Strengthening cybersecurity through standardisation: The proposed Cyber Resilience Act

As the digital landscape continues to evolve, the need for robust cybersecurity measures becomes increasingly paramount. With cyber threats growing in sophistication and frequency, the establishment of standardised practices has become essential for the enhancement of cyber resilience.

This article explores the importance of standardisation in the realm of cybersecurity in view of the implementation of the proposed Cyber Resilience Act (CRA).

Additionally, a call for proposals for EU action grants on standardisation in the area of cybersecurity, under the Digital Europe Programme (DIGITAL), has been opened. It has invited stakeholders (notably European standardisation bodies and conformity assessment bodies), industry players, and relevant actors that play a role in the European standardisation process and in the implementation of the CRA and Cybersecurity Act, to secure funding to enhance standardisation efforts which can bolster awareness and engage stakeholders in shaping a secure digital future.

Importance of standardisation in cybersecurity

Standardisation plays a crucial role in cybersecurity as it provides a common framework and guidelines for organisations and individuals to follow. It establishes a baseline of best practices that ensure consistent protection against cyber threats. Standardised approaches simplify security implementation, improve interoperability, and may enhance the overall effectiveness of cybersecurity measures.

The CRA is a proposed regulation aimed at strengthening cybersecurity across various sectors.

Its main purpose is to introduce cybersecurity requirements for the development of secure hardware and software that will be used throughout the product’s entire lifecycle, as well as to obligate manufacturers to maintain the product’s security for at least five years after its market launch. Additionally, it emphasises the importance of standardisation to achieve higher levels of cyber resilience.

The CRA seeks to establish a comprehensive framework that addresses critical aspects of cybersecurity, including risk management, incident response, and information sharing. By outlining standardised practices, the CRA aims to promote a proactive and coordinated approach to cybersecurity at both organisational and national levels.

One of the key benefits of standardisation in cybersecurity is the improved awareness it may bring. By adopting standardised practices, organisations can gain a deeper understanding of potential vulnerabilities and develop effective countermeasures. Standardisation also facilitates the dissemination of knowledge and best practices among stakeholders, leading to greater awareness of emerging threats and the latest cybersecurity advancements.

Standardisation in cybersecurity requires the active involvement of stakeholders from various sectors. The proposed CRA seeks to engage stakeholders through consultations, public-private partnerships, and collaboration with industry experts.

By involving stakeholders, such as Government agencies, industry associations, and cybersecurity professionals, the CRA aims to gather diverse perspectives and ensure that the standards developed are practical, relevant, and widely accepted.

By engaging stakeholders a collective commitment to cybersecurity can be developed. It allows for the identification of sector-specific challenges, enabling tailored solutions that address unique risks. Stakeholders’ active participation can also foster a sense of ownership, encouraging organisations and individuals to adhere to standardised practices voluntarily.

Furthermore, stakeholder engagement ensures that standards are regularly reviewed and updated to keep pace with evolving threats and technological advancements.

Standardisation also plays a vital role in enhancing cybersecurity measures and bolstering cyber resilience. The proposed CRA demonstrates the recognition of standardisation’s significance in combating cyber threats.

By promoting awareness and engaging stakeholders, the CRA seeks to establish a unified approach to cybersecurity that fosters collaboration, innovation, and a more secure digital environment. Embracing standardised practices empowers organisations and individuals to proactively defend against cyber threats, ultimately safeguarding our interconnected world.

The European Commission, through the Directorate-General for Communication, Networks, Content and Technology (DG Connect), on behalf of the European Cybersecurity Competence Centre (ECCC) on the 25th May 2023 has launched a call in accordance with the 2023-2024 Work Programme for DIGITAL, to facilitate the implementation of the CRA, whereby harmonised standards would be developed, by which if followed, would trigger the presumption of conformity with the CRA essential cybersecurity requirements to which they correspond.

This will be complementary to actions by the National Cybersecurity Coordination Centres, which will play a key role in reducing negative cross-border spill overs and subsequent costs to society to mitigate the risks associated with non-secure products.

The deadline for proposals is 26th September 2023, whereby projects under the topic DIGITAL-ECCC-2023-DEPLOY-CYBER-04-STANDARDISATION will be 100 per cent funded by the European Commission with no minimum amount funding requirement. Maximum project length is 36 months.

Activities covered by this topic include the organisation of events, workshops, stakeholder consultations, and production of white papers, all fostering the development of harmonised standards and conformity with requirements stemming from above mentioned legislative framework, as well as the support for participation of relevant European experts in European and international cybersecurity standardisation forums.

The National Cybersecurity Coordination Centre for Malta, under the auspices of MITA, aims to promote EU funding opportunities within Maltese territory and provide technical assistance to Maltese entities to apply for EU-funding calls. In this manner, information on this call for proposals is available on NCC-MT.

This article is co-funded by the European Union.