to the international, European or national standards (or to other technical specifications) applied in the evaluation of ICT products, ICT services and ICT processes. There is a close linkage between the tasks assigned to ENISA for that purpose and the Rolling Plan for ICT Standardisation.
On 18 April 2023, the Commission proposed an amendment to the Cybersecurity Act, setting forth provisions for the adoption of certification schemes for managed security services. The amendment was adopted on 19 December 2024, through Regulation (EU) 2025/37.
On 31 January 2024, the Commission adopted the first-ever European cybersecurity certification scheme, the European Cybersecurity Scheme on Common Criteria (EUCC), based on the Common Criteria (ISO/IEC 15408) and the Common Evaluation Methodology (ISO/IEC 18045). The scheme offers a Union-wide set of rules and procedures on how to certify ICT products, taking into account their lifecycle, and thus makes them more trustworthy for users. It entered into application on 27 February 2025. The Cyber Resilience Act (see below) foresees the possibility for European cybersecurity certification schemes, including the EUCC, to provide presumption of conformity. Such a presumption of conformity would need to be specified by the Commission.
On 7 February 2024, the Commission also published the Union Rolling Work Programme for European cybersecurity certification (URWP). The URWP outlines strategic priorities for future European cybersecurity certification schemes. It includes general considerations for European cybersecurity certification, such as the importance of standard development activities and the coherence and composability of schemes. Furthermore, the URWP lists areas for possible future certification. This includes areas where European cybersecurity certification schemes are envisaged in connection with legislative developments, such as European Digital Identity Wallets and managed security services. Areas for future reflection regarding cybersecurity certification include Industrial Automation and Control Systems and Secure Lifecycle Development building on the CRA requirements, as well as cryptographic mechanisms.
Finally, on 11 April 2025, the Commission launched the Call for evidence on the initiative to revise the Cybersecurity Act, with the aim of clarifying the mandate of the EU Agency for Cybersecurity (ENISA) and improving the European Cybersecurity Certification Framework to achieve better resilience. The initiative also aims to streamline, simplify and supplement EU legislation to make the implementation of the EU cybersecurity framework more user and business friendly and to prioritise measures to support the EU objectives of developing a secure and resilient supply chain, including the EU cybersecurity industrial base.
The new Cyber Blueprint (C/2025/3445) was adopted on 6 June 2025 by the Telecom Council. This document describes in a clear and simple way the roles and responsibilities in cyber crisis management. The EU cyber blueprint aims to tackle an increasingly complex cyber threat landscape by strengthening existing EU networks, fostering cooperation between member states and actors involved, and overcoming hurdles that may exist. It recognises the importance of cooperation and information sharing across sectors and communities, including civil-military.
Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks identifies a series of actions in order to support the development of a Union approach to ensuring the cybersecurity of 5G networks. The EU Toolbox on 5G cybersecurity (EU Toolbox) published in January 2020 aims to address risks related to the cybersecurity of 5G networks. It identifies and describes a set of strategic and technical measures, as well as corresponding supporting actions to reinforce their effectiveness, which may be put in place in order to mitigate the identified risks. One of the supporting actions focuses on Supporting and shaping 5G standardisation.
The Cyber Resilience Act (CRA) (Regulation (EU) 2024/2847), which entered into force in December 2024 and is now in its transitional period, sets mandatory cybersecurity essential requirements for products with digital elements, including hardware and software products. It relies on harmonised standards to support the implementation of the essential requirements it sets out, building on existing European and international standards.
The AI Act (Regulation (EU) 2024/1689) and the revised Regulation (EU) No 910/2014 on electronic identification and trust services (eIDAS) both add to the trust in digital services. Their implementation may require further standardisation activities, including in the area of cybersecurity.
Post-Quantum Cryptography (PQC) represents the most promising technology to ensure that our communications, data at rest and digital identities remain secure in the new digital quantum era. PQC algorithms are based on mathematical problems that are difficult to solve even for quantum computers. For several applications PQC is a software-only solution, though it will imply a considerable shift not only in widely deployed algorithms but also in protocols, as well as HW/SW co-designed acceleration techniques, post-quantum secure root(s) of trust, firmware updates and HW security modules, and a full transition of the Public Key Infrastructure.
The Commission Recommendation (EU) C(2024) 2393 of 11 April 2024 on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography (PQC) represents a stepping stone for EU policy in the field of digital technologies, in line with the EU Cybersecurity Strategy. The ongoing advances in quantum computing and the optimisation of quantum algorithms relevant for cryptanalysis represent a risk for the current, widely deployed public-key cryptography algorithms, which are used to secure and keep intact most of our communications and transactions, and to authenticate individuals and entities. Migrating to PQC, the most promising solution for quantum-resistant public-key cryptography, is thus needed. The already existing threat of so-called “harvest now, decrypt later” attacks, in which malicious actors store encrypted data now and decrypt it once a cryptographically relevant quantum computer becomes available, and the fact that many devices currently in production could have lifetimes spanning 10 years or more, extending into the period when quantum computers are expected to be available, both call for initiating a transition to PQC now. Moreover, in the future, attacks affecting authentication and digital signatures may also occur, putting in danger digital identities and the legal history of documents. The EU PQC Roadmap published by the PQC workstream of the NIS Cooperation Group states that Member States identify high-risk cases in critical entities and ensure quantum-resistant cryptographic protection for these high-risk cases as soon as possible and no later than by the end of 2030.
The Recommendation also encourages the evaluation and selection of relevant PQC EU algorithms with the help of cybersecurity experts, and the further adoption of such algorithms as European standards that should be implemented across the Union as part of the Coordinated Implementation Roadmap and a contribution to activities at international standardisation bodies.
(A.2) EC perspective and progress report
The Communication on ICT standardisation priorities for the digital single market identified as challenges – among others – the increasing reliance of the economy on digital technologies, along with the complexity across the value chain in many of its applications, as well as access rights to standards that call for improved cooperation in the growing ecosystem of existing and emerging standardisation bodies and organisations. The EU Cybersecurity Strategy and Standardisation Strategy emphasise the need to foster broader multi-stakeholder participation and international cooperation in the area of standardisation in support of the resilience of the EU digital single market but also for reaping the benefits from the investments in standardisation and certification. Work towards addressing these challenges is ongoing.
The European Common Criteria-based cybersecurity certification scheme and the other candidate cybersecurity certification schemes in preparation exemplify the extensive body of standards used in conformity assessment and certification to improve, and make transparent, the effectiveness of the risk controls pertaining to the use of ICT products, services and processes.
The Communication on ICT standardisation priorities for the digital single market resonates with the past policy instruments mentioned above for the priority domain cybersecurity, the “bedrock of trust and reliability”, with the following focus:
- A very high quality of cybersecurity, as specified in standards, built into any new technology or service (“security-by-design”) helps to mainstream cybersecurity requirements into ICT products, services and processes, and helps operators to manage their cybersecurity risks out-of-the-box and during the lifecycle by means of the evaluation and certification methodologies employed in EU cybersecurity certification schemes and in the Cyber Resilience Act, which is to become fully applicable by the end of 2027.
- Communication-enabled distributed digital devices and services in IoT, AI and eIDAS require seamless and interoperable secure authentication and processing across all involved subjects and objects, to enable secure and transparent access to, exchange of and processing of data (“protection-by-design”).
- Encouraging the coherent adoption of standardisation practices across the EU to support the cybersecurity risk-management for essential and important entities in accordance with the NIS2 Directive.
Collaboration and multi-stakeholder governance remains key in standardisation as stressed in the EU Cybersecurity Strategy and EU Standardisation Strategy.
The essential cybersecurity requirements set out in the Cyber Resilience Act (CRA) are designed to ensure an adequate security protection for products with digital elements used by European citizens, business and critical infrastructures. On 3 February 2025, the Commission adopted a formal standardisation request to support the implementation of the CRA. More precisely, the Commission requested 41 standardisation deliverables, including horizontal standards and product-specific deliverables for all the important and critical product categories (Annexes III and IV of the CRA). CEN, CENELEC and ETSI accepted the request and the work is underway.
Additionally, European cybersecurity certification schemes will support the building blocks of ICT standard setting and will rely upon standardisation to establish and harmonise the cybersecurity functional and assessment requirements applied to cybersecurity certification.
Assessment and certification of ICT products, services and processes help consumers make informed decisions and are a means towards technological autonomy. Certification further helps identify such products and services on the grounds of a solid assessment of the cybersecurity requirements by a proficient evaluator. Transparent standards and specifications for the definition and verification of cybersecurity requirements form the very foundation of the “cybersecurity-by-design-and-default” proposition the European Union aims for, including the continuous monitoring of the threat landscape for the purpose of aftermarket improvements to ICT already sold, and support with threat intelligence to remain resilient against the next wave of cyberattacks.
Further progress in technologies that are currently available to a limited set of users, such as quantum key distribution and artificial intelligence, could provide more ways to improve the European Union’s cybersecurity, for instance through the application of quantum key distribution or machine learning respectively.
‘Cybersecurity-by-design-and-default’ as embodied in European instruments like the CRA and certification schemes, together with the European Union’s move towards resilience over the lifecycle of digital technologies, show the way for standardisation activities. Collaboration at European and international level and broad participation in the multi-stakeholder ecosystem of standardisation further reinforce the European Union’s cybersecurity posture.
In this context, European standards and certification schemes can also serve as an enabler for the development of a functioning cybersecurity insurance market. Transparent and verifiable security requirements allow insurers to better assess cyber risk and build consistent coverage models across the single market.
The transparency of standards should not stop at the preparation phase but should extend to their accessibility, so that they are widely received and adopted by the audience concerned. In particular, the evaluation methodologies used in certification schemes should be quotable and available in a machine-readable format.
(A.3) References
- JOIN/2020/18 final – Joint Communication The EU’s Cybersecurity Strategy for the Digital Decade
- Joint Communication on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, JOIN(2017) 450 final
- JOIN(2013) 1 final Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace
- Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
- Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
- Commission Recommendation (EU) 2019/553 of 3 April 2019 on cybersecurity in the energy sector (notified under document C(2019) 2400)
- Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast)
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
- Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union
- Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the EU (NIS Directive)
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to personal data processing and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises – C/2017/6100
- Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks – C/2019/2335
- COM(2016)176 ICT Standardisation Priorities for the Digital Single Market
- COM(2015)192 A Digital single market strategy for Europe
- COM(2017)228 Communication on the Mid-Term Review on the implementation of the Digital Single Market Strategy – A Connected Digital Single Market for All and accompanying Staff Working Document SWD(2017)155
- Cybersecurity of 5G networks – EU Toolbox of risk mitigating measures (01/2020)
- COM/2020/795 Communication on A Counter-Terrorism Agenda for the EU: Anticipate, Prevent, Protect, Respond.
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)
- Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (eIDAS 2.0)
- COM(2022) 454 final Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020. The co-legislators reached an agreement on 30 November 2023, endorsed by the Council on 20 December 2023 and voted by EP plenary on 12 March 2024. The act is now undergoing the final stages of the adoption process.
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
- The EU Toolbox on 5G cybersecurity, EU Toolbox of risk mitigating measures, NIS Cooperation Group, Cybersecurity of 5G networks, 29 January 2020.
- Commission Recommendation (EU) C(2024) 2393 of 11 April 2024 on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography.
- CRA Standardisation request M/606 on eNorm Platform.
- The EU cyber blueprint.
(B) Requested actions
Action 1. Cyber Resilience Act Implementation: European Standardisation Organizations (ESOs) to develop standards in line with the Standardisation Request M/606.
The first deliverables relating to the horizontal framework and vulnerability handling are expected by 30 August 2026. Product-specific standards covering the important and critical product categories (CRA Annexes III and IV) should be ready by 30 October 2026. The set of standardisation deliverables covering the essential requirements of Annex I Part I in a product-agnostic way is due one year later, on 30 October 2027.
SDOs may consider developing relevant standards for products with digital elements that fall in the CRA “default” product category, in coordination with the ongoing standardisation work in reply to M/606 and in constant communication with the open source community, so as to include its Free and Open Source work.
In addition, SDOs should assess potential future vertical areas that would fall under the legislation and prepare to create standards for them, in order to avoid delays.
Action 2. NIS2 Directive Support: ESOs and SDOs are invited to develop standards to protect critical infrastructure per the NIS2 Directive, including the support to trust services under the NIS2, as well as promoting the implementation of the EN 62443 series to support the implementation of operational technology (OT) security in the context of critical infrastructures, such as in the energy sector.
Action 3. Cybersecurity Act/Cybersecurity Certification Framework facilitation: ESOs and SDOs are invited to evaluate current standards under the European Cybersecurity Certification Framework (including both the present and planned schemes as well as initiatives under the Union Rolling Work Programme for European cybersecurity certification (URWP)) to update or introduce new standards on time to facilitate certification activities, including the preparation of candidate certification schemes by ENISA.
Mapping of upcoming EU cybersecurity certification schemes (EUCS, EU5G, MSS, EUDI Wallet) and existing national labels or certification schemes and voluntary assurance mechanisms is recommended, to reduce duplication and facilitate mutual recognition where appropriate.
Action 4. Post-Quantum Cryptography: ESOs, SDOs and Open Source Foundations are welcome to assess post-quantum algorithms, examine advanced cryptographic schemes and adopt standards for secure and interoperable post-quantum communications and authentication, including in hybrid form. These standards should support encryption, authentication and seamless identity management capabilities across a variety of networks, in all layers of the cloud-edge/IoT continuum, and in particular for constrained devices, in line with the limitations of the available resources.
Action 5. Support to the European Health Data Space regulation: ESOs and SDOs are welcome to evaluate the need and feasibility of sector-specific cybersecurity standards for healthcare (e.g. electronic health record systems, digital health applications, software as a medical device, medical device software, IoMT) that would complement the relevant horizontal cybersecurity standards.
Action 6. Horizontal support to EU policies: ESOs and SDOs are invited to perform gap analysis and explore harmonized methodologies for evaluating cybersecurity risks and controls, integrating these into existing and new standards for trusted products and technologies, both software and hardware, in line with EU policy requirements.
ESOs should collaborate with global SDOs to identify available or ongoing technologies of relevance for supporting EU policies.
The ESOs should work with the open source community on setting up appropriate processes for consulting the open source community, and for collaborating with global SDOs and Open Source Foundations on ways to include available Free and Open Source work and avoid duplication of effort. In particular, this applies to activities taking place in line with the Cyber Resilience Act’s Standardisation Request M/606.
Action 7. Continuous (automated) monitoring of compliance: Standardisation organisations should consider the topic of continuous (automated) monitoring of compliance. Available technologies like OSCAL (Open Security Controls Assessment Language) developed by NIST may be a starting point.
(C.) Activities and additional information
(C.1) Related standardisation activities
CEN & CENELEC
CEN-CLC/JTC 13 ‘Cybersecurity and Data Protection’ focuses on Information Technology (IT) and develops European standards for data protection, information protection and security techniques, including: organisational frameworks and methodologies; IT management systems; data protection and privacy guidelines; process and product evaluation schemes; ICT security and physical security technical guidelines; smart technology, objects, distributed computing devices, data services and product security; and support to the EU 5G certification scheme, the Radio Equipment Directive (Directive 2014/53/EU) and the Cyber Resilience Act. The ISO/IEC 27000 series, the Common Criteria for Information Technology Security Evaluation ISO/IEC 15408 and the Common Methodology for Information Technology Security Evaluation ISO/IEC 18045 are adopted as European Standards by this Joint Technical Committee. CEN-CENELEC JTC 13 has established a dedicated Special Working Group on the Cyber Resilience Act (CEN/CLC/JTC 13/WG 9) to address the standardisation needs of the CRA, as defined in the adopted standardisation request (M/606). This working group builds on the experience of the Special Working Group on the RED Standardisation Request (CEN/CLC/JTC 13/WG 8) and has initiated three work items corresponding to the horizontal standards requested for the CRA. A new WG 10 on cryptography has been created to mirror ISO/IEC JTC 1/SC 27/WG 2 and to focus on new topics such as PQC.
CLC/TC 65X ‘Industrial-process measurement, control and automation’ coordinates the preparation of European Standards for industrial process measurement, control and automation (e.g. EN IEC 62443-4-1 Security for industrial automation and control systems – Secure product development lifecycle requirements). The EN IEC 62443 series addresses Operational Technology (OT) found in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare and transport systems. These are sectoral standards, which can also be applied across many technical areas. TC 65X is currently working on updating the 62443 series to meet the requirements of the CRA, as well as on dedicated product standards under M/606 for certain product categories (industrial use cases).
TC 65X has started the following three horizontal projects to address the essential requirements of the CRA:
- EN IEC 62443-4-2 2019prAA (79973)
- EN IEC 62443-3-3 2019prAA (79830)
- EN IEC 62443-4-1:2018/prAA (81481)
and the following vertical product standards:
- prEN 50XXX-1 (81649)
- prEN 50XXX-2 (81650)
- prEN 50XXX-3 (81651)
- prEN 50XXX-4 (81652)
- prEN 50XXX-5 (81653)
- prEN 50XXX-6 (81654)
CLC/TC 47X has been set up to respond to CRA M/606 for microprocessors and microcontrollers (CRA Annex III, class I and class II), as well as FPGAs and ASICs (CRA Annex III, class I), and smartcards including secure elements (CRA Annex IV), in close alignment with CEN/TC 224.
CEN/TC 224 will work on deliverables focusing on the application-side of the smartcards including secure elements (CRA Annex IV), as well as identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers.
CLC/TC 9X provides standards on electrical and electronic systems, equipment and software for use in railway applications. CLC/TS 50701 ‘Railway applications – Cybersecurity’ provides a specification that can be used to demonstrate that a system is cyber secure, has defined Target Security Levels and achieves them during operation and maintenance. Technical Committee IEC TC 9 ‘Electrical equipment and systems for railways’ develops international standards for the railway field, which includes rolling stock, fixed installations and management systems (including supervision, information, communication, signalling and processing systems) for railway operation. Project team 63452 ‘Railway applications – Cybersecurity’ is currently developing a standard which maps and adapts IEC 62443 requirements to the railway application domain and its operational environment.
Cybersecurity standards are also being developed in several vertical sectors, for example: CEN/TC 301 ‘Road Vehicles’, CEN/TC 377 ‘Air-traffic management’, CLC/TC 9X ‘Electrical and electronic applications for railways’, CLC/TC 57 ‘Power systems management and associated information exchange’, CEN-CLC/JTC 19 ‘Blockchain and Distributed Ledger Technologies’, CEN/TC 224 ‘Personal identification and related personal devices’, CLC/TC 45AX ‘Instrumentation, control and electrical power systems of nuclear facilities’.
CEN/CLC/JTC 22 WG 4 is working on PQC, in particular on an equitable analysis of, and comparison between, PQC and Quantum Cryptography (more specifically Quantum Key Distribution, QKD). The CEN-CENELEC Cybersecurity Technical Committee (JTC 13) is currently working on PQC:
http://www.iso.org/iso/iso_technical_committee?commid=45306
ETSI
TC CYBER, is the ETSI centre of expertise for cybersecurity and produces standards for the cybersecurity ecosystem, consumer IoT/devices, protection of personal data and communication, network security, cybersecurity tools and guides, and in support of EU legislation (CRA, GDPR, CSA, RED, NIS2) (details in the CYBER Roadmap). TC CYBER has set up a sub-group for EU standardisation requests (EUSR), focusing on the development of harmonised standards. Currently, several work items are under way or under discussion in response to CRA M/606. ETSI (TC CYBER) has been working with GSMA and 3GPP in support of Action 2 on the enhancement of existing standards and assessment schemes (NESAS and SAS) for EU5G. ETSI is also working with O-RAN alliance to make O-RAN specifications including assurance specifications available, including for use with CRA. TC CYBER has also produced further standards such as Privileged Access Workstation Security TS 103 994 which supports Action 1 & 10.
ETSI CYBER QSC continue to track the work of NIST on standardisation of post-quantum algorithms. ETSI will both update and extend ETSI CYBER QSC specification as the NIST work progresses, which would be applicable to all Requested Actions. ETSI has already published a number of relevant guidelines and documents on: TR 104 016 – V1.1.1 – CYBER; Quantum-Safe Cryptography (QSC); A Repeatable Framework for Quantum-Safe Migrations, TR 103 949 – V1.1.1 – Quantum-Safe Cryptography (QSC) Migration; ITS and C-ITS migration study, TR 103 692 – V1.1.1 – CYBER; State management for stateful authentication mechanisms, TS 103 744 – V1.1.1 – CYBER; Quantum-safe Hybrid Key Exchanges , TR 103 619 – V1.1.1 – CYBER; Migration strategies and recommendations to Quantum Safe schemes . ETSI has also recently launched its post-quantum security standard to guarantee the protection of critical data and communications in the future. The specification TS 104 015 – V1.1.1 – Cyber Security (CYBER); Quantum-Safe Cryptography (QSC); Efficient Quantum-Safe Hybrid Key Exchanges with Hidden Access Policies enhances security mechanisms, ensuring that only authorized users with the correct permissions can access sensitive data to decrypt them. Guidelines and reports on the migration to PQC have been published by NSAs, such as ANSSI in France (“ANSSI views on the Post-Quantum Cryptography transition”, 2022 and “ANSSI views on the Post-Quantum Cryptography transition (2023 follow up)”, 2023) and BSI in Germany (“Quantum-safe cryptography – fundamentals, current developments and recommendations”, 2021) and also by ENISA (“Post-Quantum Cryptography Integration study”, 2021 and the report “Post-Quantum Cryptography: current state and quantum mitigation”, 2021).
The work by ETSI on migrating to a fully quantum-safe cryptographic state builds on a combination of approaches for the transition to a quantum-safe digital infrastructure. It also builds on the work done in the Industry Specification Group on Quantum Key Distribution (ETSI ISG QKD), with a focus on the practical implementation of quantum primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications. The publications cover requirements for security proofs of QKD protocols and authentication, precise characterisation of QKD modules and components, and approaches to integrate QKD into networks. The work considers the security of system implementations and aims to assist the certification of QKD systems using the Common Criteria and to support the industrialisation of QKD technology to secure ICT networks. Work is also done in an EU-funded action grant at ETSI, in the context of the Annual Union Work Plan for European Standardisation, on the combination of post-quantum cryptography with QKD (to serve QKD networks), in particular on: developing standards for specific hybridisation schemes combining conventional and post-quantum methods with QKD; a Common Criteria Protection Profile for a Key Processing Module that can work with other such modules to agree secret random keys across a trusted-node QKD network; a new ETSI Technical Specification for an authenticated hybrid key establishment method, including requirements for QKD (AQSHKEX, Authenticated Quantum Safe Hybrid Key Exchange); and a new Technical Specification for a quantum-safe (QS) profile for ETS (Enterprise Transport Security).
ISG PDL (Industry Specification Group on Permissioned Distributed Ledgers and Distributed Ledger Technology) has published Group Reports and Group Specifications (GRs and GSs) on smart contracts and a GS on DAOs (Distributed Autonomous Organisations), among other subjects such as non-repudiation, redactability and digital identity. Many of these address security and integrity matters:
- ETSI GR PDL 004 V1.1.1 – PDL Smart Contracts System Architecture and Functional Specification
- ETSI GS PDL 011 V2.1.1 – Specification of Requirements for Smart Contracts’ Architecture and Security
- ETSI GR PDL 014 V1.1.1 – Study on Non-repudiation Techniques
- ETSI GR PDL 017 V1.1.1 – eIDAS2, in cooperation with TC ESI
- ETSI GS PDL 018 V1.2.1 – Redactable Distributed Ledgers
- ETSI GR PDL 019 V1.1.1 – PDL Services for Identity and Trust Management
- ETSI GS PDL 023 V1.1.1 – DID – Decentralized Identifiers Framework
- ETSI GS PDL 027 V1.1.1 – SSI in Telecom Networks (draft)
- ETSI GR PDL 028 V1.1.1 – PDL in oneM2M IoT Standards (draft)
- ETSI GS PDL 029 V1.1.1 – Distributed Autonomous Organization (in approval)
- ETSI GR PDL 030 V1.1.1 – Trust in Telecom Systems (draft)
ISG MEC (Multi-access Edge Computing) led the publication of a White Paper on “MEC security: Status of standards support and future evolutions”, written by several authors participating in ETSI ISG MEC, ETSI ISG NFV SEC and ETSI TC CYBER. The work identified aspects of security where the nature of edge computing leaves typical industry approaches to cloud security insufficient. As a follow-up, the MEC group started a related study on MEC Security (ETSI GR MEC 041) and has commenced associated normative work, including an API Gateway for Client Applications (ETSI GS MEC 060), with architectural impacts captured in the latest draft of the Framework and Reference Architecture specification (ETSI GS MEC 003).
ETSI also works on other specific security topics, including: the security of mobile communications, including the 5G network equipment security assurance specifications (3GPP SA3); network functions virtualisation (ETSI NFV ISG SEC WG6); intelligent transport systems (ITS WG5); digital enhanced cordless telecommunications (DECT™); M2M/IoT communications (oneM2M published standards, latest drafts); reconfigurable radio systems (ETSI TC RRS); IPv6-based secure internet protocol best practices and IPv4 sunsetting guidelines (ETSI ISG IPE); emergency telecommunications (including terrestrial trunked radio (TETRA)); and electronic signatures and trust service providers, with a set of standards for the certification of trust services from TC ESI (ESI activities). More recently, ISG ETI (Encrypted Traffic Integration) has been expanding the development of the Zero Trust Architecture to address the problems cited in ETSI GR ETI 001.
TC SET is producing the standards for two secure element platforms: the UICC, the most widely deployed secure element, with billions of units entering the market every year as SIM cards, and the SSP, a disruptive TC SET proposal for a high-end, high-security secure element. TC SET and some of its members are involved in the development of the EU5G certification process through the development of the eUICC certification scheme based on EUCC, and TC SET is committed to continuing its cooperation with ENISA to add an EU scheme for production and personalisation site certification. In addition, TC SET has standardised a major evolution of the UICC platform allowing the support of EU digital identity compliant with the requirements of the eIDAS Regulation. TC SET has started to work on migration to PQC technologies.
IEC
Project team IEC/TC 9/PT 63452 ‘Railway applications – Cybersecurity’ is responsible for adapting IEC 62443 requirements to the railway application domain and its operational environment, and details how the requirements are applied in that context. It provides guidance on how the security process can be interfaced with the generic RAMS life cycle of IEC 62278. It is in charge of defining the cybersecurity activities and cybersecurity deliverables needed to identify, monitor and manage cybersecurity risks within a railway application.
Committee IEC/TC 65 ‘Industrial-process measurement, control and automation’ develops International Standards for systems and elements used for industrial-process measurement and control concerning continuous and batch processes.
Working Group IEC/TC 65/WG 10 ‘Security for industrial process measurement and control – network and system security’ is responsible for the IEC 62443 series on Industrial communication networks, which addresses the prevention of illegal or unwanted penetration, intentional or unintentional interference with the proper and intended operation, or inappropriate access to confidential information in industrial automation and control systems.
IEC 62443-4-2:2019 ‘Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components’ was published in 2019 and IEC 62443-3-2:2020 ‘Security for industrial automation and control systems – Part 3-2: Security risk assessment and system design’ was published in 2020. The publication of International Standard IEC 62443-2-1 (edition 2) ‘Security for industrial automation and control systems – Part 2-1: Security program requirements for IACS asset owners’ is expected in 2021.
Technical Committee IEC/TC 57 ‘Power systems management and associated information exchange’ is responsible for the IEC 62351 standards series ‘Power systems management and associated information exchange – Data and communications security’. The different security objectives of this series include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.
IECEE/ICAB
Conformity Assessment (CA) is any activity that results in determining whether a product or other object corresponds to the requirements contained in a standard or specification. The IEC runs four CA systems, each of which operates schemes based on third-party conformity assessment certification. They establish that a product is reliable and meets expectations in terms of performance, safety, efficiency, durability, etc. This is especially crucial for cybersecurity.
IECEE, the IEC system for Conformity Assessment Schemes for Electrotechnical Equipment and Components, which issues internationally recognized certification on Cybersecurity, operates the CB scheme, facilitating cooperation among accepted National Certification Bodies (NCBs) worldwide. NCBs perform market surveillance functions, which ensure that the overall production line is constantly compliant with the initial testing/certification.
The IECEE Full Certification Scheme is an extension of the IECEE CB Scheme, in which initial and/or periodic surveillance of production is performed. The Scheme provides evidence that each certified product offers the same quality/safety level as the type-tested sample.
The CAB (Conformity Assessment Board) is responsible for setting the IEC’s conformity assessment policy, promoting and maintaining relations with international organizations on conformity assessment matters.
OASIS
The OASIS Cyber Threat Intelligence (CTI) TC defines a set of information representations and protocols to support automated information sharing for cybersecurity situational awareness, real-time network defence, and sophisticated threat analysis. The Structured Threat Information eXpression (STIX) language, launched in 2014 and most recently issued as STIX v2.1 in 2021, provides a common set of descriptors for security threats and events. The Trusted Automated Exchange of Indicator Information (TAXII) specification, launched in 2014 and most recently issued as TAXII v2.1 in 2020, provides common message exchange patterns.
- The OASIS Open Services for Lifecycle Collaboration (OSLC) project issues tools and specifications to support shared software configuration and change management, under open source licenses and using W3C Linked Data methods. In 2023 OSLC issued OSLC Configuration Management v1.0, an RDF vocabulary and a set of REST APIs for managing versions and configurations of linked data resources from multiple domains, and OSLC Tracked Resource Set v3.0, methods to track additions to and removals from a set of resources, components or code sets, as well as to track state changes.
- OASIS will publish a unified, machine-readable approach to managing and sharing End-of-Life (EOL) and End-of-Support (EOS) information for commercial and open source software and hardware. Shareable, interoperable and widely consumable notices of this kind will power and simplify widespread software security management frameworks.
- The Open Supply-Chain Information Modeling (OSIM) TC was launched in 2024 to model data for software provenance, re-use, safety, and compliance certification, to address policy requirements such as the Cyber Resilience Act and Software Bill of Materials (SBOM) rules requiring aggregation of safety and interoperability metadata from multiple sources. It is likely to integrate other specifications such as the Ecma CycloneDX standard, the ISO/IEC 5962:2021 SPDX standard for licensing information, the OASIS Vulnerability Exploitability Exchange (VEX) profile (see CSAF in this section), and other work in progress such as IETF’s SCITT program.
- OASIS’ Computing Ecosystem Supply-Chain (CES-TC) committee defines a multi-tier, cross-vendor supply chain data sharing system, using data schemas and ontologies, APIs, and smart contracts, to enable planning, enhanced visibility, enhanced resilience, and deeper traceability in order to build trusted, secure, and sustainable products and services.
- The OASIS Heimdall Data Format (OHDF) committee is establishing standard data formats for exchanging normalized security data between cybersecurity tools (which today often each emit different notices, warnings and identifiers), to allow for ease of mapping and enrichment of security data to relevant compliance standards such as GDPR, PCI-DSS, etc.
- The OASIS Defending Against Deception Common Data Model (DAD-CDM) project applies cybersecurity methods to detect, track and mitigate information quality issues. The project will extend existing object models and defence methods, including the STIX standard, to address misinformation, domestic and foreign manipulation and interference influence operations, and online harm campaigns. Defense in this context includes enabling effective remediation in real time, as well as building strategies, plans and capabilities to manage information quality risks.
- The OASIS Open Command and Control (OpenC2) TC provides a suite of specifications to administer command and control of cyber defence functions across diverse devices and systems, as well as specific security protocols for transmitting those commands in potentially hostile, vulnerable, or high-latency (IoT) environments. The base standard is the OpenC2 Language Specification v1.0 published in 2019; the committee also issued a JSON Abstract Data Notation (JADN) v2.0 in 2025 for simple formal semantic expressions. See also the OpenC2 overview. In addition, the TC issued the OpenC2 Profile for Stateless Packet Filtering v1.0 in 2019, and a Specification for Transfer of OpenC2 Messages via HTTPS v1.1 and Specification for Transfer of OpenC2 Messages via MQTT v1.0 in 2021.
- The Collaborative Automated Course of Action Operations (CACAO) for Cybersecurity TC provides a standard to describe the prevention, mitigation, and remediation steps in a course of action “playbooks” in a structured machine-readable format that can be shared across organizational boundaries and technology solutions. The CACAO Security Playbooks Version 2.0 specification was published in 2023.
- The OASIS Common Security Advisory Framework (CSAF) TC provides standard structured machine-readable formats for security vulnerability-related advisories in JSON format, as well as secure distribution mechanisms for discovery and disclosure. Its Vulnerability Exploitability Exchange (VEX) profile adds secure methods and actionable metadata for Software Bills of Materials (SBOMs), specifying correlations to global databases of known vulnerabilities. The TC delivered the CSAF Common Vulnerability Reporting Framework (CVRF) V1.2 in 2017 and published version 2.0 of the framework in 2022. CSAF v2.0 is also issued as ISO/IEC
- The OASIS Threat Actor Context (TAC) TC establishes a common knowledge framework that enables semantic interoperability of threat actor contextual information. This framework allows organisations to strategically correlate and analyse attack data, using a formal model relying on the W3C Web Ontology Language (OWL) specification. This formalism allows high-volume automated or AI analysis and threat response, as well as manual response, and enables a better understanding of an adversary’s goals, capabilities, and trends in targeting and techniques.
- The Open Cybersecurity Alliance OASIS Open Project aims to bring together vendors and end users in an open cybersecurity ecosystem where products can freely exchange information, insights, analytics, and orchestrated response. The OCA supports commonly developed code and tooling and the use of mutually agreed upon technologies, data standards, and procedures.
- OASIS launched the Space Automated Threat Intelligence Sharing (SATIS) TC in 2024 to extend OASIS STIX and other cybersecurity threat sharing and response standards to space sector use cases, including satellites, ground stations, and other space infrastructure.
ISO/IEC JTC 1
Technical Committee ISO/IEC JTC 1/SC 27 ‘Information security, cybersecurity and privacy protection’ produces the International Standards for the protection of electronic information assets and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:
- Security requirements capture methodology;
- Management of information and ICT security; in particular information security management systems, security processes, and security controls and services;
- Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
- Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
- Security aspects of identity management, biometrics and privacy;
- Conformance assessment, accreditation and auditing requirements in the area of information security management systems;
- Security evaluation criteria and methodology.
Included in the 198 published International Standards are the ISO 27000 Information Security Management Standards series as well as the Common Criteria for Information Technology Evaluation ISO/IEC 15408 and the Common Methodology for Information Technology Evaluation ISO/IEC 18045.
Concerning PQC, the evaluation of algorithms as candidates for standards is being done in the context of the competitions organised by NIST, supported by the EU through the contribution of EU-funded researchers. Such candidate standards are meant for both key exchange and digital signatures. NIST is coordinating with ISO/IEC JTC 1/SC 27 (https://committee.iso.org/home/jtc1sc27) and will standardise through it. At present, standards have been published for stateful hash-based signatures, a key-encapsulation mechanism and digital signatures, but others will come via the ongoing on-ramp competition for digital signatures, reserve algorithms under consideration for key exchange, and in the future threshold schemes for cryptographic primitives. SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas. ISO/IEC standards can be fast-tracked to CEN/CENELEC through the Vienna and Frankfurt agreements.
Cryptographic mechanisms are handled by WG 2 (Cryptographic Mechanisms) of ISO/IEC JTC 1/SC 27. ISO is close to finishing the standardisation of stateful hash-based signatures, which are already standardised by NIST and in IETF RFCs 8391 and 8554. ISO WG 2 has issued SC 27 committee document 208 – Post-Quantum Cryptography, a white paper explaining the general setting of PQC and five core types of hardness assumptions. SC 27/WG 2 is also on track to issue an amendment to a standard on key encapsulation to include three post-quantum KEMs: one selected by NIST, and two others that are more conservative.
JTC1/SC27/WG2 also works on Fully Homomorphic Encryption.
Other ISO committees have issued statements on PQC to highlight their awareness and intention to migrate. For example, ISO/TC 68/SC 2/WG 11 (Encryption algorithms used in banking applications) issued the report Quantum Computing and the Financial Services Industry.
ITU-T
ITU-T SG2 is ready to approve Recommendation ITU-T E.371, “Deemed impermissible traffic”, which defines deemed impermissible traffic that is considered inappropriate, illegal, or against the terms of service. It can include various activities such as call refiling, over the top (OTT) bypass, wangiri, etc., or any other behaviour that violates the rules and regulations of any country. Deemed impermissible traffic can have serious legal, ethical, and privacy implications, leading to financial loss, compromised personal information as well as invasion of privacy. The Recommendation emphasizes the importance of understanding impermissible traffic and its potential consequences. It highlights the negative impact on security, privacy and user experience as well as quality of service (QoS) and quality of experience (QoE). The solutions and the use case sections of the Recommendation provide practical measures to combat impermissible traffic effectively. SG2 is also ready to approve a revision of Recommendation ITU-T E.156, “Guidelines for ITU-T action on reported misuse of ITU-T E.164 number resources”, which aims to clarify the process to report the potential misuse and the measures available to the entities who manage the numbering resources potentially being misused. Finally, SG2 has also started work on draft Recommendation ITU-T E.RAA4Q.TSCA, “Registration Authority assignment criteria to issue digital public certificates for use by Q.TSCA”, which intends to provide a consistent and transparent means by which registration authorities will be selected for the purpose of the issuance of certificates to facilitate secure signalling of telephone numbers.
More info: http://itu.int/ITU-T/go/tsg2
ITU-T SG17 (Security) is responsible for developing international standards to enhance confidence, security and trust in the use of telecommunications/ICTs, in the context of an ever-growing attack surface and confronted with an unbalanced threat landscape. Providing security by ICTs and ensuring security for ICTs are both major study areas for SG17. SG17 develops globally harmonized standards on security model, framework, architecture and lifecycle, cybersecurity and service, security management, end-device, edge, network, cloud and application security, data protection techniques, new and emerging security technologies, open system interconnection (OSI) and technical languages. Over 300 ITU-T Recommendations have been developed including the security Recommendations under the ITU-T X-series.
Recently, ITU-T SG17’s work increased specifically on security and trustworthiness of AI systems, fixed mobile satellite converged networking, cloud computing, intelligent transport systems, distributed ledger technologies and quantum-safe communications. SG17 is extending ITU-T X.509 on Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI) as foundation for global interoperable identity and trust management of Artificial Intelligence (AI) agents in collaboration with other SDOs.
More info: http://itu.int/ITU-T/go/tsg17
Since 2016, ITU-T SG11 has been continuing its studies on the implementation of security measures at the signalling level in order to cope with different types of attacks on existing ICT infrastructure and services (e.g. OTP interception, call interception, number spoofing, robocalls, etc.). Validating the calling party could help prevent such attacks. Only calls that have been successfully validated by the network would be allowed to pass through the network and reach the terminating party. The validation can be based on signing sensitive information in the signalling exchange (e.g., the CLI) to guarantee the trustworthiness of the information and the caller’s identity. This would involve using digital public-key certificates (ITU-T X.509) issued by dedicated Certification Authorities (CAs) specifically for use in the telecommunications environment, not internet-based certificates.
ITU-T SG11 has been developing a series of standards defining the procedure for incorporating and validating digital public-key certificates at the signalling level, including signing the CLI in SS7-based networks (ITU-T Q.3057, Q.3062, Q.3063, Amd.2 to Q.931, Amd.6 to Q.1902.3, Amd.7 to Q.763).
Currently, ITU-T SG11 is developing ITU-T Q.TSCA “Requirements for issuing End-Entity and Certification Authority certificates for enabling trustable signalling interconnection between network entities,” which defines the requirements for the verification of information elements in certificate signing requests.
In addition, ITU-T SG2 continues the development of ITU-T E.RAA4Q.TSCA “Registration Authority Assignment criteria to issue digital public certificates for use by Q.TSCA” which defines the criteria for the selection of registration authorities for use in relation to Q.TSCA, and the process by which the criteria would be used to select registration authorities to support the allocation of digital public certificates that will facilitate implementation in support of Q.TSCA.
SG11 has also approved Technical Report QSTR-SS7-DFS “SS7 vulnerabilities and mitigation measures for digital financial services transactions” and Technical Report QSTR-USSD (2021) “Low resource requirement, quantum resistant, encryption of USSD messages for use in financial services”.
All relevant events as well as additional details of ITU activities on this matter are available at: https://itu.int/go/SIG-SECURITY
ITU-T SG13 develops standards for quantum key distribution networks (QKDN) and related technologies. It further studies the concepts and mechanisms to enable trusted ICT, including framework, requirements, capabilities, architectures and implementation scenarios of trusted network infrastructures and trusted cloud solutions.
ITU-T SG13 produced the Y.3800-series Recommendations related to QKDN. ITU-T SG13 is also carrying out work on trust in telecommunications and approved Y.2073 “Standardisation roadmap on Trustworthy Networking and Services”, Y.3058 “Functional architecture for trust enabled service provisioning”, Y.3059 “Trust Registry for Devices: requirements, architectural framework”, Y.3060 “Autonomous networks – overview on trust” and Y.3062 “Trustworthiness evaluation for IMT-2020 and Beyond with autonomous network functions”.
ITU-T SG5 develops standards on the electrical protection, reliability, safety, and security of telecommunication/ICT systems. It studies measures applicable to facilities and systems against the effects of lightning and of attacks using extreme electromagnetic fields, such as High-Altitude Electromagnetic Pulse (HEMP) and High-Power Electromagnetic (HPEM) attacks, which pose threats to ICT societies.
ITU-T SG20 develops standards on aspects related to security, privacy, trustworthiness, and identification of Internet of Things (IoT) and smart sustainable cities and communities (SSC&C).
More info: https://itu.int/go/tsg20
W3C
W3C approaches security through three main activities:
- Develop security technology standards
- Review and increase the security of web standards
- Guide Web Developers to design and develop in a secure manner
Developing security standards
- The Web Application Security Working Group develops security and policy mechanisms to improve the security of Web applications and enable secure cross-site communication.
- The Web Authentication Working Group defined a client-side API providing strong authentication functionality to Web applications.
- The Federated Identity Working Group supports authentication and authorisation flows without compromising security and privacy principles.
- The Web Payment Security Working Group enhances the security and interoperability of various Web payment technologies.
- The Web Incubation Community Group incubates new Web APIs; it hosts some interesting and promising proposals for cybersecurity, such as Device Bound Session Credentials, the Digital Credentials API, and Realms Initialization Control to virtualise the web environment.
- The Threat Modeling Community Group incubates threat models on security, privacy, and harms for Digital Credentials and AI.
- The Web Forensics Community Group incubates standardisation of guidelines and formats for acquiring evidence from the Web.
Reviewing the security of web standards
The Security Interest Group’s (SING) mission is to improve security on the Web by advising groups developing standards on how to avoid and mitigate security issues with their technologies; the group also suggests changes to existing standards and technologies to improve security.
Guiding Web Developers to design and develop in a secure manner
To guide Web developers to design and develop in a secure manner, W3C created a cross-organisation group that ensures a holistic approach to security.
- The Security Web Application Guidelines (SWAG) Community Group increases the overall security of web application development, thereby making the web a more secure platform for web users, through the publication of security best practices for web creators and by providing a platform for stakeholder collaboration (e.g., OpenSSF, OWASP, Open Web Docs, etc.).
More information at https://www.w3.org/Security
IEEE
- IEEE has standardisation activities in the cybersecurity/network and information security space. It also addresses anti-malware technologies, encryption, fixed and removable storage, and hard copy devices, as well as applications of these technologies for smart grids or healthcare.
- The IEEE Computer Society AI Standards committee is working on IEEE P2986, Recommended Practice for Privacy and Security for Federated Machine Learning.
- The “Privacy and Security Architecture for Consumer Wireless Devices” Working Group standardises a privacy and security architecture for wireless consumer devices (P1912).
- IEEE 1609.2.1 specifies certificate management protocols to support the provisioning and management of digital certificates for end entities, that is, actors that use digital certificates to authorise application activities according to IEEE Std 1609.2(TM).
- IEEE standards for Secure Computing include:
  - IEEE 2952, Secure Computing Based on Trusted Execution Environment
  - IEEE P2834, Secure and Trusted Learning Systems
  - IEEE P3167, Secure Biometrics Device Interface
  - IEEE 3169, Security Requirement of Privacy-Preserving Computation
- IEEE standards for cryptographic and data authentication procedures for storage devices include:
  - IEEE 1619, Cryptographic Protection of Data in Block-Oriented Storage Devices
  - IEEE 1619.1, Authenticated Encryption with Length Expansion for Storage Devices
  - IEEE 1619.2, Wide-Block Encryption for Shared Storage Media
  - IEEE 2883, Sanitizing Storage
- IEEE standards on energy systems with security requirements include:
  - IEEE 1686, IEEE Standard for Intelligent Electronic Devices Cybersecurity Capabilities
  - IEEE P2808, Standard for Function Designations used in Electrical Power Systems for Cyber Services and Cybersecurity
  - IEEE 1711, Cryptographic Protocol for Cyber Security of Substation Serial Links
  - IEEE 1711.2, IEEE Standard for Secure SCADA Communications Protocol (SSCP)
  - IEEE C37.240, Cyber Security Requirements for Substation Automation, Protection and Control Systems
  - IEEE 1402, Physical Security of Electric Power Substations
  - IEEE 2030.102.1, Interoperability of Secure IP Protocols Utilized within Utility Control Systems
For securing wired LANs, WG 802.1 of the IEEE LAN/MAN Standards Committee has developed the IEEE 802.1AE standard, which defines a Layer 2 security protocol called Medium Access Control Security (MACSec) that provides point-to-point security on Ethernet links between nodes.
IEEE actively develops security standards for healthcare and medical devices, as well as wearables.
- IEEE 11073-40101 defines processes for vulnerability assessment as part of the medical device interoperability series of standards.
- The IEEE 2621 family of standards addresses wirelessly connected diabetes devices: IEEE 2621.1-2002, Standard for Wireless Diabetes Device Security Assurance Evaluation: Connected Electronic Product Security Evaluation Programs.
- IEEE standards focusing on cybersecurity in emerging technologies include:
  - IEEE P3172, Recommended Practice for Post-Quantum Cryptography Migration
  - IEEE P1943 Working Group, Post-Quantum Network Security
  - IEEE P1947, Standard for Quantum Cybersecurity Framework
  - IEEE P3481, Standard for the Functional Requirements for Cybersecurity-Specific Large Language Models
  - IEEE P1932.2, Standard for Cybersecurity Management in Distributed Core Networks
  - IEEE P2851.2, Standard for the Enablement of Functional Safety Interoperability with Cybersecurity
- IEEE P2989 focuses on Authentication in a Multi-Server Environment.
IEEE SA is taking a holistic view on cybersecurity and has initiated several critical pre-standardisation Industry Connections programs in this area:
  - IC20-021, Meta Issues in Cybersecurity
A new area of work focused on “Human Augmentation” also addresses issues such as security, privacy, and identity: IEEE P2049.2, Standard for Human Augmentation: Privacy and Security, and IEEE P2049.3, Standard for Human Augmentation: Identity.
IEEE’s Certification Program includes:
  - IEEE Medical Device Cybersecurity Certification Program: more details can be found at https://standards.ieee.org/
For more information visit https://ieee-sa.imeetcentral.com/eurollingplan/
IETF
The following IETF working groups are active in this area.
With specific reference to Commission Recommendation (EU) C(2024) 2393 of 11 April 2024 on a Coordinated Implementation Roadmap for the transition to PQC, the IETF has established the Post-Quantum Use In Protocols (PQUIP) Working Group, which provides a standing venue to discuss PQC transition issues (operational and engineering) and experiences to date relevant to work in the IETF. The WG will document operational and design guidance that supports the PQC transition. The IETF Security Area is the home for working groups focused on security protocols. These provide one or more of the security services integrity, authentication, non-repudiation, confidentiality and access control. Since many of the mechanisms needed to provide these services employ cryptography, key management is also vital. In the IETF, the OpenPGP, TLS and LAMPS working groups are actively discussing the integration of PQC into their protocols, with cross-protocol issues covered in IETF PQUIP and IRTF CFRG. Work on the necessary JOSE/COSE serialisations for the NIST-standardised schemes SLH-DSA and ML-DSA is also ongoing.
The Security Area intersects with all other IETF Areas, and the participants are frequently involved with activities in the working groups from other areas. This involvement focuses upon practical application of Security Area protocols and technologies to the protocols of other Areas.
The full list of IETF Working Groups in the Security Area is available here: https://datatracker.ietf.org/wg#sec
3GPP
SA WG3 is responsible for security and privacy in 3GPP systems, determining the security and privacy requirements, and specifying the security architectures and protocols. The WG also ensures the availability of cryptographic algorithms which need to be part of the specifications.
http://www.3gpp.org/specifications-groups/sa-plenary/sa3-security
Ecma International
Secure ECMAScript (SES) is a runtime environment for running ECMAScript (JavaScript) strict-mode code under object-capability (ocap) rules. Ecma Technical Committee TC39 maintains and updates the general-purpose, cross-platform, vendor-neutral programming language ECMAScript (JavaScript).
TC54 develops and maintains CycloneDX (ECMA-424), a Bill of Materials specification supporting both Software BOM (SBOM) and Cryptography BOM (CBOM), including standardised algorithm families to enable crypto-agility and planning for the transition to PQC. CycloneDX also supports Vulnerability Disclosure Reports (VDR) so vendors can assert and publish known vulnerabilities affecting their products, directly supporting NIS2 coordinated vulnerability-disclosure obligations. In addition, TC54 is specifying the Transparency Exchange API, currently under development, to publish and autonomously discover transparency artefacts (e.g., SBOM/CBOM, VDR, VEX, attestations) at scale. Complementary identifiers and vocabularies, such as Package-URL (PURL) and Common Lifecycle Enumeration (CLE), are progressing toward Ecma ratification, providing consistent cross-ecosystem component identity and lifecycle signalling.
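As an added illustration of how the algorithm families recorded in a CBOM can feed PQC transition planning (example code written for this page, not CycloneDX project code), the following Python scans a constructed CycloneDX 1.6 CBOM and labels each algorithm asset as quantum-vulnerable, quantum-safe or symmetric. The cryptoProperties field names are assumed from the 1.6 schema, and the classification rule is this example's own, not a CycloneDX rule.

```python
# Added example for this page, not CycloneDX (ECMA-424) project code.
# Assumption: cryptoProperties field names follow the CycloneDX 1.6 schema
# as understood by the example's author; the classification rule and the
# sample BOM are constructed for illustration.
import json

# Primitives whose security rests on factoring or discrete logarithms and
# therefore need replacement (or hybridisation) before PQC cut-over.
ASYMMETRIC_PRIMITIVES = {"pke", "signature", "key-agree", "kem"}
# Symmetric and hash primitives need larger parameters, not replacement.
SYMMETRIC_PRIMITIVES = {"block-cipher", "stream-cipher", "ae", "mac", "hash",
                        "kdf", "xof", "drbg"}


def _asset(name, **algorithm_properties):
    """Build one cryptographic-asset component for the constructed sample."""
    return {"type": "cryptographic-asset", "name": name,
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": algorithm_properties}}


# Constructed sample CBOM (not a real inventory).
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "example-tls-lib", "version": "1.0.0"},
        _asset("RSA-2048", primitive="signature", parameterSetIdentifier="2048",
               nistQuantumSecurityLevel=0),
        _asset("ECDH-P256", primitive="key-agree", curve="P-256"),
        _asset("ML-KEM-768", primitive="kem", parameterSetIdentifier="768",
               nistQuantumSecurityLevel=3),
        _asset("AES-128-GCM", primitive="ae", parameterSetIdentifier="128"),
    ]})


def classify(algorithm_properties):
    """Return a migration verdict for one algorithmProperties object."""
    primitive = algorithm_properties.get("primitive", "unknown")
    if primitive in ASYMMETRIC_PRIMITIVES:
        # nistQuantumSecurityLevel is the claimed NIST PQC category (1-5);
        # 0 or absent means the producer asserts no quantum resistance.
        if algorithm_properties.get("nistQuantumSecurityLevel", 0) > 0:
            return "quantum-safe"
        return "quantum-vulnerable"
    if primitive in SYMMETRIC_PRIMITIVES:
        return "symmetric"
    return "review"


def pqc_findings(cbom_text):
    """Map every algorithm asset in the CBOM to its migration verdict."""
    bom = json.loads(cbom_text)
    verdicts = {}
    for component in bom.get("components", []):
        props = component.get("cryptoProperties") or {}
        # Only cryptographic-asset components of assetType "algorithm" count;
        # certificates, protocols and plain libraries are skipped here.
        if component.get("type") == "cryptographic-asset" and \
                props.get("assetType") == "algorithm":
            verdicts[component["name"]] = classify(
                props.get("algorithmProperties", {}))
    return verdicts
```

The resulting verdict map is the starting point for a crypto-agility backlog: every "quantum-vulnerable" entry needs a hybrid or PQC replacement, while "symmetric" entries only need a parameter review.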
oneM2M
oneM2M’s architecture defines a common middleware technology in a horizontal layer between devices and communications networks and IoT applications. This standardises secure links between connected devices, gateways, communications networks and cloud infrastructure. The oneM2M SDS – System Design and Security working group is also responsible for security and privacy. The following non-exhaustive list highlights some specifications which define and describe security features in oneM2M:
- TS-0001 Functional Architecture
- TS-0003 Security Solutions
- TS-0016 Secure Environment Abstraction
- TS-0032 MAF and MEF Interface Specification (MAF = M2M Authentication Framework; MEF = M2M Enrolment Function)
ITU-T SG20 transposed oneM2M specifications in their Y.450x series. See also Y.oneM2M.SEC.SOL.
All specifications are openly accessible at https://www.onem2m.org/technical.
(C.2) Other activities related to standardisation
ECSO
The European Cyber Security Organisation (ECSO) represents the contractual counterpart to the European Commission for the implementation of the Cyber Security contractual Public-Private Partnership (cPPP).
WG1 focuses on standardisation, certification, labelling and supply chain management.
OIDF
Risk and incident sharing and coordination working group [RISC]
RISC (chartered 2015) provides data-sharing schemas, privacy recommendations and protocols to share information about important security events, in order to prevent attackers from using accounts compromised at one service provider to gain access at other service providers. RISC focuses on peer-to-peer sharing of information related to the state of individual accounts. http://openid.net/wg/risc/charter/
NIST
NIST works on cybersecurity standards, guidelines, best practices and other resources, primarily to meet the needs of US federal agencies and secondly those of the broader public and industry. Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, issued on May 12, 2021, assigns NIST (among other US agencies) two labelling efforts related to consumer Internet of Things (IoT) devices and consumer software, with the goal of encouraging manufacturers to produce, and purchasers to be informed about, products created with greater consideration of cybersecurity risks and capabilities. On 19 July, the US formally announced the launch of an IoT cybersecurity labelling programme called “US Cyber Trustmark”, to which NIST will contribute.
NIST has published guidance outlining security measures for critical software, guidelines recommending minimum standards for vendors’ testing of their software source code, preliminary guidelines for enhancing software supply chain security and additional guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria.
Other areas of work include critical infrastructure protection:
- Cyber-Physical Systems for Global Cities Project http://www.nist.gov/el/smartgrid/cpsforglobalcities.cfm
- Cybersecurity for Smart Grid Systems http://www.nist.gov/el/smartgrid/cybersg.cfm
- Cybersecurity for Smart Manufacturing Systems http://www.nist.gov/el/isd/cs/csms.cfm
- Development of New Cybersecurity http://www.nist.gov/itl/cybersecurity-framework-021313.cfm
- Reference Architecture for Cyber-Physical Systems Project Framework http://www.nist.gov/el/smartgrid/cpsarchitecture.cfm
NIST’s work on PQC is focused on organising internationally open competitions for the submission of PQC algorithms and their selection as candidates for standardisation, covering key exchange, digital signatures and threshold schemes for cryptographic primitives. At present, one algorithm for key encapsulation and two algorithms for digital signatures have been standardised, specifications for one additional digital signature algorithm are being written, reserve algorithms are being considered as additional potential standards for key agreement, and an additional on-ramp call for digital signatures is ongoing. A further open call on multi-party threshold cryptography is being finalised. The final version of this call (upcoming in 2025) will set a period for submissions, followed by a period of public analysis of the gathered reference material.
- Post-Quantum Cryptography (CSRC, nist.gov)
- Post-Quantum Cryptography FIPS Approved (CSRC, nist.gov)
- PQC Digital Signature Second Round Announcement (CSRC, nist.gov)
- Multi-Party Threshold Cryptography (CSRC, nist.gov)
NIST also publishes guidelines on the deprecation timeline for algorithms (NIST IR 8547, initial public draft, Transition to Post-Quantum Cryptography Standards) and on specific aspects of PQC implementation (NIST SP 800-227, initial public draft, Recommendations for Key-Encapsulation Mechanisms).
(C.3) Additional information
The Danish business community in May 2022 launched a data ethics and cybersecurity seal for companies. The seal aims to create transparency for consumers and help ambitious companies gain a competitive advantage.
In the Netherlands, the national government has selected a group of security specifications for its comply-or-explain policy (e.g. DNSSEC, DKIM, TLS, SPF, DMARC, STARTTLS, DANE, RPKI), and is actively using various adoption strategies to get the specifications implemented. An effective tool that was developed to drive adoption is the website www.internet.nl (available in English). Organisations and individuals can easily test whether websites offer support for modern Internet Specifications, and the code is open source.
Also in the Netherlands, a method to help improve secure software lifecycle management, including software development, was developed under the title Secure Software Framework (SSF). The framework is applied by software developers in innovative projects, where security of software is of the utmost importance. The framework was published by the Secure Software Alliance (SSA), a public-private program in which developers of software, end users, professional bodies, institutes for research and education and the Dutch Ministry of Economic Affairs and Climate cooperate to promote secure software and connect initiatives in this area. The SSF is part of the Roadmap for Digital Hard- and Software Security of the Ministry of Economic Affairs and Climate.
In September 2020 in the Netherlands, a public-private coalition called the Online Trust Coalition (OTC) was launched, with the original mission of providing an unambiguous, efficient method for cloud service providers to demonstrate that their services are reliable and secure. The OTC has made a significant contribution to the EUCS with a method to deliver irrefutable evidence of cloud resilience compliance by means of a standard audit approach. In line with this approach, the OTC has cooperated with the Dutch professional organisation of registered IT auditors to develop the IDRS (International Digital Reporting Standard). The IDRS is meant to demonstrate the existence and efficacy of IT controls, covering the six key areas of IT governance: digital transformation, cyber security, business continuity, data and ethics, sourcing, and privacy. The OTC is now working on methods to harmonise control regimes for a wide selection of legislation in the EU rulebook aimed at board-level responsibilities.
In addition, in the Netherlands, the Centre for Crime Prevention and Safety (the CCV) has launched several initiatives to strengthen cybersecurity for SMEs and service providers. Since 2021, the Risk Classification for Digital Security (RKIDV) has helped entrepreneurs assess risks and apply basic measures aligned with national guidance (DTC/NCSC). The RKIDV is accessible via the website of the Digital Trust Center. Based on the RKIDV, the CCV will introduce the ‘Digital Baseline Security for SMEs’ label, enabling ICT service providers to demonstrate compliance and support their clients. The CCV has also established certification schemes for cybersecurity services, including penetration testing, awareness training and incident response. The Dutch approach also allows service providers and certification bodies from outside the Netherlands to enter the market. Furthermore, the CCV manages the CYRA (Cyber Rating) method. CYRA-IT is already in use, offering a step-by-step maturity model towards ISO/IEC 27001 certification. CYRA-OT (based on IEC 62443) and CYRA-Health (based on NEN 7510) will follow by the end of 2025.
In Germany, the Federal Agency for Information Security (BSI) bases several national cyber-security standards (concerning both critical infrastructures and SMEs) on the ISO/IEC EN 270xx family, and the Federal Network Agency (BNetzA) mandates the use of ISO/IEC 27019 (with a few additional requirements in the national IT Security Catalogue) for grid network operators, with mandatory certification.
In Spain, the National Security Framework (ENS), updated in May 2022, is a collective, multidisciplinary, long-term national effort that has been running for 15 years. The ENS is based on current information security and cybersecurity standards. Implemented as a Royal Decree-based framework, it has been updated several times to align with national and European regulations, address emerging cybersecurity needs and trends, and enable adoption across specific sectors. Compliance is mandatory for all entities in the Spanish public sector, for private sector entities, domestic or foreign, that use their own information systems to provide services to the public sector, and also for entities in the supply chain of the latter, to the extent determined by a prior risk analysis, making it the most widespread legal model in Europe. Supported by successive National Cybersecurity Strategies and the transposition of the NIS Directive, the ENS stands out for its solid foundation and long-established track record. The ENS has proven to be a highly successful framework thanks to its strong linkage between security requirements, certified products and services, and procurement processes. This connection ensures that security measures are fully embedded into procurement, significantly strengthening the overall security posture of organisations. Through the link between the ENS, the Catalogue of Information and Communication Technology Security Products and Services (CPSTIC) and procurement, the ENS facilitates the use of European certification schemes, like the EUCC, and future ones, like the EUCS, arising from Regulation (EU) 2019/881, supported by its extensive experience and mandate in certifying products and services.
Thanks to its flexibility, principle of proportionality, maturity, extensive experience in auditing, certification, and monitoring, along with a comprehensive set of guidelines, tools, and sector-specific compliance profiles for the various NIS2 domains—and with more than 1,100 public and private entities already certified, including cloud service providers—the ENS is widely regarded as a robust framework that can serve as a European reference and a model for adoption by other Member States.
ENISA and the European Computer Security Incident Response Team (CSIRT) community have jointly set up a task force with the goal of reaching a consensus on a ‘Reference Security Incident Classification Taxonomy’. Following a discussion among the CSIRT community during the ‘51st TF-CSIRT meeting’ (15 May 2017 in The Hague, Netherlands), it was concluded that there is an urgent need for a taxonomy list and name that serves as a fixed reference for everyone. This is where the so-called ‘Reference Incident Classification Taxonomy Task Force’ comes into play. The aim of this task force is to enable the CSIRT community in reaching a consensus on a universal reference taxonomy. Additionally, the task force covers the following objectives:
- Develop a reference document
- Define and develop an update and versioning mechanism
- Host the reference document
- Organise regular physical meetings with stakeholders
The ENISA NCSS Interactive Map lists all the documents of National Cyber Security Strategies in the EU: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national-cyber-security-strategies-interactive-map
For PQC, in the Netherlands, the General Intelligence and Security Service (AIVD), TNO and Centrum Wiskunde & Informatica (CWI) have published a handbook for the migration to PQC (TNO-2024-pqc-en.pdf). The handbook is intended for the Dutch government, businesses, vital sectors and knowledge institutions that work with important information that is being encrypted, such as trade secrets.
The BSI in Germany has issued guidelines on how to implement the migration to a quantum-safe digital infrastructure (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.html; Migration). The recommendations encourage implementing hybrid solutions combining PQC with current asymmetric cryptography, starting with conservative choices for key exchange that ensure a high level of security even if performance is not optimal, using the already standardised hash-based signatures for firmware updates, testing the post-quantum signature schemes for authentication (Dilithium, Falcon, Sphincs+), and considering QKD only in combination with PQC.
France has issued guidelines recommending a transition plan in which PQC algorithms must be hybridised with well-known pre-quantum algorithms, and systems must be crypto-agile, i.e. able to update their cryptographic algorithms (anssi-avis-migration-vers-la-cryptographie-post-quantique.pdf).
ENISA has also issued reports on PQC, on an overview of the current state of affairs on the standardisation process of PQC (https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation ) and on the necessity to design new cryptographic protocols and integrate post-quantum systems into existing protocols (https://www.enisa.europa.eu/publications/post-quantum-cryptography-integration-study).