
Cybersecurity / network and information security (RP 2024)

(A.) Policy and legislation

A.1)   Policy objectives

The EU's Cybersecurity Strategy for the Digital Decade (JOIN/2020/18 final) aims to ensure a global and open Internet with strong guardrails to address the risks to the security and fundamental rights and freedoms of people in Europe. Building on the progress achieved under the previous strategies, it contains concrete proposals for deploying three principal instruments (regulatory, investment and policy instruments) to address three areas of EU action: (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace. Furthermore, cybersecurity must be integrated into all digital investments, particularly key technologies like Artificial Intelligence (AI), encryption and quantum computing, using incentives, obligations and benchmarks.

The NIS 2 Directive (Directive (EU) 2022/2555) lays down measures that aim to achieve a high common level of cybersecurity across the EU. To that end, the NIS 2 Directive lays down cybersecurity risk-management measures and reporting obligations for entities operating in critical and highly critical sectors. The obligation on entities to appropriately manage cybersecurity risks includes measures for supply chain security. Furthermore, the NIS 2 Directive provides for closer cooperation and capacity building among the Member States and the relevant entities. In order to promote a convergent implementation of the cybersecurity risk-management measures across the EU, Member States should encourage the use of European or international standards and technical specifications relevant to the security of network and information systems, without imposing or discriminating in favour of the use of a particular type of technology. The NIS 2 Directive amends the eIDAS Regulation and includes the requirements concerning cybersecurity risk-management and incident reporting for the trust service providers.

The EU Cybersecurity Act (Regulation (EU) 2019/881) established the European Cybersecurity Certification Framework in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and enabling a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services and ICT processes. The European cybersecurity certification framework provides a mechanism to establish European cybersecurity certification schemes and to attest that the ICT products, ICT services and ICT processes that have been evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data, or the functions or services offered by, or accessible via, those products, services and processes throughout their life cycle. As laid down in the mandate provided by the EU Cybersecurity Act, the European Union Agency for Cybersecurity (ENISA) can be requested to prepare candidate EU cybersecurity certification schemes. There is a close linkage between the tasks assigned to ENISA for that purpose and the Rolling Plan for ICT Standardisation. On 18 April 2023, the Commission proposed an amendment to the Cybersecurity Act, setting forth provisions for the adoption of certification schemes for managed security services.

Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks identifies a series of actions to support the development of a Union approach to ensuring the cybersecurity of 5G networks. The EU Toolbox on 5G cybersecurity (EU Toolbox), published in January 2020, aims to address risks related to the cybersecurity of 5G networks. It identifies and describes a set of strategic and technical measures, as well as corresponding supporting actions to reinforce their effectiveness, which may be put in place to mitigate the identified risks. One of the supporting actions focuses on supporting and shaping 5G standardisation.

As a result of the above mentioned policy initiatives, the European Commission has requested the European Union Agency for Cybersecurity (ENISA) to prepare a candidate EU cybersecurity certification scheme for the certification of ICT products based on Common Criteria (EUCC), of ICT cloud services (EUCS) and the certification of key 5G mobile network components and suppliers' processes (EU5G).

In September 2022, the European Commission presented a proposal for a Cyber Resilience Act (CRA), aiming to establish common essential security requirements for products with digital elements. The Cyber Resilience Act proposal would rely on harmonised standards to support implementation of the essential requirements it sets out, building on existing European and international standards.

Two proposed legislative initiatives, the AI Act and the revision of the eIDAS Regulation, both add to trust in digital services and may trigger further standardisation activities in support of managing the cybersecurity risks in the data building block.

The communication setting up ICT standardisation priorities for the Digital Single Market (DSM) identifies cybersecurity as a priority domain for Europe.

Council Resolution on Encryption (EU) 13084/1/20 was adopted in November 2020 with the aim of the EU “leveraging its tools and regulatory powers to help shape global rules and standards ... to enhance the EU's ability to protect itself against cyber threats, to provide for a secure communication environment, especially through quantum encryption, and to ensure access to data for judicial and law enforcement purposes.” The Resolution calls for joining forces with the technology industry, while associating research and academia, to ensure the continued implementation and use of strong encryption technology. It notes the need to develop a regulatory framework across the EU that enables authorities to use their investigative powers, subject to proportionality, necessity and judicial oversight under their domestic legislation, while respecting common European values, upholding fundamental rights and preserving the advantages of encryption. Possible solutions should be developed in a transparent manner in cooperation with national and international communication service providers and other relevant stakeholders, using technical solutions and standards.

Today, a substantial part of investigations against all forms of crime and terrorism involve encrypted information. Encryption is essential to the digital world, securing digital systems and transactions. It is an important tool for the protection of cybersecurity and fundamental rights, including freedom of expression, privacy and data protection. At the same time, it can also be used as a secure channel for perpetrators where they can hide their actions from law enforcement and the judiciary. The Commission will work with Member States to identify possible legal, operational, and technical solutions for lawful access and promote an approach, which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime and terrorism.

(A.2) EC perspective and progress report

The Communication on ICT standardisation priorities for the digital single market identified as challenges – among others – the increasing reliance of the economy on digital technologies, along with the complexity across the value chain in many of its applications, as well as access rights to standards that call for improved cooperation in the growing ecosystem of existing and emerging standardisation bodies and organisations. The EU Cybersecurity Strategy and Standardisation Strategy emphasise the need to foster broader multi-stakeholder participation and international cooperation in the area of standardisation in support of the resilience of the EU digital single market but also for reaping the benefits from the investments in standardisation and certification. Work towards addressing these challenges is ongoing.

The EU candidate cybersecurity certification schemes EUCC, EUCS (draft) and in particular EU5G (in preparation) exemplify the extensive body of standards used in conformity assessment and certification to improve, and make transparent, the effectiveness of the risk controls that apply to the use of ICT products, services and processes.

The Communication on ICT standardisation priorities for the digital single market resonates with the past policy instruments mentioned above for the priority domain cybersecurity, the “bedrock of trust and reliability”, with the following focus:

  • A very high quality of cybersecurity, as specified in standards, to be built into any new technology or service (“security-by-design”) helps to mainstream cybersecurity requirements into ICT products, services and processes as well as operators to manage their cybersecurity risks out-of-the-box and during the lifecycle by means of evaluation and certification methodologies as employed in EU cybersecurity certification schemes.
  • Communication-enabled distributed digital devices and services in IoT, AI and eIDAS require seamless and interoperable secure authentication and processing across all involved subjects and objects to enable secure and transparent access to, exchange and processing of data (“protection-by-design”).
  • Encouraging the coherent adoption of standardisation practices across the EU to support the cybersecurity risk-management and reporting obligations for essential and important entities, which are one of the key pillars of the NIS2 Directive.
  • Collaboration and multi-stakeholder governance remains key in standardisation as stressed in the EU Cybersecurity Strategy and EU Standardisation Strategy.

The essential cybersecurity requirements to be set out in the European Cyber Resilience Act (CRA) shall ensure adequate security protection for products with digital elements used by European citizens, businesses and critical infrastructures. The CRA and the standards underpinning its implementation will create synergies with the EU Cybersecurity Act, as the preparation of market-driven EU certification schemes has already started. As the next step, following the adoption of the CRA proposal, the Commission will prepare a formal standardisation request to support the implementation of the CRA.

European cybersecurity certification schemes will support the building blocks of ICT standard setting and will increasingly rely upon standardisation to establish and harmonise the cybersecurity functional and assessment requirements applied to cybersecurity certification.

Assessment and certification of ICT products, services and processes helps consumers make informed decisions and contributes to technological autonomy. Certification further helps identify such products and services on the basis of a solid assessment of the cybersecurity requirements by a proficient evaluator. Transparent standards and specifications for the definition and verification of cybersecurity requirements form the very foundation of the “cybersecurity-by-design-and-default” proposition the European Union aims for, including the continuous monitoring of the threat landscape for the purpose of aftermarket improvements to ICT already sold, and support with threat intelligence to remain resilient against the next wave of cyberattacks.

Further progress in technologies that are currently available to a limited set of users, such as quantum cryptography and artificial intelligence, could open up more ways to improve the European Union's cybersecurity, for instance through the application of quantum cryptography or machine learning respectively.

It is important that all levels of an organisation – particularly the strategic level, business owners and the management board - are aware of the need for standards and frameworks for cybersecurity. Moreover, between organisations that are partners in (vital) online chains, clear agreements will have to be made on the standards applicable to sectors. The need for security to be ensured throughout the lifetime of the ICT product, ICT service or ICT process by design and development processes that constantly evolve to reduce the risk of harm from malicious exploitation should also be considered in the context of relevant standardisation activities. It is therefore important to undergo an analysis of the existing standards that can mitigate the current risks and map the current and presumed future risks that still need to be addressed by specific standards.

‘Cybersecurity-by-design-and-default’, as embodied in European policy instruments such as certification schemes, together with the European Union's move towards resilience over the lifecycle of digital technologies, shows the way for standardisation activities. Collaboration at European and international level and broad participation in the multi-stakeholder ecosystem of standardisation further reinforce the European Union's cybersecurity posture.

The transparency of standards should not stop at the preparation phase but should extend to their accessibility, so that they reach and are adopted by the audience concerned. In particular, evaluation methodologies used in certification schemes should be quotable and available in machine-readable format.

(A.3) References
  • JOIN/2020/18 final – Joint Communication The EU's Cybersecurity Strategy for the Digital Decade
  • JOIN(2017) 450 final – Joint Communication on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU
  • JOIN(2013) 1 final – Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
  • Commission Recommendation (EU) 2019/553 of 3 April 2019 on cybersecurity in the energy sector (notified under document C(2019) 2400)
  • Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast)
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
  • Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union
  • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the EU (NIS Directive)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to personal data processing and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises - C/2017/6100
  • Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks - C/2019/2335
  • COM(2016)176 ICT Standardisation Priorities for the Digital Single Market
  • COM(2015)192 A Digital single market strategy for Europe
  • COM(2017)228 Communication on the Mid-Term Review on the implementation of the Digital Single Market Strategy - A Connected Digital Single Market for All and accompanying Staff Working Document SWD(2017)155
  • Cybersecurity of 5G networks - EU Toolbox of risk mitigating measures (01/2020)
  • COM/2020/795 Communication on A Counter-Terrorism Agenda for the EU: Anticipate, Prevent, Protect, Respond
  • COM/2021/206 Final Proposal For A Regulation Of The European Parliament And Of The Council Laying Down Harmonised Rules On Artificial Intelligence (Artificial Intelligence Act) And Amending Certain Union Legislative Acts
  • COM(2022) 454 final Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020
  • Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
  • The EU Toolbox on 5G cybersecurity, EU Toolbox of risk mitigating measures, NIS Cooperation Group, Cybersecurity of 5G networks, 29 January 2020

(B.) Requested actions

Action 1: ESOs to develop standards in support of the cybersecurity essential requirements set out in the Cyber Resilience Act. Furthermore, SDOs to develop standards and sectorial specifications for critical infrastructure protection in support of, and responding to, the requirements anticipated from the reviewed NIS2 Directive. Foster the application of the EN 62443 series (based on the IEC 62443 series) to firmly establish EU regulatory requirements for operational technology (OT) security, including critical infrastructures.

Action 2: SDOs to assess the content of existing standards and specifications applied under the European Cybersecurity Certification Framework in order to revise existing documents or create new standards. It should be ensured that these standards are gradually and timely made available to support any certification activity, particularly as the preparation and implementation of certification schemes on Common Criteria (EUCC), cloud services (EUCS) and 5G (EU5G) has come under the remit of ENISA. In particular, SDOs are encouraged to develop and harmonise standards related to the specification and assessment of security properties in ICT products and services (including cloud services), standards related to security in the processes of design, development, delivery and maintenance of an ICT product or service, and methodologies concerning assurance levels for industry sectors.

Action 3: SDOs to investigate and prepare harmonised evaluation methodologies of cybersecurity risks, controls and interfaces as required by EU policy instruments such as the Certification Framework of the EU Cybersecurity Act, the Cyber Resilience Act and others for their horizontal application into trusted products such as semiconductors, the European Digital Identity Wallet, and other digital technologies.

Action 4: SDOs to assess the standardisation needs of European cybersecurity policies, in particular the upcoming Cyber Resilience Act, but also in relation to other policy instruments such as the Machinery Directive, the Radio Equipment Directive or the machine learning component of the AI Act.

Action 5: SDOs to investigate requirements for secure and interoperable communication protocols for mobile and fixed networks of distributed devices and services that may in addition rely upon limited resources and interfaces. Requirements should address relevant mechanisms for authenticating, registering and processing user identities seamlessly across devices, services and applications.

Action 6: SDOs to assess the availability of standards and technical specifications in general or for business sectors relevant for the requirements relating to cybersecurity risk-management, including those pertaining to supply chain, incident notifications for entities in line with the NIS 2 Directive, or in support of the upcoming Cyber Resilience Act and other potential EU legislation, including as regards certification schemes as defined in the Cybersecurity Act.

Action 7: SDOs to assess gaps and develop standards on cybersecurity of products in support of possible certification schemes completed under the European Cybersecurity Act and in support of the upcoming Cyber Resilience Act.

Action 8: SDOs to explore options for the composition and matching of assurance statements as issued under the Certification Framework of the Cybersecurity Act also in conjunction to the provisions of related EU regulatory instruments like the Cyber Resilience Act, the NIS2 Directive or the new eIDAS regulation.

Action 9: SDOs should foster/establish cooperation with the European Cybersecurity Competence Centre (ECCC) and the National Coordination Centres in order to facilitate the uptake of results from current research and outputs from the funding programmes Horizon Europe and Digital Europe.

Action 10: SDOs to assess gaps and develop standards in support of trust services under the NIS2 Directive and other possible instruments of EU law.

Action 11: ESOs to work with global SDOs and the open source community to identify available or ongoing technologies of relevance for supporting EU regulation, in particular the upcoming EU Cyber Resilience Act.

(C.) Activities and additional information

(C.1) Related standardisation activities
CEN & CENELEC

CEN-CLC/JTC 13 'Cybersecurity and Data Protection' focuses on Information Technology (IT) and develops European standards for data protection, information protection and security techniques, including: organisational frameworks and methodologies; IT management systems; data protection and privacy guidelines; process and product evaluation schemes; ICT security and physical security technical guidelines; smart technology, objects, distributed computing devices, data services, product security, and support to the EU 5G certification scheme, the Radio Equipment Directive (Directive 2014/53/EU) and the Cyber Resilience Act. The ISO/IEC 27000 series, the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) and the Common Methodology for Information Technology Security Evaluation (ISO/IEC 18045) are adopted as European Standards by this Joint Technical Committee. CEN-CLC/JTC 13 has established a dedicated Special Working Group on the Cyber Resilience Act (CEN/CLC/JTC 13/WG 9) to start preparation for the standardisation needs of the CRA. This working group builds on the experience of the Special Working Group on the RED Standardisation Request (CEN/CLC/JTC 13/WG 8).

CLC/TC 65X 'Industrial-process measurement, control and automation' coordinates the preparation of European Standards for industrial process measurement, control and automation (e.g. EN IEC 62443-4-1 Security for industrial automation and control systems – Secure product development lifecycle requirements). The EN IEC 62443 series address Operational Technology (OT) found in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare and transport systems. These are sectorial standards, which can also be applied across many technical areas.

CLC/TC 9X provides standards on electrical and electronic systems, equipment and software for use in railway applications. CLC/TS 50701 ‘Railway applications – Cybersecurity’ provides a specification that can be used to demonstrate that a system is secured against cyber attack, has set Target Security Levels and achieves them during operation and maintenance. Technical Committee IEC TC 9 ‘Electrical equipment and systems for railways’ develops international standards for the railway field, which includes rolling stock, fixed installations and management systems (including supervision, information, communication, signalling and processing systems) for railway operation. Project team 63452 ‘Railway applications – Cybersecurity’ is currently developing a standard that maps and adapts IEC 62443 requirements to the railway application domain and its operational environment.

Cybersecurity standards are also being developed in several vertical sectors, for example: CEN/TC 301 'Road Vehicles', CEN/TC 377 'Air-traffic management', CLC/TC 9X 'Electrical and electronic applications for railways', CLC/TC 57 'Power systems management and associated information exchange', CEN-CLC/JTC 19 'Blockchain and Distributed Ledger Technologies', CEN/TC 224 'Personal identification and related personal devices', CLC/TC 45AX 'Instrumentation, control and electrical power systems of nuclear facilities'. 

ETSI

TC CYBER is the ETSI centre of expertise for cybersecurity and produces standards for the cybersecurity ecosystem, consumer IoT/devices, protection of personal data and communication, network security, cybersecurity tools and guides, and in support of EU legislation (GDPR, CSA, RED, NIS/NIS2) (details in the CYBER Roadmap). TC CYBER work already supports Actions 2, 4 and 7 with EN 303 645 and complementary deliverables on consumer IoT devices, and Action 2 with TS 103 732, a protection profile for consumer mobile devices that is being submitted for certification against Common Criteria to assist manufacturers in the security certification of their products (TC CYBER publications and TC CYBER work programme).

TC CYBER QSC works on Quantum-Safe Cryptography with a focus on the practical implementation of quantum-safe primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications.
Work covers the migration towards a post-quantum world (TR 103 619) and extending that knowledge to other sectors to assist in migration (e.g. for ITS in the development of DTR/CYBER-QSC-0018) and the specification of Quantum-Safe Hybrid Key Exchanges.

ISG QKD (Quantum Key Distribution): works to support the industrialisation of QKD technology to secure ICT networks.
Its publications cover requirements for security proofs of QKD protocols and authentication, precise characterisation of QKD modules and components, and approaches to integrate QKD into networks. Work considers the security of system implementations and aims to assist the certification of QKD systems using the Common Criteria.

ISG MEC (Multi-access Edge Computing):  led the publication of a White Paper on “MEC security: Status of standards support and future evolutions” written by several authors participating in ETSI ISG MEC, ETSI ISG NFV SEC and ETSI TC CYBER. The work identified aspects of security where the nature of edge computing leaves typical industry approaches to cloud security insufficient. As a follow-up, the MEC group started a related study on MEC Security in (ETSI GR MEC041).

ETSI also works on other specific security topics including the security of mobile communications including the 5G network equipment security assurance specifications (3GPP SA3), network functions virtualisation (ETSI NFV ISG), intelligent transport systems (ITS WG5), digital enhanced cordless telecommunications (DECT™), M2M/IoT communications (oneM2M published standards, latest drafts), reconfigurable radio systems (ETSI TC RRS), IPv6 based secure internet protocol best practices, IPv4 sunsetting guidelines (ETSI ISG IPE) and emergency telecommunications (including terrestrial trunked radio (TETRA)), secure element technologies (TC SET) and electronic signatures and trust service providers with a set of standards for the certification of trust services TC ESI (ESI activities).

More recently ISG ETI (Encrypted Traffic Integration) has been expanding development of the Zero Trust Architecture to address the problems cited in ETSI GR ETI 001.

IEC

Technical Committee IEC/TC 65 'Industrial-process measurement, control and automation' develops International Standards for systems and elements used for industrial-process measurement and control concerning continuous and batch processes.

Working Group IEC/TC 65/WG 10 'Security for industrial process measurement and control - network and system security' is responsible for the IEC 62443 series on Industrial communication networks, which addresses the prevention of illegal or unwanted penetration, intentional or unintentional interference with the proper and intended operation, or inappropriate access to confidential information in industrial automation and control systems.

IEC 62443-4-2:2019 'Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components' was published in 2019 and IEC 62443-3-2:2020 'Security for industrial automation and control systems - Part 3-2: Security risk assessment and system design' was published in 2020. Edition 2 of IEC 62443-2-1 'Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners' was published in 2024.

In Europe, IEC/TC 65 is mirrored by CLC/TC 65X 'Industrial-process measurement, control and automation'. This CENELEC standardisation work is carried out for equipment and systems, and closely coordinated with IEC/TC 65.

Technical Committee IEC/TC 57 'Power systems management and associated information exchange' is responsible for the IEC 62351 standards series 'Power systems management and associated information exchange - Data and communications security'. The different security objectives of this series include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.

IECEE/CAB

Conformity Assessment (CA) is any activity, which results in determining whether a product or other object corresponds to the requirements contained in a standard or specification. The IEC runs four CA systems, each of which operates Schemes based on third-party conformity assessment certification. They establish that a product is reliable and meets expectations in terms of performance, safety, efficiency, durability, etc. This is especially crucial for Cybersecurity.

IECEE, the IEC system for Conformity Assessment Schemes for Electrotechnical Equipment and Components, which issues internationally recognized certification on Cybersecurity, operates the CB scheme, facilitating cooperation among accepted National Certification Bodies (NCBs) worldwide. NCBs perform market surveillance functions, which ensure that the overall production line is constantly compliant with the initial testing/certification.

The IECEE Full Certification Scheme is an extension of the IECEE CB Scheme in which initial and/or periodic surveillance of production is performed. The Scheme provides evidence that each certified product offers the same quality/safety level as the type-tested sample.

The CAB (Conformity Assessment Board) is responsible for setting the IEC's conformity assessment policy, promoting and maintaining relations with international organizations on conformity assessment matters.

OASIS

The OASIS Cyber Threat Intelligence (CTI) TC defines a set of information representations and protocols to support automated information sharing for cybersecurity situational awareness, real-time network defence, and sophisticated threat analysis. The Structured Threat Information eXpression (STIX) language provides a common set of descriptors for security threats and events. The Trusted Automated Exchange of Indicator Information (TAXII) specification provides common message exchange patterns.
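As an added example (not code from this page, from OASIS or from the CTI TC), the following stdlib-only Python shows what the STIX descriptors look like in practice: it builds a STIX 2.1 Indicator, wraps it in a Bundle, applies the structural checks a consumer should run before trusting a received object (required properties, `<type>--<UUID>` identifiers, RFC 3339 UTC timestamps), and then uses the observable value carried in the indicator pattern to scan a few firewall log lines. The `SAMPLE_LOGS` lines, the indicator name and the address 198.51.100.7 are constructed for this example; the pattern parser deliberately accepts only the single-comparison subset of the STIX patterning language, which is a simplification of this example and not a limit of the standard.

```python
"""Minimal STIX 2.1 indicator bundle: build, validate, and apply to log lines (stdlib only)."""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX identifiers have the form "<type>--<UUID>".
_STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# STIX timestamps are RFC 3339 in UTC with a "Z" suffix and optional fractional seconds.
_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z$")
# Simplification of this example: only single-comparison patterns such as
# [ipv4-addr:value = '198.51.100.7'] are parsed; boolean operators are out of scope.
_SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'\]$")

REQUIRED = {
    "indicator": ("type", "spec_version", "id", "created", "modified",
                  "pattern", "pattern_type", "valid_from"),
    "bundle": ("type", "id", "objects"),
}


def stix_now() -> str:
    """Current UTC time in STIX format with millisecond precision."""
    dt = datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(pattern: str, name: str, valid_from: str,
                   indicator_types=("malicious-activity",)) -> dict:
    """Producer side: a STIX 2.1 Indicator SDO with the required properties filled in."""
    now = stix_now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": list(indicator_types),
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": valid_from,
    }


def make_bundle(objects) -> dict:
    """A STIX Bundle is just a typed container with its own id and a list of objects."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate(obj: dict) -> list:
    """Consumer side structural checks; an empty list means no problems were found."""
    otype = obj.get("type")
    if otype not in REQUIRED:
        return [f"unsupported object type {otype!r}"]
    problems = [f"{otype}: missing required property {k!r}"
                for k in REQUIRED[otype] if k not in obj]
    oid = str(obj.get("id", ""))
    if not (_STIX_ID.match(oid) and oid.startswith(otype + "--")):
        problems.append(f"{otype}: malformed id {oid!r}")
    for key in ("created", "modified", "valid_from"):
        if key in obj and not _TS.match(str(obj[key])):
            problems.append(f"{otype}: {key} is not a STIX timestamp")
    if otype == "indicator" and not _SIMPLE_PATTERN.match(str(obj.get("pattern", ""))):
        problems.append("indicator: pattern is not a supported single-comparison pattern")
    if otype == "bundle":
        for child in obj.get("objects", []):
            problems.extend(validate(child))
    return problems


def indicator_hits(indicator: dict, log_lines) -> list:
    """Return the log lines containing the observable value named in the indicator pattern."""
    match = _SIMPLE_PATTERN.match(indicator["pattern"])
    if not match:
        raise ValueError("only single-comparison STIX patterns are supported here")
    _obj_type, _prop, value = match.groups()
    return [line for line in log_lines if value in line]


# Constructed firewall log lines (documentation-range addresses, not real traffic).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z fw01 ACCEPT src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2024-03-01T10:00:07Z fw01 ACCEPT src=10.0.0.12 dst=198.51.100.7 dport=8443",
    "2024-03-01T10:00:09Z fw01 DROP src=198.51.100.7 dst=10.0.0.1 dport=22",
]


def demo():
    """Build a bundle with one indicator, validate it, and run it over SAMPLE_LOGS."""
    indicator = make_indicator("[ipv4-addr:value = '198.51.100.7']",
                               "Constructed C2 address", "2024-03-01T00:00:00Z")
    bundle = make_bundle([indicator])
    return bundle, validate(bundle), indicator_hits(indicator, SAMPLE_LOGS)


if __name__ == "__main__":
    bundle, problems, hits = demo()
    print(json.dumps(bundle, indent=2))
    print("validation problems:", problems)
    print("matching log lines:", len(hits))
```

Running the module prints the bundle as JSON, the (empty) list of validation problems and the number of matching log lines. The point to take from it is that the indicator travels as a self-describing object, so the matching logic never needs to know which TAXII server or partner the bundle came from; a production consumer would replace the checks here with the STIX 2.1 JSON schemas or the `stix2` library and a full pattern engine for compound patterns.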

The OASIS Open Services for Lifecycle Collaboration (OSLC) project issues tools and specifications to support shared software configuration and change management, under open source licenses and using W3C Linked Data methods. In 2023 OSLC issued OSLC Configuration Management v1.0, an RDF vocabulary and a set of REST APIs for managing versions and configurations of linked data resources from multiple domains, and OSLC Tracked Resource Set v3.0, methods to track additions to and removals from a set of resources, components or code sets, as well as to track state changes.

The OASIS OpenEoX technical committee will publish a unified, machine-readable approach to managing and sharing End-of-Life (EOL) and End-of-Support (EOS) information for commercial and open source software and hardware. Shareable, interoperable and widely-consumable notices of this kind will power and simplify widespread software security management frameworks.

OASIS' Computing Ecosystem Supply-Chain (CES-TC) committee defines a multi-tier, cross-vendor supply chain data sharing system, using data schemas and ontologies, APIs, and smart contracts, to enable planning, enhanced visibility, enhanced resilience, and deeper traceability in order to build trusted, secure, and sustainable products and services. Digital transformation is driving more industries to build intelligent systems, using harmonized and sustainable supply chain methods to maintain resilient capacity for secure, trusted hardware and software.

The OASIS Heimdall Data Format (OHDF) committee is establishing standard data formats for exchanging normalized security data between cybersecurity tools (which today often each emit different notices, warnings and identifiers), to allow for ease of mapping and enrichment of security data to relevant compliance standards such as GDPR, PCI-DSS, etc.

The OASIS Defending Against Disinformation Common Data Model (DAD-CDM) project applies cybersecurity methods to detect, track and mitigate information quality issues. The project will extend existing object models and defence methods, including the STIX standard, to address misinformation, domestic and foreign manipulation and interference influence operations, and online harm campaigns. Defence in this context includes enabling effective remediation in real time, as well as building strategies, plans and capabilities to manage information quality risks.

The OASIS Open Command and Control (OpenC2) TC provides a suite of specifications to administer command and control of cyber defence functions distributed across multiple systems. A JSON Abstract Data Notation (JADN) Version 1.0 specification was published in August 2021.

The Collaborative Automated Course of Action Operations (CACAO) for Cybersecurity TC provides a standard to describe the prevention, mitigation, and remediation steps of a course of action ("playbooks") in a structured machine-readable format that can be shared across organizational boundaries and technology solutions. The CACAO Security Playbooks v1.0 specification was published in January 2021.

The OASIS Common Security Advisory Framework (CSAF) TC provides standard structured machine-readable formats for security vulnerability-related advisories based on existing industry practice. The TC delivered the CSAF Common Vulnerability Reporting Framework (CVRF) V1.2 in 2017 and published version 2.0 of the framework in 2022.

The OASIS Threat Actor Context (TAC) TC establishes a common knowledge framework that enables semantic interoperability of threat actor contextual information. This framework allows organizations to strategically correlate and analyze attack data, which could lead to a better understanding of their adversary's goals, capabilities, and trends in targeting and techniques. Updated versions 2.1 of STIX and TAXII were published in June 2021.

The Open Cybersecurity Alliance OASIS Open Project aims to bring together vendors and end users in an open cybersecurity ecosystem where products can freely exchange information, insights, analytics, and orchestrated response. The OCA supports commonly developed code and tooling and the use of mutually agreed upon technologies, data standards, and procedures.

ISO/IEC JTC 1

Technical Committee ISO/IEC JTC 1/SC 27 'Information security, cybersecurity and privacy protection' produces the International Standards for the protection of electronic information assets and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

  • Security requirements capture methodology;
  • Management of information and ICT security; in particular information security management systems, security processes, and security controls and services;
  • Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
  • Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
  • Security aspects of identity management, biometrics and privacy;
  • Conformance assessment, accreditation and auditing requirements in the area of information security management systems;
  • Security evaluation criteria and methodology.

Included in the 198 published International Standards are the ISO 27000 Information Security Management Standards series as well as the Common Criteria for Information Technology Evaluation ISO/IEC 15408 and the Common Methodology for Information Technology Evaluation ISO/IEC 18045.

http://www.iso.org/iso/iso_technical_committee?commid=45306

ITU-T

ITU-T SG2 developed a new Supplement on Countering Spoofing (E.sup.spoofing to E.157). Its purpose is not the development of anti-fraud and identity verification platforms, but rather it provides information that could assist in implementing measures to counter spoofing. It should be noted that Calling Party Number authentication mechanisms are not a global solution against fraud or spoofing, the study of which is covered in various technical standardization bodies.
https://www.itu.int/ITU-T/workprog/wp_item.aspx?isn=15044

ITU-T SG17 (Security) develops globally harmonized standards on telecommunication and information security, application security, cyberspace security, identity management and authentication, and data security including privacy-preserving technologies such as de-identification and multi-party computation. On application security, ITU-T SG17 works specifically on software defined networking, cloud computing, intelligent transport systems, distributed ledger technologies, quantum key distribution networks etc. Nearly 300 ITU-T Recommendations have been developed, including the security Recommendations under the ITU-T X-series.

More info: http://itu.int/ITU-T/go/tsg17

http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=17

ITU-T SG20 under question Q6/20 studies aspects related to Security, privacy, trust and identification for IoT and SC&C. ITU-T SG20 approved Recommendation ITU-T Y.4805 “Identifier service requirements for the interoperability of Smart City applications”, Recommendation ITU-T Y.4459 “Digital entity architecture framework for IoT interoperability”, Recommendation ITU-T Y.4807 “Agility by design for Telecommunications/ICT Systems Security used in the Internet of Things”, Recommendation ITU-T Y.4808 “Digital entity architecture framework to combat counterfeiting in IoT”, Recommendation ITU-T Y.4809 “Unified IoT Identifiers for intelligent transport systems”, Recommendation ITU-T Y.4810 “Requirements of data security for the heterogeneous IoT devices”, Recommendation ITU-T Y.4811 “Reference framework of converged service for identification and authentication for IoT devices in decentralized environment” and Recommendation ITU-T Y.4500.3 “oneM2M – Security solutions”.

ITU-T SG20 is working on draft Recommendation “Functional requirements and architecture of access control service of IoT platform enabled by zero trust technology in decentralized environments” (Y.IoT-acs-fra), draft Recommendation “Reference framework of cybersecurity risk management of IoT ecosystems on smart cities” (Y.IoT-Smartcity-Risk), draft Technical Report “Requirements and capability framework for identification management service of IoT device” (YSTR.IoT-IMS) and draft Technical Report “Intelligent Anomaly Detection System for IoT” (Intelligent Anomaly Detection System for IoT).

More info: https://itu.int/go/tsg20

ITU-T SG11 focuses on the security of existing protocols, including revision of the SS7 stack and its impact on digital financial services (DFS). Following the Member States' demands on dealing with the spoofing of the calling party number, SG11 revised ITU-T Q.731.3, which specifies an exceptional procedure for a transit exchange connected to CPE (Customer Premises Equipment) with the purpose of providing a predefined calling party number by the originating operator. ITU-T SG11 assumes that all calling party numbers delivered in the telecommunications network should be generated or verified by an operator.

The security of existing signalling protocols is the cornerstone of the trust between a financing entity and its customer, as the ICT network is used to provide access to customers' bank accounts. SG11 approved Technical Report QSTR-SS7-DFS "SS7 vulnerabilities and mitigation measures for digital financial services transactions" and Technical Report QSTR-USSD (2021) "Low resource requirement, quantum resistant, encryption of USSD messages for use in financial services".

ITU-T SG11 continues its studies on the implementation of security measures at the signalling level in order to cope with different types of attacks on existing ICT infrastructure and services (e.g. OTP intercept, call intercept, number spoofing, robocalls, etc.).

SG11 approved a stack of standards defining this approach:

  • Recommendation ITU-T Q.3057 “Signalling requirements and architecture for interconnection between trustable network entities”;
  • Recommendation ITU-T Q.3062 “Signalling procedures and protocols for enabling interconnection between trustable network entities in support of existing and emerging networks”;
  • Recommendation ITU-T Q.3063 “Signalling procedures of calling line identification authentication”.

SG11 is developing the new draft Recommendation ITU-T Q.TSCA "Procedure for issuing digital certificates for signalling security".

SG11 organized a series of events on signalling security.

More info: https://itu.int/go/SIG-SECURITY

ITU-T SG13 is carrying out work on trust in telecommunications.

W3C

W3C runs several groups in the area of Security:

  • Web Cryptography working group, which is defining an API that lets developers implement secure application protocols for web applications, including message confidentiality and authentication services, by exposing trusted cryptographic primitives from the browser.
  • Web Application Security "WebAppSec" working group, which is developing standards to ensure that web applications are delivered free from spoofing, injection, and eavesdropping.
  • Hardware-based secure services community group, which analyses use-cases where browser (and web application)'s developers could benefit from secure services in the field of cryptographic operation, citizen identity and payment to native applications.
  • Web Bluetooth community group, which is developing a specification for Bluetooth APIs to allow websites to communicate with devices in a secure and privacy-preserving way.
  • Web NFC community group, which is creating a near field communication API that is browser-friendly and adheres to the web's security model.

https://www.w3.org/Security

IEEE

IEEE has standardisation activities in the cybersecurity/network and information security space and also addresses anti-malware technologies, encryption, fixed and removable storage, and hard copy devices, as well as applications of these technologies for smart grids or in healthcare.

IEEE standards for Secure Computing include:

  • IEEE 2952, Secure Computing Based on Trusted Execution Environment
  • IEEE P2834, Secure and Trusted Learning Systems
  • IEEE P3167, Secure Biometrics Device Interface
  • IEEE P3169, Security Requirement of Privacy-Preserving Computation

IEEE Standards for cryptographic and data authentication procedures for storage devices include:

  • IEEE 1619, Cryptographic Protection of Data in Block-Oriented Storage Devices
  • IEEE 1619.1, Authenticated Encryption with Length Expansion for Storage Devices
  • IEEE 1619.2, Wide-Block Encryption for Shared Storage Media
  • IEEE 2883, Sanitizing Storage

For securing wired LANs, WG 802.1 of the IEEE LAN/MAN Standards Committee has developed the IEEE 802.1AE standard, which defines a Layer 2 security protocol called Media Access Control Security (MACsec) that provides point-to-point security on Ethernet links between nodes.

IEEE actively develops security standards for healthcare and medical devices as well as wearables.

  • IEEE 11073-40101 defines processes for vulnerability assessment as part of the medical device interoperability series of standards.
  • The IEEE 2621 family of standards addresses wirelessly connected diabetes devices.

IEEE P2989 focuses on Authentication in Multi-Server Environments.

IEEE 1609.2.1 specifies certificate management protocols to support the provisioning and management of digital certificates for end entities, that is, actors that use digital certificates to authorize application activities according to IEEE Std 1609.2(TM).

IEEE SA is taking a holistic view on cybersecurity and initiated several critical pre-standardisation Industry Connections programs in this area:

  • IC20-011 IoT Ecosystem Security
  • IC20-021 Meta Issues in Cybersecurity
  • IC21-001 Cybersecurity in Agile Cloud Computing

A new area of work focused on “Human Augmentation” is also working on issues such as security, privacy and identity: IEEE P2049.2, Standard for Human Augmentation: Privacy and Security and IEEE P2049.3, Standard for Human Augmentation: Identity.

The IEEE Computer Society AI Standards committee is working on IEEE P2986, Recommended Practice for Privacy and Security for Federated Machine Learning.

The “Privacy and Security Architecture for Consumer Wireless Devices” Working Group standardizes a privacy and security architecture for wireless consumer devices (P1912).

IEEE standards for security in the Energy Sector include:

  • IEEE C37.240, Cyber Security Requirements for Substation Automation, Protection and Control Systems
  • IEEE 1402, Physical Security of Electric Power Substations
  • IEEE 1686, Intelligent Electronic Devices Cyber Security Capabilities
  • IEEE 1711, Cryptographic Protocol for Cyber Security of Substation Serial Links
  • IEEE 2030.102.1, Interoperability of Secure IP Protocols Utilized within Utility Control Systems

For more information visit https://ieee-sa.imeetcentral.com/eurollingplan/

IETF

The IETF working groups active in this area are organised as follows:

The IETF Security Area is the home for working groups focused on security protocols. They provide one or more of the security services: integrity, authentication, non-repudiation, confidentiality, and access control. Since many of the security mechanisms needed to provide these security services employ cryptography, key management is also vital.

The Security Area intersects with all other IETF Areas, and the participants are frequently involved with activities in the working groups from other areas. This involvement focuses upon practical application of Security Area protocols and technologies to the protocols of other Areas.

The full list of IETF Working Groups in the Security Area is available here: https://datatracker.ietf.org/wg#sec

https://wiki.ietf.org/en/group/iab/Multi-Stake-Holder-Platform#h-302-cybersecurity-network-and-information-security

3GPP

SA WG3 is responsible for security and privacy in 3GPP systems, determining the security and privacy requirements, and specifying the security architectures and protocols. The WG also ensures the availability of cryptographic algorithms which need to be part of the specifications.

http://www.3gpp.org/specifications-groups/sa-plenary/sa3-security

ECMA

Secure ECMAScript (SES) is a runtime environment for running ECMAScript (JavaScript) strict-mode code under object-capability (ocap) rules. ECMA Technical Committee TC39 maintains and updates the general purpose, cross platform, vendor-neutral programming language ECMAScript (JavaScript).

oneM2M

oneM2M’s architecture defines a common middleware technology in a horizontal layer between devices and communications networks and IoT applications. This standardizes secure links between connected devices, gateways, communications networks and cloud infrastructure. The oneM2M SDS – System Design and Security working group is also responsible for security and privacy. The following non-exhaustive list highlights some specifications which define and describe security features in oneM2M:

  • TS-0001 Functional Architecture
  • TS-0003 Security Solutions
  • TS-0016 Secure Environment Abstraction
  • TS-0032 MAF and MEF Interface Specification (MAF = M2M Authentication Framework; MEF = M2M Enrolment Function)

ITU-T SG20 transposed oneM2M specifications in their Y.450x series. See also Y.oneM2M.SEC.SOL.

All specifications are openly accessible at https://www.onem2m.org/technical.

(C.2) Other activities related to standardisation

ECSO

The European Cyber Security Organisation (ECSO) represents the contractual counterpart to the European Commission for the implementation of the Cyber Security contractual Public-Private Partnership (cPPP).

WG1 focuses on standardisation, certification, labelling and supply chain management.

https://www.ecs-org.eu/

ECSO WG1 has published the State of the Art Syllabus (SOTA) (December 2017), which lists all standards and specifications related to cyber security. The SOTA document gives a good overview of cyber security standards, initiatives and certification schemes, both at the European and international level (including national elements), for assessment and certification of items.

https://www.ecs-org.eu/documents/uploads/updated-sota.pdf

OIDF

Risk and incident sharing and coordination working group [RISC]

RISC (chartered 2015) provides data sharing schemas, privacy recommendations and protocols to share information about important security events in order to thwart attackers from using compromised accounts with one service provider to gain access with other service providers. RISC focuses on peer-to-peer sharing of information related to the state of individual accounts.

http://openid.net/wg/risc/charter/

NIST

NIST works on cybersecurity standards, guidelines, best practices, and other resources to first of all meet the needs of federal agencies and secondly the broader public as well as industry. The Executive Order (EO) 14028 on Improving the Nation's Cybersecurity, issued on May 12, 2021, assigns NIST (among other US agencies) to work on two labelling efforts related to consumer Internet of Things (IoT) devices and consumer software, with the goal of encouraging manufacturers to produce, and purchasers to be informed about, products created with greater consideration of cybersecurity risks and capabilities. On 19 July, the US formally announced the launch of an IoT cybersecurity labelling programme called "U.S. Cyber Trust Mark", to which NIST will be contributing.

NIST has published guidance outlining security measures for critical software, guidelines recommending minimum standards for vendors' testing of their software source code, preliminary guidelines for enhancing software supply chain security and additional guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria.

Other areas of work include critical infrastructure protection:

Cyber-Physical Systems for Global Cities Project http://www.nist.gov/el/smartgrid/cpsforglobalcities.cfm

Cybersecurity for Smart Grid Systems http://www.nist.gov/el/smartgrid/cybersg.cfm

Cybersecurity for Smart Manufacturing Systems http://www.nist.gov/el/isd/cs/csms.cfm

Development of New Cybersecurity http://www.nist.gov/itl/cybersecurity-framework-021313.cfm

Reference Architecture for Cyber-Physical Systems Project Framework http://www.nist.gov/el/smartgrid/cpsarchitecture.cfm

(C.3) Additional information

The Danish business community in May 2022 launched a data ethics and cybersecurity seal for companies. The seal aims to create transparency for consumers and help ambitious companies gain a competitive advantage.

In the Netherlands, the national government has selected a group of security specifications for its comply-or-explain policy (e.g. DNSSEC, DKIM, TLS, SPF, DMARC, STARTTLS, DANE, RPKI), and is actively using various adoption strategies to get the specifications implemented. An effective tool that was developed to drive adoption is the website www.internet.nl (available in English). Organisations and individuals can easily test whether websites offer support for modern Internet Specifications, and the code is open source.

Also in the Netherlands, a method to help improve secure software lifecycle management, including software development, was developed under the title Secure Software Framework (SSF). The framework is applied by software developers in innovative projects, where security of software is of the utmost importance. The framework was published by the Secure Software Alliance (SSA), a public-private program in which developers of software, end users, professional bodies, institutes for research and education and the Dutch Ministry of Economic Affairs and Climate cooperate to promote secure software and connect initiatives in this area. The SSF is part of the Roadmap for Digital Hard- and Software Security of the Ministry of Economic Affairs and Climate.

In September 2020 in the Netherlands, a public-private coalition called the Online Trust Coalition (OTC) was launched, with the purpose of providing an unambiguous, efficient method for cloud service providers to demonstrate that their services are reliable and secure, and by doing so to help implement the relevant laws and regulations (e.g. the EU Cybersecurity Act).

In Germany, the Federal Agency for Information Security (BSI) bases several national cybersecurity standards (concerning both critical infrastructures and SMEs) on the ISO/IEC EN 270xx family, and the Federal Network Agency (BNetzA) mandates the use of ISO/IEC 27019 (with a few additional requirements in the national IT Security catalogue) for grid network operators, with mandatory certification.

In Spain, the National Security Framework (ENS), updated in May 2022, is based on current information security and cybersecurity standards. The ENS promotes the procurement, under the principle of proportionality, of those products and services which have certified security functionality, considering the availability in the near future of the EUCC and the EUCS. In addition, the protection of cloud services in the ENS also refers to the requirement of security certification in view of the coming EUCS.

ENISA and the European Computer Security Incident Response Team (CSIRT) community have jointly set up a task force with the goal of reaching a consensus on a 'Reference Security Incident Classification Taxonomy'. Following a discussion among the CSIRT community during the '51st TF-CSIRT meeting' (15 May 2017 in The Hague, Netherlands), it was concluded that there is an urgent need for a taxonomy list and name that serves as a fixed reference for everyone. This is where the so-called 'Reference Incident Classification Taxonomy Task Force' comes into play. The aim of this task force is to enable the CSIRT community to reach a consensus on a universal reference taxonomy. Additionally, the task force covers the following objectives:

  • Develop a reference document
  • Define and develop an update and versioning mechanism
  • Host the reference document
  • Organise regular physical meetings with stakeholders

The ENISA NCSS Interactive Map lists all the documents of National Cyber Security Strategies in the EU: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national-cyber-security-strategies-interactive-map