
Cybersecurity / network and information security (RP 2025)

(A.) Policy and legislation

(A.1)   Policy objectives

The EU’s Cybersecurity Strategy for the Digital Decade (JOIN/2020/18 final) aims to ensure a global and open Internet with strong guardrails to address the risks to the security and fundamental rights and freedoms of people in Europe. Following the progress achieved under the previous strategies, it contains concrete proposals for deploying three principal instruments – regulatory, investment and policy instruments – to address three areas of EU action: (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace. Furthermore, cybersecurity must be integrated into all digital investments, particularly key technologies like Artificial Intelligence (AI), encryption and quantum computing, using incentives, obligations and benchmarks.

The communication setting up ICT standardisation priorities for the digital single market (DSM) refers to cybersecurity as a priority domain for Europe.

The NIS 2 Directive (Directive (EU) 2022/2555) lays down measures that aim to achieve a high common level of cybersecurity across the EU. To that end, the NIS 2 Directive lays down cybersecurity risk-management measures and reporting obligations for entities operating in critical and highly critical sectors. The obligation on entities to appropriately manage cybersecurity risks includes measures for supply chain security. Furthermore, the NIS 2 Directive provides for closer cooperation and capacity building among the Member States and the relevant entities. In order to promote a convergent implementation of the cybersecurity risk-management measures across the EU, Member States should encourage the use of European or international standards and technical specifications relevant to the security of network and information systems, without imposing or discriminating in favour of the use of a particular type of technology. The NIS 2 Directive amends the eIDAS Regulation and includes the requirements concerning cybersecurity risk-management and incident reporting for the trust service providers.

The EU Cybersecurity Act (Regulation (EU) 2019/881) established the European Cybersecurity Certification Framework in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and enabling a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services and ICT processes. As laid down in the mandate provided by the EU Cybersecurity Act, the European Union Agency for Cybersecurity (ENISA) can be requested to prepare candidate EU cybersecurity certification schemes. All schemes must contain references to the international, European or national standards applied in the evaluation of ICT products, ICT services and ICT processes. There is a close linkage between the tasks assigned to ENISA for that purpose and the Rolling Plan for ICT Standardisation.

On 18 April 2023, the Commission proposed an amendment to the Cybersecurity Act, setting forth provisions for the adoption of certification schemes for managed security services.

In February 2024, the Commission adopted the first-ever European cybersecurity certification scheme, based on the tried and tested Common Criteria (ISO/IEC 15408) and Common Evaluation Methodology (ISO/IEC 18045). The scheme offers a Union-wide set of rules and procedures on how to certify ICT products throughout their lifecycle and thus make them more trustworthy for users. The voluntary scheme will complement the Cyber Resilience Act, which introduces binding cybersecurity requirements for all hardware and software products in the EU.

Finally, a few days later, the Commission also published the Union Rolling Work Programme for European cybersecurity certification (URWP). The URWP outlines strategic priorities for future European cybersecurity certification schemes. It includes general considerations for European cybersecurity certification, such as the importance of standard development activities and the coherence and composability of schemes. Furthermore, the URWP lists areas for possible future certification. This includes areas where European cybersecurity certification schemes are envisaged in connection with legislative developments, such as European Digital Identity Wallets and managed security services. Areas for future reflection regarding cybersecurity certification include Industrial Automation and Control Systems and Security Lifecycle Development building on the CRA requirements, as well as cryptographic mechanisms.

Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks identifies a series of actions in order to support the development of a Union approach to ensuring the cybersecurity of 5G networks. The EU Toolbox on 5G cybersecurity (EU Toolbox) published in January 2020 aims to address risks related to the cybersecurity of 5G networks. It identifies and describes a set of strategic and technical measures, as well as corresponding supporting actions to reinforce their effectiveness, which may be put in place in order to mitigate the identified risks. One of the supporting actions focuses on Supporting and shaping 5G standardization.

As a result of the above-mentioned policy initiatives, the European Commission has requested the European Union Agency for Cybersecurity (ENISA) to prepare a candidate EU cybersecurity certification scheme for the certification of ICT products based on Common Criteria (EUCC), of ICT cloud services (EUCS) and the certification of key 5G mobile network components and suppliers’ processes (EU5G).

The Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, adopted on 23 October 2024, relies on harmonised standards to support the implementation of the essential requirements it sets out, building on existing European and international standards.

The AI Act (Regulation (EU) 2024/1689) and the revised Regulation (EU) No 910/2014 on electronic identification and trust services (eIDAS) both add to the trust in digital services. Their implementation may require further standardisation activities, including in the area of cybersecurity.

Post-Quantum Cryptography (PQC) represents the most promising technology to ensure that our communications and data at rest remain secure in the new digital quantum era. PQC algorithms are based on mathematical problems that are difficult to solve even for quantum computers, and PQC is in principle a software-only solution that is almost fully compatible with our current digital infrastructure.

Commission Recommendation (EU) C(2024) 2393 of 11 April 2024 on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography (PQC) represents a stepping stone for EU policy in the field of digital technologies, in line with the EU Security Union Strategy and the EU Cybersecurity Strategy, which both highlight encryption as a key technology for achieving resilience and technological sovereignty and for building operational capacity to prevent cyberattacks. The ongoing development of quantum computers at a considerable pace represents a risk for current public key cryptography algorithms, which are used to secure and keep intact most of our communications and transactions and to authenticate individuals and entities; a transition to a quantum-resistant digital infrastructure is therefore needed. The already existing threat of so-called “harvest now, decrypt later” attacks, in which malicious actors store data now and decrypt it once a cryptographically relevant quantum computer is available, and the fact that many devices currently in production could have lifetimes of 10 years or more, extending into the period when quantum computers are expected to be available, both call for initiating the transition to quantum-safe solutions now.

The Recommendation encourages Member States to develop a roadmap for a coordinated adoption and implementation of PQC across the EU, synchronising the efforts of Member States to design and implement national transition plans while ensuring cross-border interoperability. The Recommendation also encourages the evaluation and selection of relevant PQC EU algorithms with the help of cybersecurity experts, and the further adoption of such algorithms as Union standards that should be implemented across the Union as part of the Coordinated Implementation Roadmap.

(A.2) EC perspective and progress report

The Communication on ICT standardisation priorities for the digital single market identified as challenges – among others – the increasing reliance of the economy on digital technologies, along with the complexity across the value chain in many of its applications, as well as access rights to standards that call for improved cooperation in the growing ecosystem of existing and emerging standardisation bodies and organisations. The EU Cybersecurity Strategy and Standardisation Strategy emphasise the need to foster broader multi-stakeholder participation and international cooperation in the area of standardisation in support of the resilience of the EU digital single market but also for reaping the benefits from the investments in standardisation and certification. Work towards addressing these challenges is ongoing.

The newly adopted European Common Criteria-based cybersecurity certification scheme and other candidate cybersecurity certification schemes in preparation (such as the European cybersecurity certification scheme on cloud services (EUCS) and the European 5G cybersecurity scheme) are examples of the extensive body of standards used in conformity assessment and certification to improve, and make transparent, the effectiveness of the risk controls pertaining to the use of ICT products, services and processes.

The Communication on ICT standardisation priorities for the digital single market resonates with the past policy instruments mentioned above for the priority domain cybersecurity, the “bedrock of trust and reliability”, with the following focus:

  • A very high quality of cybersecurity, as specified in standards, to be built into any new technology or service (“security-by-design”). This helps to mainstream cybersecurity requirements into ICT products, services and processes, and helps operators to manage their cybersecurity risks out-of-the-box and during the lifecycle by means of the evaluation and certification methodologies employed in EU cybersecurity certification schemes.
  • Communication-enabled distributed digital devices and services in IoT, AI and eIDAS require seamless and interoperable secure authentication and processors across all involved subjects and objects to enable secure and transparent access to, exchange and processing of data (“protection-by-design”).
  • Encouraging the coherent adoption of standardisation practices across the EU to support the cybersecurity risk-management and reporting obligations for essential and important entities, which are one of the key pillars of the NIS2 Directive.
  • Collaboration and multi-stakeholder governance remains key in standardisation as stressed in the EU Cybersecurity Strategy and EU Standardisation Strategy.
  • Develop methods to give reasonable assurance for the security of products and services in a much shorter timeframe.

The essential cybersecurity requirements set out in the Cyber Resilience Act (CRA) are designed to ensure adequate security protection for products with digital elements used by European citizens, businesses and critical infrastructures. The CRA and the standards underpinning its implementation will create synergies with the EU Cybersecurity Act. As the next step, following the adoption of the CRA, the Commission will prepare a formal standardisation request to support its implementation.

European cybersecurity certification schemes will support the building blocks of ICT standard setting and will increasingly rely upon standardisation to establish and harmonise the cybersecurity functional and assessment requirements applied to cybersecurity certification.

Assessment and certification of ICT products, services and processes helps consumers make informed decisions and serves as a means of technological autonomy. Certification further helps identify such products and services on the grounds of a solid assessment of the cybersecurity requirements by a proficient evaluator. Transparent standards and specifications for the definition and verification of cybersecurity requirements form the very foundation of the “cybersecurity-by-design-and-default” proposition the European Union aims for, such as the continuous monitoring of the threat landscape for the purpose of aftermarket improvements to ICT already sold, and support with threat intelligence to remain resilient in the next wave of cyberattacks.

Further progress in technologies that are currently available to a limited set of users, such as quantum key distribution and artificial intelligence, could open more ways to improve the European Union’s cybersecurity, for instance through the application of quantum key distribution or machine learning respectively.

It is important that all levels of an organisation – particularly the strategic level, business owners and the management board – are aware of the need for standards and frameworks for cybersecurity. Moreover, between organisations that are partners in (vital) online chains, clear agreements will have to be made on the standards applicable to sectors. The need for security to be ensured throughout the lifetime of the ICT product, ICT service or ICT process, by design and development processes that constantly evolve to reduce the risk of harm from malicious exploitation, should also be considered in the context of relevant standardisation activities. It is therefore important to undertake an analysis of the existing standards that can mitigate the current risks and to map the current and presumed future risks that still need to be addressed by specific standards.

‘Cybersecurity-by-design-and-default’, as embodied in European policy instruments like certification schemes, together with the European Union’s move towards resilience over the lifecycle of digital technologies, shows the way for standardisation activities. Collaboration at European and international level and broad participation in the multi-stakeholder ecosystem of standardisation further reinforce the European Union’s cybersecurity posture.

The transparency of standards should not stop at the preparation phase but should also extend to their accessibility, for wide reception and adoption by the audience concerned. In particular, evaluation methodologies used in certification schemes should be quotable and available in machine-readable format.

(A.3) References

  • JOIN/2020/18 final – Joint Communication The EU’s Cybersecurity Strategy for the Digital Decade
  • Joint Communication on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, JOIN(2017) 450 final
  • JOIN(2013) 1 final Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace
  • Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
  • Commission Recommendation (EU) 2019/553 of 3 April 2019 on cybersecurity in the energy sector (notified under document C(2019) 2400)
  • Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast)
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
  • Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union
  • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the EU (NIS Directive)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to personal data processing and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises - C/2017/6100
  • Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks - C/2019/2335
  • COM(2016)176 ICT Standardisation Priorities for the Digital Single Market
  • COM(2015)192 A Digital single market strategy for Europe
  • COM(2017)228 Communication on the Mid-Term Review on the implementation of the Digital Single Market Strategy - A Connected Digital Single Market for All and accompanying Staff Working Document SWD(2017)155
  • Cybersecurity of 5G networks - EU Toolbox of risk mitigating measures (01/2020)
  • COM/2020/795 Communication on A Counter-Terrorism Agenda for the EU: Anticipate, Prevent, Protect, Respond.
  • Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)
  • Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (eIDAS 2.0)
  • COM/2022/197 final Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space. The co-legislators reached an agreement on 15 March 2024, endorsed by the Council on 22 March 2024 and voted by EP plenary on 24 April 2024. The act is now undergoing the final stages of the adoption process.
  • COM(2022) 454 final Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020. The co-legislators reached an agreement on 30 November 2023, endorsed by the Council on 20 December 2023 and voted by EP plenary on 12 March 2024. The act is now undergoing the final stages of the adoption process.
  • Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
  • The EU Toolbox on 5G cybersecurity, EU Toolbox of risk mitigating measures, NIS Cooperation Group, Cybersecurity of 5G networks, 29 January 2020.
  • Commission Recommendation (EU) C(2024) 2393 of 11 April 2024 on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography


(B) Requested actions and progress in standardisation

(B.1) Requested actions

Action 1: ESOs to develop standards in support of the cybersecurity essential requirements set out in the Cyber Resilience Act. Furthermore, SDOs to develop standards and sectorial specifications for critical infrastructure protection in support of, and responding to, the requirements of the NIS2 Directive. Foster the application of the EN 62443 series (based on the IEC 62443 series) for the firm establishment of EU regulatory requirements for operational technology (OT) security, including critical infrastructures.

Action 2: SDOs to assess the content of existing standards and specifications applied under the European Cybersecurity Certification Framework (including both the present and planned schemes as well as initiatives under the Union Rolling Work Programme for European cybersecurity certification (URWP)) in order to revise existing documents or create new standards. It should be ensured that these standards are made available gradually and in a timely manner to support any certification activity, particularly as the preparation of candidate certification schemes has come under the remit of ENISA. In particular, SDOs are encouraged to develop and harmonise standards related to the specification and assessment of security properties in ICT products and services (including cloud services), standards related to security in the processes of design, development, delivery and maintenance of an ICT product or service, and methodologies concerning assurance levels for industry sectors.

Action 3: SDOs to investigate and prepare harmonised evaluation methodologies of cybersecurity risks, controls and interfaces as required by EU policy instruments such as the Certification Framework of the EU Cybersecurity Act, the Cyber Resilience Act and others for their horizontal application into trusted products such as semiconductors, the European Digital Identity Wallet, and other digital technologies.

Action 4: SDOs to assess European cybersecurity policies, such as the upcoming Cyber Resilience Act, but also in relation to other policy instruments, such as the Machinery Directive, the Radio Equipment Directive or to the machine learning component for the AI Act.

Action 5: SDOs to investigate requirements for secure and interoperable communication protocols for mobile and fixed networks of distributed devices and services that may in addition rely upon limited resources and interfaces. Requirements should address relevant mechanisms of authenticating, registering, and processing user identities seamlessly across devices, services and applications.

Action 6: SDOs to assess the availability of standards and technical specifications in general or for business sectors relevant for the requirements relating to cybersecurity risk-management, including those pertaining to supply chain, incident notifications for entities in line with the NIS 2 Directive, or in support of the upcoming Cyber Resilience Act and other potential EU legislation, including as regards certification schemes as defined in the Cybersecurity Act.

Action 7: SDOs to assess gaps and develop standards on cybersecurity of products in support of possible certification schemes completed under the European Cybersecurity Act and in support of the upcoming Cyber Resilience Act.

Action 8: SDOs to explore options for the composition and matching of assurance statements as issued under the Certification Framework of the Cybersecurity Act also in conjunction to the provisions of related EU regulatory instruments like the Cyber Resilience Act, the NIS2 Directive or the new eIDAS regulation.

Action 9: SDOs should develop the standards necessary to fulfil the objectives of the EU Cybersecurity Strategy, i.e. by supporting the European Cybersecurity Coordination Centre’s (ECCC) strategic agenda, including Post-Quantum Cryptography (PQC). SDOs should foster/establish cooperation with the ECCC and national Cybersecurity Centres in order to facilitate the uptake of the results of current research and outputs from the funding programmes Horizon Europe and Digital Europe.

Action 10: SDOs to assess gaps and develop standards in support of trust services under the NIS2 Directive and other possible instruments of EU law.

Action 11: ESOs to work with global SDOs and the open-source community to identify available or ongoing technologies of relevance for supporting EU regulation, in particular the upcoming Cyber Resilience Act.

Action 12: ESOs and SDOs to evaluate the need for and feasibility of sector-specific cybersecurity standards for healthcare (e.g. electronic health record systems, digital health applications, software as a medical device, medical device software, IoMT) that would complement relevant horizontal cybersecurity standards, with a view to supporting the implementation of the upcoming Cyber Resilience Act and the European Health Data Space regulation.

(C.) Activities and additional information

(C.1) Related standardisation activities

CEN & CENELEC

CEN-CLC/JTC 13 ‘Cybersecurity and Data Protection’ focuses on Information Technology (IT) and develops European standards for data protection, information protection and security techniques, including: organisational frameworks and methodologies; IT management systems; data protection and privacy guidelines; process and product evaluation schemes; ICT security and physical security technical guidelines; smart technology, objects, distributed computing devices, data services, product security, and support to the EU 5G Certification scheme, the Radio Equipment Directive (Directive 2014/53/EU) and the Cyber Resilience Act. The ISO/IEC 27000 standards, the Common Criteria for Information Technology Evaluation ISO/IEC 15408 and the Common Methodology for Information Technology Evaluation ISO/IEC 18045 are adopted as European Standards by this Joint Technical Committee. CEN-CLC/JTC 13 has established a dedicated Special Working Group on the Cyber Resilience Act (CEN/CLC/JTC 13/WG 9) to start preparation for the standardisation needs of the CRA. This working group builds on the experience of the Special Working Group on the RED Standardisation Request (CEN/CLC/JTC 13/WG 8). A new WG 10 ‘Cryptography’ has been created to act as a mirror of ISO/IEC JTC 1/SC 27/WG 2 and to focus on new topics like PQC.

CLC/TC 65X ‘Industrial-process measurement, control and automation’ coordinates the preparation of European Standards for industrial process measurement, control and automation (e.g. EN IEC 62443-4-1 Security for industrial automation and control systems – Secure product development lifecycle requirements). The EN IEC 62443 series addresses Operational Technology (OT) found in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare and transport systems. These are sectorial standards, which can also be applied across many technical areas.

CLC/TC 9X provides standards on electrical and electronic systems, equipment and software for use in railway applications. CLC/TS 50701 ‘Railway applications – Cybersecurity’ provides a specification that can be used to demonstrate that a system is cyber secure, has set Target Security Levels and has achieved them during operation and maintenance. Technical Committee IEC TC 9 ‘Electrical equipment and systems for railways’ develops international standards for the railway field, which includes rolling stock, fixed installations and management systems (including supervision, information, communication, signalling and processing systems) for railway operation. The project team 63452 ‘Railway applications – Cybersecurity’ is currently developing a standard which maps and adapts IEC 62443 requirements to the railway application domain and its operational environment.

Cybersecurity standards are also being developed in several vertical sectors, for example: CEN/TC 301 ‘Road Vehicles’, CEN/TC 377 ‘Air-traffic management’, CLC/TC 9X ‘Electrical and electronic applications for railways’, CLC/TC 57 ‘Power systems management and associated information exchange’, CEN-CLC/JTC 19 ‘Blockchain and Distributed Ledger Technologies’, CEN/TC 224 ‘Personal identification and related personal devices’, CLC/TC 45AX ‘Instrumentation, control and electrical power systems of nuclear facilities’.


CEN/CLC/JTC 22 WG 4 is working on PQC, in particular on an equitable analysis of, and comparison between, PQC and Quantum Cryptography (more specifically Quantum Key Distribution, QKD).

ETSI

TC CYBER is the ETSI centre of expertise for cybersecurity and produces standards for the cybersecurity ecosystem, consumer IoT/devices, protection of personal data and communication, network security, cybersecurity tools and guides, and in support of EU legislation (GDPR, CSA, RED, NIS/NIS2) (details in the CYBER Roadmap). TC CYBER work already supports Actions 2, 4 and 7 with EN 303 645 and complementary deliverables on consumer IoT devices (e.g. Smart Door Locks), and Action 2 with TS 103 732, a protection profile for consumer mobile devices which is being submitted for certification against Common Criteria to assist manufacturers in the security certification of their products (TC CYBER publications and TC CYBER work programme). As of September 2024, a new enhanced version of EN 303 645 is awaiting final publication, having completed ENAP; it will provide enhanced coverage of CRA requirements.

ETSI (TC CYBER) has been working with GSMA and 3GPP in support of Action 2 on the enhancement of existing standards and assessment schemes (NESAS and SAS) for EU5G. ETSI is also working with the O-RAN Alliance to make O-RAN specifications, including assurance specifications, available, including for use with the CRA. TC CYBER has also produced further standards such as Privileged Access Workstation Security TS 103 994, which supports Actions 1 and 10.

ETSI CYBER QSC continues to track the work of NIST on the standardisation of post-quantum algorithms. ETSI will both update and extend the ETSI CYBER QSC specifications as the NIST work progresses, which would be applicable to Actions 1 through 11.

ETSI is following closely the work on PQC and has already published a number of relevant guidelines and documents on the migration to PQC:

  • ETSI TR 103 949 (2023-05) on the migration to PQC
  • ETSI TR 103 692 (2021-11) on State Management for Stateful Authentication Mechanisms
  • ETSI TS 103 744 V1.1.1 (2020-12) on Quantum-safe Hybrid Key Exchanges
  • ETSI TR 103 619 V1.1.1 (2020-07) on Migration strategies for Quantum Safe schemes

Guidelines and reports on the migration to PQC have also been published by national security authorities, such as ANSSI in France (anssi-avis-migration-vers-la-cryptographie-post-quantique.pdf) and BSI in Germany, and by ENISA.

The work by ETSI on migrating from a non-quantum-safe cryptographic state to a fully quantum-safe cryptographic state (Migration strategies for Quantum Safe schemes – ETSI TR 103 619 V1.1.1 (2020-07)) builds on a combination of approaches for the transition to a quantum-safe digital infrastructure. It also builds on the work of TC CYBER QSC, which works on quantum-safe cryptography with a focus on the practical implementation of quantum-safe primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications.

The work covers the migration towards a post-quantum world (TR 103 619), extending that knowledge to other sectors to assist in migration (e.g. for ITS in the development of DTR/CYBER-QSC-0018), and the specification of Quantum-Safe Hybrid Key Exchanges.

ISG QKD (Quantum Key Distribution) works to support the industrialisation of QKD technology to secure ICT networks. Its publications cover requirements for security proofs of QKD protocols and authentication, precise characterisation of QKD modules and components, and approaches to integrate QKD into networks. The work considers the security of system implementations and aims to assist the certification of QKD systems using the Common Criteria.


ISG PDL (Industry Specification Group on Permissioned Distributed Ledgers) has published Group Reports and Group Specifications (GRs and GSs) on smart contracts, a GS on DAOs (Distributed Autonomous Organisations), and documents on non-repudiation, redactability, digital identity and other subjects. Many of these address security and integrity:

  • ETSI GR PDL 004v1.1.1 - PDL Smart Contracts System Architecture and Functional Specification.
  • ETSI GS PDL 011v2.1.1 - Specification of Requirements for Smart Contracts’ architecture and security.
  • ETSI GR PDL 014v1.1.1 Study on non-repudiation techniques.
  • ETSI GR PDL 017v1.1.1 eIDAS2, in cooperation with TC ESI.
  • ETSI GS PDL 018v1.2.1 Redactable Distributed Ledgers.
  • ETSI GR PDL 019v1.1.1 PDL Services for Identity and Trust Management.
  • ETSI GS PDL 023v1.1.1 DID - Decentralized identifiers Framework
  • ETSI GS PDL 027v1.1.1 SSI in Telecom Networks (draft)
  • ETSI GR PDL 028v1.1.1 PDL in oneM2M IoT standards (draft)
  • ETSI GS PDL 029v1.1.1 Distributed Autonomous Organization (in approval)
  • ETSI GR PDL 030v1.1.1 Trust in Telecom System (draft)

ISG MEC (Multi-access Edge Computing) led the publication of a White Paper on “MEC security: Status of standards support and future evolutions”, written by several authors participating in ETSI ISG MEC, ETSI ISG NFV SEC and ETSI TC CYBER. The work identified aspects of security where the nature of edge computing leaves typical industry approaches to cloud security insufficient. As a follow-up, the MEC group started a related study on MEC security (ETSI GR MEC 041) and has commenced associated normative work, including an API Gateway for Client Applications (ETSI GS MEC 060), with the architectural impacts captured in the latest draft of the Framework and Reference Architecture specification (ETSI GS MEC 003).

ETSI also works on other specific security topics, including:

  • the security of mobile communications, including the 5G network equipment security assurance specifications (3GPP SA3);
  • network functions virtualisation (ETSI NFV ISG);
  • intelligent transport systems (ITS WG5);
  • digital enhanced cordless telecommunications (DECT™);
  • M2M/IoT communications (oneM2M published standards, latest drafts);
  • reconfigurable radio systems (ETSI TC RRS);
  • IPv6-based secure internet protocol best practices and IPv4 sunsetting guidelines (ETSI ISG IPE);
  • emergency telecommunications, including terrestrial trunked radio (TETRA);
  • electronic signatures and trust service providers, with a set of standards for the certification of trust services (TC ESI, ESI activities).

More recently, ISG ETI (Encrypted Traffic Integration) has been expanding development of the Zero Trust Architecture to address the problems cited in ETSI GR ETI 001.

TC SET produces the standards for two secure element platforms: the UICC, the most widely deployed secure element, with billions of units (notably SIM cards) entering the market every year, and the SSP (Smart Secure Platform), a TC SET proposal for a high-end, high-security secure element. TC SET and some of its members are involved in the development of the EU5G certification process through the eUICC certification scheme based on EUCC, and TC SET is committed to continued cooperation with ENISA to add an EU scheme for the certification of production and personalisation sites. In addition, TC SET has standardised a major evolution of the UICC platform allowing support of an EU digital identity compliant with the requirements of the eIDAS Regulation. TC SET has started work on migration to PQC technologies.

IEC 

Project team IEC/TC 9/PT 63452 ‘Railway applications – Cybersecurity’ is responsible for adapting the IEC 62443 requirements to the railway application domain and its operational environment, and for detailing how those requirements are applied in that context. It provides guidance on how the security process can be interfaced with the generic RAMS life cycle of IEC 62278, and it defines the cybersecurity activities and deliverables needed to identify, monitor and manage cybersecurity risks within a railway application.

Committee IEC/TC 65 ‘Industrial-process measurement, control and automation’ develops International Standards for systems and elements used for industrial-process measurement and control concerning continuous and batch processes.

Working Group IEC/TC 65/WG 10 ‘Security for industrial process measurement and control - network and system security’ is responsible for the IEC 62443 series on Industrial communication networks, which addresses the prevention of illegal or unwanted penetration, intentional or unintentional interference with the proper and intended operation, or inappropriate access to confidential information in industrial automation and control systems.

IEC 62443-4-2:2019 ‘Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components’ was published in 2019 and IEC 62443-3-2:2020 ‘Security for industrial automation and control systems - Part 3-2: Security risk assessment and system design’ was published in 2020. The second edition of IEC 62443-2-1 ‘Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners’, originally expected in 2021, was published as IEC 62443-2-1:2024.

In Europe, IEC/TC 65 is mirrored by CLC/TC 65X ‘Industrial-process measurement, control and automation’. This CENELEC standardisation work is carried out for equipment and systems, and closely coordinated with IEC/TC 65.

Technical Committee IEC/TC 57 ‘Power systems management and associated information exchange’ is responsible for the IEC 62351 standards series ‘Power systems management and associated information exchange - Data and communications security’. The different security objectives of this series include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.

IECEE/ICAB 

Conformity Assessment (CA) is any activity that results in determining whether a product or other object corresponds to the requirements contained in a standard or specification. The IEC runs four CA systems, each of which operates Schemes based on third-party conformity assessment certification. They establish that a product is reliable and meets expectations in terms of performance, safety, efficiency, durability, etc. This is especially crucial for cybersecurity.

IECEE, the IEC system for Conformity Assessment Schemes for Electrotechnical Equipment and Components, which issues internationally recognized certification on Cybersecurity, operates the CB scheme, facilitating cooperation among accepted National Certification Bodies (NCBs) worldwide. NCBs perform market surveillance functions, which ensure that the overall production line is constantly compliant with the initial testing/certification.

The IECEE Full Certification Scheme is an extension of the IECEE CB Scheme in which initial and/or periodic surveillance of production is performed. The Scheme provides evidence that each certified product offers the same quality/safety level as the type-tested sample.

The CAB (Conformity Assessment Board) is responsible for setting the IEC’s conformity assessment policy, promoting and maintaining relations with international organizations on conformity assessment matters.

 

OASIS

The OASIS Cyber Threat Intelligence (CTI) TC defines a set of information representations and protocols to support automated information sharing for cybersecurity situational awareness, real-time network defence and sophisticated threat analysis. The Structured Threat Information eXpression (STIX) language, launched in 2014 and most recently issued as STIX v2.1 in 2021, provides a common set of descriptors for security threats and events. The Trusted Automated Exchange of Intelligence Information (TAXII) specification, launched in 2014 and most recently issued as TAXII v2.1 in 2020, provides the common message exchange patterns (a RESTful API over HTTPS) used to transport STIX content.
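As an added illustration of what the CTI TC's two formats look like in use (this is example code, not OASIS's own, and the malware name, addresses and domain are made up, drawn from documentation ranges), the block below builds a STIX 2.1 bundle, hands its objects over in a TAXII 2.1 envelope, and runs the indicator pattern over a constructed set of observations. The matcher deliberately understands only equality comparisons joined by OR, the shape of a plain indicator feed, and reports any other pattern as unsupported rather than silently matching nothing.

```python
"""Added example (not OASIS code): STIX 2.1 bundle, TAXII 2.1 envelope and a
deliberately small pattern matcher. All names, addresses and domains are
constructed (RFC 5737 / RFC 2606 documentation values)."""
import json
import re
import uuid
from datetime import datetime, timezone

SPEC_VERSION = "2.1"
# One STIX comparison expression of the form [object-type:property = 'value']
_COMPARISON = re.compile(r"^\[\s*([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'\s*\]$")


def _timestamp():
    # STIX 2.1 timestamps are RFC 3339 in UTC; millisecond precision is conventional
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_object(obj_type, **props):
    """Common properties every STIX Domain Object / Relationship Object must carry."""
    t = _timestamp()
    return {"type": obj_type, "spec_version": SPEC_VERSION,
            "id": f"{obj_type}--{uuid.uuid4()}", "created": t, "modified": t, **props}


def make_bundle():
    """Constructed sample: a malware family, a C2 indicator and the 'indicates' link."""
    malware = stix_object("malware", name="ExampleRAT", is_family=True)  # hypothetical name
    indicator = stix_object(
        "indicator", name="ExampleRAT C2 infrastructure", pattern_type="stix",
        pattern="[ipv4-addr:value = '203.0.113.7'] OR [domain-name:value = 'c2.example.net']",
        valid_from=_timestamp())
    rel = stix_object("relationship", relationship_type="indicates",
                      source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [malware, indicator, rel]}


def taxii_envelope(objects, more=False):
    """TAXII 2.1 moves STIX objects in an envelope (the body of GET .../objects/), not a bundle."""
    return {"more": more, "objects": list(objects)}


def parse_pattern(pattern):
    """Return [(object type, property, value), ...] for 'A OR B OR ...' equality
    patterns, or None for anything this toy matcher does not understand."""
    comparisons = []
    for part in re.split(r"\s+OR\s+", pattern.strip()):
        m = _COMPARISON.match(part)
        if not m:
            return None
        comparisons.append(m.groups())
    return comparisons


def match_indicators(envelope, observations):
    """observations: constructed SCO-like dicts, e.g. {'type': 'ipv4-addr', 'value': ...}.
    Returns (hits, ids of indicators whose pattern could not be evaluated)."""
    hits, unsupported = [], []
    for obj in envelope["objects"]:
        if obj.get("type") != "indicator" or obj.get("spec_version") != SPEC_VERSION:
            continue
        comps = parse_pattern(obj["pattern"]) if obj.get("pattern_type") == "stix" else None
        if comps is None:
            unsupported.append(obj["id"])  # never treat "could not parse" as "no match"
            continue
        for obs in observations:
            for obj_type, prop, value in comps:
                if obs.get("type") == obj_type and obs.get(prop) == value:
                    hits.append((obj["id"], obj_type, value))
    return hits, unsupported


# Constructed observations, as a sensor might extract them from connection logs.
OBSERVATIONS = [
    {"type": "ipv4-addr", "value": "203.0.113.7"},
    {"type": "ipv4-addr", "value": "198.51.100.2"},
    {"type": "domain-name", "value": "c2.example.net"},
]

if __name__ == "__main__":
    env = taxii_envelope(make_bundle()["objects"])
    print(json.dumps(env, indent=2))
    print(match_indicators(env, OBSERVATIONS))
```

A real consumer would hand the pattern to a full STIX pattern evaluator; the point of the unsupported list is that a feed consumer must surface indicators it cannot evaluate instead of reporting a clean result.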

The OASIS Open Services for Lifecycle Collaboration (OSLC) project issues tools and specifications to support shared software configuration and change management, under open source licences and using W3C Linked Data methods. In 2023 OSLC issued OSLC Configuration Management v1.0, an RDF vocabulary and a set of REST APIs for managing versions and configurations of linked data resources from multiple domains, and OSLC Tracked Resource Set v3.0, methods to track additions to and removals from a set of resources, components or code sets, as well as to track state changes.

The OASIS OpenEoX technical committee will publish a unified, machine-readable approach to managing and sharing End-of-Life (EOL) and End-of-Support (EOS) information for commercial and open source software and hardware. Shareable, interoperable and widely-consumable notices of this kind will power and simplify widespread software security management frameworks.

The Open Supply-Chain Information Modeling (OSIM) TC was launched in 2024 to integrate and model information relevant to software provenance, re-use, safety and compliance certification, in a sufficiently structured and formal form to permit accurate computational conclusions and responsive actions. A formal information model is particularly relevant to policy requirements such as the Cyber Resilience Act and Software Bill of Materials (SBOM) rules, which may require the aggregation of safety and interoperability metadata from multiple sources, standards and certification schemes. These models are likely to incorporate other standards or taxonomies such as the CycloneDX standard ratified by Ecma International, the ISO/IEC 5962:2021 SPDX standard for licensing information, the OASIS Vulnerability Exploitability Exchange (VEX) profile (see CSAF in this section), and other work in progress such as the IETF’s Supply Chain Integrity, Transparency, and Trust (SCITT) programme.

OASIS’ Computing Ecosystem Supply-Chain (CES-TC) committee defines a multi-tier, cross-vendor supply chain data sharing system, using data schemas and ontologies, APIs, and smart contracts, to enable planning, enhanced visibility, enhanced resilience, and deeper traceability in order to build trusted, secure, and sustainable products and services. Digital transformation is driving more industries to build intelligent systems, using harmonized and sustainable supply chain methods to maintain resilient capacity for secure, trusted hardware and software.

The OASIS Heimdall Data Format (OHDF) committee is establishing standard data formats for exchanging normalized security data between cybersecurity tools (which today often each emit different notices, warnings and identifiers), to allow for ease of mapping and enrichment of security data to relevant compliance standards such as GDPR, PCI-DSS, etc.

The OASIS Defending Against Disinformation Common Data Model (DAD-CDM) project applies cybersecurity methods to detect, track and mitigate information quality issues. The project will extend existing object models and defence methods, including the STIX standard, to address misinformation, domestic and foreign manipulation and interference, influence operations, and online harm campaigns. Defence in this context includes enabling effective remediation in real time, as well as building strategies, plans and capabilities to manage information quality risks.

The OASIS Open Command and Control (OpenC2) TC provides a suite of specifications to administer command and control of cyber defence functions across diverse devices and systems, as well as specific security protocols for transmitting those commands in potentially hostile, vulnerable, or high-latency (IoT) environments. The base standard is the OpenC2 Language Specification v1.0 published in 2019; the committee also issued a JSON Abstract Data Notation (JADN) v1.0 in 2021 for simple formal semantic expressions. See also the OpenC2 overview. In addition, the TC issued the OpenC2 Profile for Stateless Packet Filtering v1.0 in 2019, and a Specification for Transfer of OpenC2 Messages via HTTPS v1.1 and Specification for Transfer of OpenC2 Messages via MQTT v1.0 in 2021.

The Collaborative Automated Course of Action Operations (CACAO) for Cybersecurity TC provides a standard to describe the prevention, mitigation and remediation steps of a course of action as “playbooks” in a structured, machine-readable format that can be shared across organisational boundaries and technology solutions. The CACAO Security Playbooks Version 2.0 specification was published in 2023.

The OASIS Common Security Advisory Framework (CSAF) TC provides standard, structured, machine-readable formats for security vulnerability advisories in JSON, as well as secure distribution mechanisms for discovery and disclosure. Its Vulnerability Exploitability Exchange (VEX) profile adds secure methods and actionable metadata for Software Bills of Materials (SBOMs), specifying correlations to global databases of known vulnerabilities. The TC delivered the CSAF Common Vulnerability Reporting Framework (CVRF) V1.2 in 2017 and published version 2.0 of the framework in 2022. CSAF 2.0 has been submitted to ISO/IEC JTC 1 for further approval.

The OASIS Threat Actor Context (TAC) TC establishes a common knowledge framework that enables semantic interoperability of threat actor contextual information. This framework allows organisations to strategically correlate and analyse attack data, using a formal model relying on the W3C Web Ontology Language (OWL) specification. This formalism allows high-volume automated or AI-driven analysis and threat response, as well as manual response, and enables a better understanding of an adversary’s goals, capabilities, and trends in targeting and techniques.

The Open Cybersecurity Alliance OASIS Open Project aims to bring together vendors and end users in an open cybersecurity ecosystem where products can freely exchange information, insights, analytics, and orchestrated response. The OCA supports commonly developed code and tooling and the use of mutually agreed upon technologies, data standards, and procedures.

OASIS launched the Space Automated Threat Intelligence Sharing (SATIS) TC in 2024 to extend OASIS STIX and other cybersecurity threat sharing and response standards to space sector use cases, including satellites, ground stations, and other space infrastructure.

 

ISO/IEC JTC 1

Technical Committee ISO/IEC JTC 1/SC 27 ‘Information security, cybersecurity and privacy protection’ produces the International Standards for the protection of electronic information assets and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

  • Security requirements capture methodology;
  • Management of information and ICT security; in particular information security management systems, security processes, and security controls and services;
  • Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
  • Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
  • Security aspects of identity management, biometrics and privacy;
  • Conformance assessment, accreditation and auditing requirements in the area of information security management systems;
  • Security evaluation criteria and methodology.

Included in the 198 published International Standards are the ISO/IEC 27000 Information Security Management Standards series as well as the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) and the Common Methodology for Information Technology Security Evaluation (ISO/IEC 18045).

Concerning Post-Quantum Cryptography (PQC), the evaluation of algorithms as candidates for standards has been carried out in the competition led by NIST, supported by the EU through EU-funded research. The candidate standards cover both key establishment (key encapsulation) and digital signatures. NIST coordinates with ISO/IEC JTC 1/SC 27 (https://committee.iso.org/home/jtc1sc27), which will standardise the selected algorithms. At present, one standard for stateful hash-based signatures has been approved and is specified in ISO/IEC 14888-4 (at the draft international standard stage at the time of writing). NIST published its first three PQC standards (FIPS 203, FIPS 204 and FIPS 205) in August 2024. SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas. ISO/IEC standards can be fast-tracked to CEN/CENELEC through the Vienna and Frankfurt agreements. The CEN/CENELEC Cyber-Security Technical Committee (JTC 13) is currently working on PQC.
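The stateful hash-based signatures standardised in ISO/IEC 14888-4, and the state-management guidance ETSI lists in the PQC paragraph above, share one operational hazard that the text only names: each one-time key under the tree may be used exactly once, so the signer must advance and durably persist its state before releasing a signature. The block below is an added example, not code from ISO, ETSI or NIST: a toy scheme with Lamport one-time keys under a small SHA-256 Merkle tree (real LMS/XMSS use Winternitz chains and different encodings, so none of these formats are interoperable). It shows the state being advanced before the signature leaves the signer, the scheme refusing to sign once the tree is exhausted, and how much of a one-time private key is exposed when a leaf is reused.

```python
"""Added example (toy, not LMS/XMSS): Lamport one-time signatures under a Merkle
tree, with the per-leaf state that stateful hash-based schemes must protect."""
import hashlib
import os

N_BITS = 256  # one pair of secret values per bit of the SHA-256 message digest


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def msg_bits(msg):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N_BITS)]


def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg):
    # Reveals one preimage per bit: half of the private key leaves with every signature.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))


def leaf_hash(pk):
    return H(*(a + b for a, b in pk))


def _parent_level(level):
    return [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _parent_level(level)
    return level[0]


def auth_path(leaves, idx):
    path, level = [], list(leaves)
    while len(level) > 1:
        path.append(level[idx ^ 1])  # sibling node at this level
        level, idx = _parent_level(level), idx >> 1
    return path


def root_from_path(leaf, idx, path):
    node = leaf
    for sib in path:
        node = H(node, sib) if idx & 1 == 0 else H(sib, node)
        idx >>= 1
    return node


class StatefulSigner:
    """Holds 2**height one-time keys. `next_index` is the state: in a real
    deployment it is written to durable storage before the signature is released."""

    def __init__(self, height=3):
        self.keys = [lamport_keygen() for _ in range(1 << height)]
        self.leaves = [leaf_hash(pk) for _, pk in self.keys]
        self.root = merkle_root(self.leaves)  # the long-term public key
        self.next_index = 0

    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys used; a new tree is required")
        idx = self.next_index
        self.next_index += 1  # advance (and persist) state first, then sign
        sk, pk = self.keys[idx]
        return idx, lamport_sign(sk, msg), pk, auth_path(self.leaves, idx)


def verify(root, msg, signature):
    idx, ots_sig, pk, path = signature
    return lamport_verify(pk, msg, ots_sig) and root_from_path(leaf_hash(pk), idx, path) == root


def exposed_fraction(msgs):
    """Share of one Lamport private key revealed by signing the given messages with
    the same leaf: exactly 0.5 after one signature, rising towards 1.0 on reuse."""
    seen = set()
    for msg in msgs:
        seen.update(enumerate(msg_bits(msg)))
    return len(seen) / (2 * N_BITS)


if __name__ == "__main__":
    signer = StatefulSigner(height=2)
    sig = signer.sign(b"firmware-1.0")
    print("valid:", verify(signer.root, b"firmware-1.0", sig))
    print("key exposed after reuse:", exposed_fraction([b"firmware-1.0", b"firmware-1.1"]))
```

The only security-relevant difference between this toy and a production scheme is the one the text is about: if the state is rolled back (a restored VM snapshot, a cloned HSM partition, a crash between signing and persisting), two signatures share a leaf and the exposed fraction climbs above one half, which is exactly what ETSI's state-management guidance is written to prevent.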

http://www.iso.org/iso/iso_technical_committee?commid=45306

ITU-T

ITU-T SG2 developed a new Supplement on Countering Spoofing (E.sup.spoofing to E.157). Its purpose is not the development of anti-fraud and identity verification platforms, but rather it provides information that could assist in implementing measures to counter spoofing. It should be noted that Calling Party Number authentication mechanisms are not a global solution against fraud or spoofing, the study of which is covered in various technical standardization bodies. 
https://www.itu.int/ITU-T/workprog/wp_item.aspx?isn=15044

ITU-T SG17 (Security) develops globally harmonised standards on telecommunication and information security, application security, cyberspace security, identity management and authentication, and data security, including privacy-preserving technologies such as de-identification and multi-party computation. On application security, ITU-T SG17 works specifically on software-defined networking, cloud computing, intelligent transport systems, distributed ledger technologies, quantum key distribution networks, etc. Nearly 300 ITU-T Recommendations have been developed, including the security Recommendations in the ITU-T X-series. ITU-T SG17 is also studying key management for quantum-safe communications using hybrid approaches that combine QKD and PQC, compared with the current key management of QKD networks, in order to identify the use cases and scenarios achievable with available technologies, the additional requirements they impose and the gaps to be filled.

More info: http://itu.int/ITU-T/go/tsg17

http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=17

ITU-T SG20 under question Q6/20 studies aspects related to Security, privacy, trust and identification for IoT and SC&C. ITU-T SG20 approved Recommendation ITU-T Y.4805 “Identifier service requirements for the interoperability of Smart City applications”, Recommendation ITU-T Y.4459 “Digital entity architecture framework for IoT interoperability”, Recommendation ITU-T Y.4807 “Agility by design for Telecommunications/ICT Systems Security used in the Internet of Things”, Recommendation ITU-T Y.4808 “Digital entity architecture framework to combat counterfeiting in IoT”, Recommendation ITU-T Y.4809 “Unified IoT Identifiers for intelligent transport systems”, Recommendation ITU-T Y.4810 “Requirements of data security for the heterogeneous IoT devices”, Recommendation ITU-T Y.4811 “Reference framework of converged service for identification and authentication for IoT devices in decentralized environment” and Recommendation ITU-T Y.4500.3 “oneM2M – Security solutions”. In addition, ITU-T SG20 agreed Technical Report YSTR-IADIoT “Intelligent Anomaly Detection System for IoT”.

ITU-T SG20 is working on draft Recommendation “Functional requirements and architecture of access control service of IoT platform enabled by zero trust technology in decentralized environments” (Y.IoT-acs-fra), draft Recommendation “Reference framework of cybersecurity risk management of IoT ecosystems on smart cities” (Y.IoT-Smartcity-Risk), draft Technical Report “Requirements and capability framework for identification management service of IoT device” (YSTR.IoT-IMS), draft Recommendation “Security requirements and capabilities of base station inspection services using unmanned aerial vehicles” (Y.bsis-sec), draft Supplement “Supplement to ITU-T Y.4120 - Security threats and requirements of IoT applications for smart retail stores” (Y.Sup.SRS-SR) and draft Supplement “Use cases and security requirements for sensing devices to access IoT-based electric power infrastructure monitoring system” (Y.sup.access-sec).

More info: https://itu.int/go/tsg20

Since 2016, ITU-T SG11 has been continuing its studies on implementation of security measures on signalling level in order to cope with different types of attacks on existing ICT infrastructure and services (e.g. OTP intercept, calls intercept, spoofing numbers, robocalls, etc.). Validating the calling party could help prevent such attacks. Only calls that have been successfully validated by the network would be allowed to pass through the network and reach the terminating party. The validation can be based on signing sensitive information in the signalling exchange (e.g., CLI) to guarantee the trustworthiness of the information and the caller’s identity. This would involve using digital public-key certificates (ITU-T X.509) issued by dedicated Certification Authorities (CAs) specifically for use in the telecommunications environment, not internet-based certificates.

ITU-T SG11 has been developing a series of standards defining the procedure for incorporating and validating digital public-key certificates at the signalling level, including signing the CLI in SS7-based networks (ITU-T Q.3057, Q.3062, Q.3063, Amd.2 to Q.931, Amd.6 to Q.1902.3, Amd.7 to Q.763).

Currently, ITU-T SG11 is developing ITU-T Q.TSCA “Requirements for issuing End-Entity and Certification Authority certificates for enabling trustable signalling interconnection between network entities,” which defines requirements for the verification of information elements in certificate signing requests.

In addition, ITU-T SG2 has started a new work item ITU-T E.RAA4Q.TSCA “Registration Authority Assignment criteria to issue digital public certificates for use by Q.TSCA” which defines the criteria for the selection of registration authorities for use in relation to Q.TSCA, and the process by which the criteria would be used to select registration authorities to support the allocation of digital public certificates that will facilitate implementation in support of Q.TSCA.

In addition, SG11 approved Technical Report QSTR-SS7-DFS “SS7 vulnerabilities and mitigation measures for digital financial services transactions” and Technical Report QSTR-USSD (2021) “Low resource requirement, quantum resistant, encryption of USSD messages for use in financial services”.

SG11 organised a series of events on signalling security.

More info: https://itu.int/go/SIG-SECURITY

ITU-T SG13 develops standards for quantum key distribution networks (QKDN) and related technologies. It further studies the concepts and mechanisms to enable trusted ICT, including framework, requirements, capabilities, architectures and implementation scenarios of trusted network infrastructures and trusted cloud solutions.

ITU-T SG13 produced Y.3800-series Recommendations related to quantum key distribution networks. ITU-T SG13 is also carrying out work on trust in telecommunication and approved Y.2073 “Standardization roadmap on Trustworthy Networking and Services”, Y.3058 “Functional architecture for trust enabled service provisioning”, Y.3059 “Trust Registry for Devices: requirements, architectural framework” and Y.3060 “Autonomous networks - overview on trust”.

W3C

W3C approaches security through three main activities:

  • Develop security technology standards
  • Review and increase the security of web standards
  • Guide Web Developers to design and develop in a secure manner

Developing security standards

  • The Web Application Security Working Group develops security and policy mechanisms to improve the security of Web Applications, and enable secure cross-site communication.
  • The Web Authentication Working Group defined a client-side API providing strong authentication functionality to Web Applications.
  • The Federated Identity Working Group supports authentication and authorization flows without compromising security and privacy principles.
  • The Web Payment Security Working Group enhances the security and interoperability of various Web payments technologies.
  • The Web Platform Incubator Community Group (WICG) incubates new Web APIs; several of its proposals are relevant to cybersecurity, such as Device Bound Session Credentials, the Digital Credentials API, and Realms Initialization Control for virtualising the web environment.

Reviewing the security of web standards

  • The Security Interest Group’s (SING) mission is to improve security on the Web by advising groups developing standards on how to avoid and mitigate security issues with their technologies; the group also suggests changes to existing standards and technologies to improve security.

Guiding web developers to design and develop securely

  • W3C created a cross-organisation group to guide web developers and ensure a holistic approach to security. The Security Web Application Guidelines (SWAG) Community Group increases the overall security of web application development, thereby making the web a more secure platform for web users, by editing security best practices for web creators and providing a platform for stakeholder collaboration (e.g. OpenSSF, OWASP, Open Web Docs, etc.).

More information at https://www.w3.org/Security

IEEE

IEEE has standardisation activities in the cybersecurity/network and information security space and also addresses anti-malware technologies, encryption, fixed and removable storage, and hard copy devices, as well as applications of these technologies for smart grids or in healthcare.

IEEE standards for Secure Computing include:

  • IEEE 2952, Secure Computing Based on Trusted Execution Environment
  • IEEE P2834, Secure and Trusted Learning Systems
  • IEEE P3167, Secure Biometrics Device Interface
  • IEEE P3169, Security Requirement of Privacy-Preserving Computation

IEEE Standards for cryptographic and data authentication procedures for storage devices include:

  • IEEE 1619 Cryptographic Protection of Data in Block-Oriented Storage Devices
  • IEEE 1619.1 Authenticated Encryption with Length Expansion for Storage Devices
  • IEEE 1619.2, Wide-Block Encryption for Shared Storage Media
  • IEEE 2883, Sanitizing Storage

For securing wired LANs, WG 802.1 of the IEEE LAN/MAN Standards Committee has developed the IEEE 802.1AE standard, which defines a Layer 2 security protocol called Media Access Control Security (MACsec) that provides hop-by-hop confidentiality and integrity on Ethernet links between nodes.

IEEE actively develops security standards for healthcare and medical devices as well as wearables.

  • IEEE 11073-40101 defines processes for vulnerability assessment as part of the medical device interoperability series of standards.
  • The IEEE 2621 family of standards addresses wirelessly connected diabetes devices.

IEEE P2989, focuses on Authentication in Multi-Server Environment.

IEEE 1609.2.1 specifies certificate management protocols to support provisioning and management of digital certificates to end entities, that is, an actor that uses digital certificates to authorize application activities, according to IEEE Std 1609.2(TM).

IEEE SA is taking a holistic view on cybersecurity and initiated several critical pre-standardisation Industry Connections programs in this area:

  • IC20-011 IoT Ecosystem Security
  • IC20-021 Meta Issues in Cybersecurity
  • IC21-001 Cybersecurity in Agile Cloud Computing

A new area of work focused on “Human Augmentation” is also working on issues such as security, privacy and identity: IEEE P2049.2, Standard for Human Augmentation: Privacy and Security and IEEE P2049.3, Standard for Human Augmentation: Identity.

The IEEE Computer Society AI Standards committee is working on IEEE P2986, Recommended Practice for Privacy and Security for Federated Machine Learning.

The “Privacy and Security Architecture for Consumer Wireless Devices” Working Group standardizes a privacy and security architecture for wireless consumer devices (P1912).

IEEE standards for security in the Energy Sector include:

  • IEEE C37.240, Cyber Security Requirements for Substation Automation, Protection and Control Systems
  • IEEE 1402, Physical Security of Electric Power Substations
  • IEEE 1686, Intelligent Electronic Devices Cyber Security Capabilities
  • IEEE 1711, Cryptographic Protocol for Cyber Security of Substation Serial Links
  • IEEE 2030.102.1, Interoperability of Secure IP Protocols Utilized within Utility Control Systems

For more information visit https://ieee-sa.imeetcentral.com/eurollingplan/ 

IETF

With specific reference to Commission Recommendation (EU) C(2024) 2393 of 11 April 2024 on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography (PQC), the IETF has established the Post-Quantum Use In Protocols (PQUIP) Working Group, which provides a standing venue to discuss PQC transition issues (operational and engineering) and experiences to date relevant to work in the IETF. The WG documents operational and design guidance that supports the PQC transition.

The IETF Security Area is the home for working groups focused on security protocols. These provide one or more of the security services integrity, authentication, non-repudiation, confidentiality and access control. Since many of the mechanisms needed to provide these services employ cryptography, key management is also vital.

The Security Area intersects with all other IETF Areas, and the participants are frequently involved with activities in the working groups from other areas. This involvement focuses upon practical application of Security Area protocols and technologies to the protocols of other Areas.

The full list of IETF Working Groups in the Security Area is available here: https://datatracker.ietf.org/wg#sec

https://wiki.ietf.org/en/group/iab/Multi-Stake-Holder-Platform#h-302-cybersecurity-network-and-information-security

3GPP

SA WG3 is responsible for security and privacy in 3GPP systems, determining the security and privacy requirements, and specifying the security architectures and protocols. The WG also ensures the availability of cryptographic algorithms which need to be part of the specifications.

http://www.3gpp.org/specifications-groups/sa-plenary/sa3-security

ECMA 

Ecma Technical Committee TC39 maintains and updates the general-purpose, cross-platform, vendor-neutral programming language ECMAScript (JavaScript). Secure ECMAScript (SES), a TC39 proposal, is a runtime environment for running ECMAScript strict-mode code under object-capability (ocap) rules.

The programme of work in TC54 focuses on developing standards for software transparency, starting with the CycloneDX Bill of Materials specification and the Transparency Exchange API (Project Koala) for sharing software transparency information. It also aims to establish standards and guidance for multiple BOM merging algorithms and explore future directions for standards in the software transparency space. The current standard defines the CycloneDX v1.6 Bill of materials specification. CycloneDX is a standard designed to address the complexities of the software and system supply chain.

https://ecma-international.org/publications-and-standards/standards/ecma-424/
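The CSAF/VEX and CycloneDX passages above describe two halves of one workflow: the SBOM lists what is in a product, and the VEX document says whether a given vulnerability actually affects those components. The block below is an added example (not OASIS or Ecma code) that joins a constructed CycloneDX 1.6 SBOM fragment to a constructed CSAF 2.0 VEX fragment by package URL and reports, per component, the vendor's statement. The component names, product IDs and the `CVE-0000-0000` identifier are placeholders, not real packages or advisories. It also applies one rule from the CSAF VEX profile: a `known_not_affected` statement must carry a justification (a `flags` entry or an impact `threats` entry), otherwise it is not a valid VEX statement.

```python
"""Added example (not OASIS/Ecma code): reconcile a CycloneDX 1.6 SBOM with a
CSAF 2.0 VEX document by purl. All identifiers below are placeholders."""
import copy

BOM = {  # constructed CycloneDX 1.6 fragment
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "library", "name": "libexample", "version": "1.4.2",
         "purl": "pkg:deb/debian/libexample@1.4.2"},
        {"type": "library", "name": "widgetlib", "version": "2.0.0",
         "purl": "pkg:pypi/widgetlib@2.0.0"},
        {"type": "library", "name": "otherlib", "version": "0.9.0",
         "purl": "pkg:npm/otherlib@0.9.0"},
    ],
}

VEX = {  # constructed CSAF 2.0 document using the csaf_vex profile
    "document": {
        "category": "csaf_vex", "csaf_version": "2.0", "title": "Example VEX",
        "publisher": {"category": "vendor", "name": "Example Vendor",
                      "namespace": "https://vendor.example"},
        "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1",
                     "initial_release_date": "2025-01-01T00:00:00Z",
                     "current_release_date": "2025-01-01T00:00:00Z",
                     "revision_history": [{"number": "1", "date": "2025-01-01T00:00:00Z",
                                           "summary": "Initial release"}]},
    },
    "product_tree": {"full_product_names": [
        {"name": "libexample 1.4.2", "product_id": "CSAFPID-0001",
         "product_identification_helper": {"purl": "pkg:deb/debian/libexample@1.4.2"}},
        {"name": "widgetlib 2.0.0", "product_id": "CSAFPID-0002",
         "product_identification_helper": {"purl": "pkg:pypi/widgetlib@2.0.0"}},
    ]},
    "vulnerabilities": [{
        "cve": "CVE-0000-0000",  # placeholder identifier, not a real CVE
        "product_status": {"known_not_affected": ["CSAFPID-0001"],
                           "known_affected": ["CSAFPID-0002"]},
        # VEX profile: every known_not_affected product needs a justification
        "flags": [{"label": "vulnerable_code_not_in_execute_path",
                   "product_ids": ["CSAFPID-0001"]}],
        "remediations": [{"category": "vendor_fix", "details": "Upgrade to widgetlib 2.0.1",
                          "product_ids": ["CSAFPID-0002"]}],
    }],
}


def purl_to_product_id(vex):
    """Map purl -> CSAF product_id (product_identification_helper is optional)."""
    out = {}
    for p in vex.get("product_tree", {}).get("full_product_names", []):
        purl = p.get("product_identification_helper", {}).get("purl")
        if purl:
            out[purl] = p["product_id"]
    return out


def vex_status(vex, bom):
    """For each BOM component, list (vulnerability id, status, justification labels).
    An empty list means the VEX makes no statement: treat as unknown, never as safe."""
    index = purl_to_product_id(vex)
    report = {}
    for comp in bom["components"]:
        pid = index.get(comp.get("purl"))
        statements = []
        if pid is not None:
            for vuln in vex.get("vulnerabilities", []):
                for status, ids in vuln.get("product_status", {}).items():
                    if pid in ids:
                        flags = [f["label"] for f in vuln.get("flags", [])
                                 if pid in f.get("product_ids", [])]
                        statements.append((vuln.get("cve"), status, flags))
        report[comp["purl"]] = statements
    return report


def affected_components(report):
    return sorted(p for p, st in report.items() if any(s == "known_affected" for _, s, _ in st))


def unknown_components(report):
    return sorted(p for p, st in report.items() if not st)


def lint_vex(vex):
    """Flag known_not_affected products that carry neither a flag nor an impact threat."""
    findings = []
    for vuln in vex.get("vulnerabilities", []):
        justified = set()
        for f in vuln.get("flags", []):
            justified.update(f.get("product_ids", []))
        for t in vuln.get("threats", []):
            if t.get("category") == "impact":
                justified.update(t.get("product_ids", []))
        for pid in vuln.get("product_status", {}).get("known_not_affected", []):
            if pid not in justified:
                findings.append(f"{vuln.get('cve')}: {pid} known_not_affected without justification")
    return findings


def strip_flags(vex):
    """Copy of the document with its justifications removed, to show what lint_vex catches."""
    bad = copy.deepcopy(vex)
    for vuln in bad["vulnerabilities"]:
        vuln.pop("flags", None)
    return bad


if __name__ == "__main__":
    rep = vex_status(VEX, BOM)
    print("affected:", affected_components(rep))
    print("no statement:", unknown_components(rep))
    print("lint:", lint_vex(strip_flags(VEX)))
```

The join key matters: CSAF product IDs are local to one advisory, so the only portable link between an SBOM component and a VEX statement is an identifier both sides carry, here the purl; a component with no matching product is reported as "no statement" rather than being dropped from the output.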

oneM2M

oneM2M’s architecture defines a common middleware technology in a horizontal layer between devices and communications networks and IoT applications. This standardizes secure links between connected devices, gateways, communications networks and cloud infrastructure. The oneM2M SDS – System Design and Security working group is also responsible for security and privacy. The following non-exhaustive list highlights some specifications which define and describe security features in oneM2M:

  • TS-0001 Functional Architecture
  • TS-0003 Security Solutions
  • TS-0016 Secure Environment Abstraction
  • TS-0032 MAF and MEF Interface Specification (MAF = M2M Authentication Framework; MEF = M2M Enrolment Function)

ITU-T SG20 has transposed the oneM2M specifications into its Y.4500.x series. See also Y.oneM2M.SEC.SOL.

All specifications are openly accessible at https://www.onem2m.org/technical.

(C.2) Other activities related to standardisation

ECSO 

The European Cyber Security Organisation (ECSO) is the contractual counterpart of the European Commission for the implementation of the contractual Public-Private Partnership on cybersecurity (cPPP).

WG1 focuses on standardisation, certification, labelling and supply chain management.

https://www.ecs-org.eu/

OIDF

Risk and incident sharing and coordination working group [RISC]

RISC (chartered 2015) produces data-sharing schemas, privacy recommendations and protocols for sharing information about important security events, so that an attacker who has compromised an account at one service provider cannot use it to gain access at others. RISC focuses on peer-to-peer sharing of information about the state of individual accounts. http://openid.net/wg/risc/charter/

NIST

NIST develops cybersecurity standards, guidelines, best practices and other resources, first to meet the needs of US federal agencies and second those of industry and the broader public. Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, issued on 12 May 2021, tasks NIST (among other US agencies) with two labelling efforts, for consumer Internet of Things (IoT) devices and for consumer software, with the goal of encouraging manufacturers to produce, and purchasers to be informed about, products created with greater consideration of cybersecurity risks and capabilities. In July 2023 the US formally announced the launch of an IoT cybersecurity labelling programme, the “U.S. Cyber Trust Mark”, to which NIST is contributing.

NIST has published guidance outlining security measures for critical software, guidelines recommending minimum standards for vendors’ testing of their software source code, preliminary guidelines for enhancing software supply chain security, and additional guidance identifying practices that enhance software supply chain security, with references to standards, procedures and criteria.

Other areas of work include critical infrastructure protection and post-quantum cryptography (PQC).

NIST’s work on PQC centres on the internationally open competition for the submission of PQC algorithms and their selection as candidates for standardisation, covering key establishment, digital signatures and stateful hash-based signatures (for the latter, two schemes, LMS and XMSS, are already standardised in SP 800-208). At present one key-encapsulation mechanism (ML-KEM, FIPS 203) and two digital signature algorithms (ML-DSA, FIPS 204, and SLH-DSA, FIPS 205) have been standardised; the specification of one additional digital signature algorithm (FN-DSA, derived from Falcon) is being written; three reserve algorithms are being considered as additional potential standards for key establishment; an additional call for digital signatures is ongoing, with 14 candidate algorithms having passed to round 2; and specifications for a further open call on multi-party threshold cryptography are being developed.

Post-Quantum Cryptography | CSRC (nist.gov)

Post-Quantum Cryptography FIPS Approved | CSRC (nist.gov)

PQC Digital Signature Second Round Announcement | CSRC (nist.gov)

Multi-Party Threshold Cryptography | CSRC (nist.gov)

NIST also publishes guidance on the deprecation timeline for algorithms (NIST IR 8547, initial public draft, Transition to Post-Quantum Cryptography Standards) and on specific aspects of implementing PQC (NIST SP 800-227, initial public draft, Recommendations for Key-Encapsulation Mechanisms).

(C.3) Additional information

The Danish business community in May 2022 launched a data ethics and cybersecurity seal for companies. The seal aims to create transparency for consumers and help ambitious companies gain a competitive advantage.

In the Netherlands, the national government has selected a set of security specifications for its comply-or-explain policy (e.g. DNSSEC, DKIM, TLS, SPF, DMARC, STARTTLS, DANE, RPKI) and actively uses various adoption strategies to get them implemented. An effective tool developed to drive adoption is the website www.internet.nl (available in English): organisations and individuals can easily test whether a website or mail domain supports these modern Internet specifications, and the code is open source.
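The internet.nl test queries live DNS; the added example below (written for this page, not internet.nl’s own code) shows the kind of check it performs for two of the listed specifications, SPF and DMARC, run offline over constructed TXT records for three hypothetical domains. It parses the SPF mechanisms, counts the terms that cost a DNS lookup against the limit of 10 from RFC 7208, reads the terminal `all` qualifier, and parses the DMARC tags to see whether the policy actually rejects unaligned mail. The domain names, record contents and the exact wording of findings are assumptions of the example.

```python
import re

# Constructed DNS TXT records (no live lookups) for three hypothetical domains.
SAMPLE_RECORDS = {
    "strict.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    },
    "loose.example": {
        "spf": "v=spf1 a mx ptr include:a.example include:b.example include:c.example "
               "include:d.example include:e.example include:f.example include:g.example "
               "include:h.example +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "absent.example": {"spf": None, "dmarc": None},
}

# Mechanisms and modifiers that each cost one DNS lookup under RFC 7208 (limit: 10).
LOOKUP_TERMS = ("a", "mx", "ptr", "include", "exists", "redirect")


def check_spf(record):
    """Return a list of findings for one SPF TXT record (empty list = no concerns)."""
    findings = []
    if record is None:
        return ["SPF: no record (anyone can spoof the envelope sender)"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208 default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Mechanism name is everything before ':' (argument), '/' (CIDR) or '=' (modifier).
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: ptr mechanism is deprecated and slow")
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    if all_qualifier in (None, "+", "?"):
        findings.append(f"SPF: terminal 'all' qualifier {all_qualifier!r} "
                        "does not reject unauthorised senders")
    elif all_qualifier == "~":
        findings.append("SPF: softfail (~all); prefer -all once the record is complete")
    return findings


def check_dmarc(record):
    """Return a list of findings for one DMARC TXT record (empty list = no concerns)."""
    findings = []
    if record is None:
        return ["DMARC: no record (no policy for SPF/DKIM alignment failures)"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid p= tag ({policy!r})")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports will not be received")
    return findings


def assess_domain(records):
    """Run both checks over a domain's {'spf': ..., 'dmarc': ...} records."""
    return {"spf": check_spf(records.get("spf")), "dmarc": check_dmarc(records.get("dmarc"))}


def is_compliant(records):
    """True only when neither check produced a finding."""
    result = assess_domain(records)
    return not result["spf"] and not result["dmarc"]


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, "OK" if is_compliant(records) else assess_domain(records))
```

A real tool would fetch the TXT records for `<domain>` and `_dmarc.<domain>`, follow `include:` and `redirect=` recursively (the lookup count in the example only covers the top-level record), and also evaluate DKIM selectors, which require the selector names the sender uses.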

Also in the Netherlands, a method to improve secure software lifecycle management, including software development, was developed under the title Secure Software Framework (SSF). The framework is applied by software developers in innovative projects where the security of the software is of the utmost importance. It was published by the Secure Software Alliance (SSA), a public-private programme in which software developers, end users, professional bodies, research and education institutes and the Dutch Ministry of Economic Affairs and Climate Policy cooperate to promote secure software and connect initiatives in this area. The SSF is part of the Ministry’s Roadmap for Digital Hard- and Software Security.

In September 2020 a public-private coalition called the Online Trust Coalition (OTC) was launched in the Netherlands, with the purpose of providing an unambiguous, efficient method for cloud service providers to demonstrate that their services are reliable and secure, and thereby helping to implement the relevant laws and regulations (e.g. the EU Cybersecurity Act).

In Germany, the Federal Office for Information Security (BSI) bases several national cybersecurity standards, concerning both critical infrastructures and SMEs, on the ISO/IEC 27000 family, and the Federal Network Agency (BNetzA) mandates the use of ISO/IEC 27019 (with a few additional requirements in the national IT Security Catalogue), with mandatory certification, for grid network operators.

In Spain the National Security Framework (ENS), updated in May 2022, is based on current information security and cybersecurity standards. The ENS promotes the procurement, under the principle of proportionality, of products and services with certified security functionality, in view of the availability in the near future of the EUCC and the EUCS. The ENS provisions on the protection of cloud services likewise refer to a security certification requirement in view of the coming EUCS.

ENISA and the European Computer Security Incident Response Team (CSIRT) community have jointly set up a task force with the goal of reaching a consensus on a ‘Reference Security Incident Classification Taxonomy’. Following a discussion in the CSIRT community at the 51st TF-CSIRT meeting (15 May 2017 in The Hague, Netherlands), it was concluded that there is an urgent need for a taxonomy list and naming that serves as a fixed reference for everyone; this is where the ‘Reference Incident Classification Taxonomy Task Force’ comes in. The aim of the task force is to enable the CSIRT community to reach a consensus on a universal reference taxonomy. Additionally, the task force covers the following objectives:

  • Develop a reference document
  • Define and develop an update and versioning mechanism
  • Host the reference document
  • Organise regular physical meetings with stakeholders

The ENISA NCSS Interactive Map lists all the documents of National Cyber Security Strategies in the EU: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national-cyber-security-strategies-interactive-map

For Post-Quantum Cryptography (PQC), in the Netherlands the General Intelligence and Security Service (AIVD), TNO and Centrum Wiskunde & Informatica (CWI) have published a handbook for the migration to PQC (TNO-2024-pqc-en.pdf). The handbook is intended for the Dutch government, businesses, vital sectors and knowledge institutions that handle important encrypted information, such as trade secrets.

The BSI in Germany has issued guidelines on how to migrate to a quantum-safe digital infrastructure (Migration). The recommendations are: to implement hybrid solutions that combine PQC with current asymmetric cryptography; to start with conservative choices for key exchange that give a high level of security even at some cost in performance (FrodoKEM and Classic McEliece from the NIST competition); to use the already standardised stateful hash-based signatures for firmware updates; to test the general-purpose post-quantum signature schemes (Dilithium, Falcon, SPHINCS+, the schemes behind NIST’s ML-DSA, FN-DSA and SLH-DSA) for authentication; and to consider QKD only in combination with PQC.

France has issued guidelines recommending a transition plan in which PQC algorithms must be hybridised with well-established pre-quantum algorithms and systems must be crypto-agile, i.e. able to update their cryptographic algorithms (anssi-avis-migration-vers-la-cryptographie-post-quantique.pdf). Only after 2030 does ANSSI expect PQC algorithms to be introduced standalone with good confidence.
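Both the BSI and the ANSSI guidance above hinge on “hybrid” key establishment: the session key must depend on a classical key exchange and a post-quantum KEM, so that it stays secret as long as either one holds. The added example below (written for this page; not code from BSI, ANSSI or any library) shows the combiner step that makes this true, using the secret-concatenation-then-KDF pattern with HKDF (RFC 5869) built from the standard library. The two “shared secrets” and the transcript are constructed stand-ins for the outputs of, say, X25519 and ML-KEM and for the public values exchanged; the label string and field encoding are choices of this example.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _encode(fields) -> bytes:
    """Length-prefix every field so (a || b) cannot be re-split as (a' || b')."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def hybrid_combine(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
                   label: bytes = b"example-hybrid-kem-v1", length: int = 32) -> bytes:
    """Derive one session key from a classical and a post-quantum shared secret.

    The key is a PRF of both secrets, so an attacker must break both exchanges to
    learn it. Binding the transcript (public keys, ciphertexts) into the info field
    ties the key to this particular run and prevents mix-and-match across sessions.
    """
    prk = hkdf_extract(salt=label, ikm=_encode([ss_classical, ss_pq]))
    return hkdf_expand(prk, _encode([label, transcript]), length)


# Constructed stand-ins: a real deployment would obtain these from the X25519 and
# ML-KEM exchanges themselves, never from fixed values.
SS_CLASSICAL = bytes.fromhex("11" * 32)   # stand-in for an X25519 shared secret
SS_PQ = bytes.fromhex("22" * 32)          # stand-in for an ML-KEM shared secret
TRANSCRIPT = b"client-x25519-pk||client-mlkem-pk||server-x25519-pk||mlkem-ct"


def demo() -> str:
    """Both peers feed identical inputs and therefore derive the same key."""
    client_key = hybrid_combine(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    server_key = hybrid_combine(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    assert client_key == server_key
    return client_key.hex()


if __name__ == "__main__":
    print("session key:", demo())
```

The crypto-agility requirement in the ANSSI guidance is served by the same structure: swapping ML-KEM for another KEM, or dropping the classical component after 2030, changes only which secrets feed `hybrid_combine` and the label, not the protocol around it. Note that a plain XOR of the two secrets would not give the transcript binding shown here, and concatenation without length prefixes would let differently sized secrets collide on the same input to the KDF.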

ENISA has also issued reports on PQC: an overview of the current state of the PQC standardisation process (https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation) and a study on the need to design new cryptographic protocols and to integrate post-quantum systems into existing protocols (https://www.enisa.europa.eu/publications/post-quantum-cryptography-integration-study).