Cybersecurity and Data Protection

Cybersecurity has been identified as one of the standardization priorities, since cyber-threats impact a multitude of sectors. Cybersecurity and data protection are rapidly growing and changing technical and application domains. The threats and requirements are increasing dramatically with the progress of digitalization and the rising number of critical assets digitalized and accessible online. Therefore, protection is expected not only from citizens but also from industry and even governments.

CEN-CLC/JTC 13 ‘Cybersecurity and data protection’ is the CEN and CENELEC horizontal technical committee that addresses these challenges. Its primary objective is to transpose relevant international standards (especially from ISO/IEC JTC 1 SC 27) as European Standards (ENs) in the Information Technology (IT) domain. It also develops ‘homegrown’ ENs, where gaps exist, in support of EU regulations (RED, eIDAS, GDPR, NIS, etc.). These two streams of activities aim at creating a strategic portfolio of standards in Europe that fits European needs.

The work programme of CEN-CLC/JTC 13 is available here.

CLC/TC 65X ‘Industrial-process measurement, control and automation’ is the other main provider of cybersecurity-related standards, in the Operational Technology (OT) domain. It prepares standards for systems and elements used for industrial process measurement, control and automation. It has created the EN IEC 62443 series of standards for the OT found in industrial and critical infrastructures, including but not restricted to power utilities, water management systems, healthcare and transport systems.

The work programme of CLC/TC 65X is available here.

The Cybersecurity Act

Regulation (EU) 2019/881 (Cybersecurity Act) establishes a voluntary framework for EU-wide cybersecurity certification for ICT products, services and processes.

In particular, CEN-CLC/JTC 13 is working on the development of an EN on ‘Cybersecurity evaluation methodology for ICT products’, which is intended for use at all three assurance levels defined in the Cybersecurity Act (basic, substantial and high). The methodology comprises different evaluation building blocks, including assessment activities that comply with the evaluation requirements of the Cybersecurity Act.

CEN-CLC/JTC 13 is also directly contributing to the development of the draft ETSI EN 303 645 ‘Cyber Security for Consumer Internet of Things’. The standard will bring together widely considered good practice in security for Internet-connected consumer devices in a set of high-level outcome-focused provisions.

General Data Protection Regulation

In support of the GDPR, CEN-CLC/JTC 13 is currently developing prEN 17529 ‘Data protection and privacy by design and by default’. The standard will provide component and subsystem developers with an early formalized process for identification of privacy objects and requirements, as well as the necessary guidance on associated assessments.

Market access regulations and horizontal cybersecurity standards

What is the relation between the Cybersecurity Act and market access regulations, which address cybersecurity-related essential requirements? Following a request from the CEN and CENELEC Technical Boards, CEN-CLC/JTC 13 is working on a pre-standardization activity, which will assess how horizontal standards could support sectorial essential requirements.
CEN-CLC/JTC 13 organized a webinar in April 2020, calling for contributions from all relevant CEN and CENELEC technical committees involved in IT security.

The webinar is available here.

For more information contact Constant KOHLER.

Technical bodies and activities

Horizontal standards:
  • CEN-CLC/JTC 13 ‘Cybersecurity and Data Protection’
Product standards:
  • CLC/TC 8X ‘System aspects of electrical energy supply’
  • CLC/TC 9X ‘Electrical equipment and systems for railways’
  • CLC/TC 13 ‘Electrical energy measurement and control’
  • CLC/TC 205 ‘Home and Building Electronic Systems’
  • CLC/TC 44X ‘Safety of machinery: electrotechnical aspects’
  • CLC/TC 45AX ‘Instrumentation, control & electrical power systems of nuclear facilities’
  • CLC/TC 57 ‘Power systems management and associated information exchange’
  • CLC/TC 61 ‘Safety of household and similar electrical appliances’
  • CLC/TC 62 ‘Electrical equipment in medical practice’
  • CLC/TC 65X ‘Industrial-process measurement, control and automation’
  • CLC/TC 79 ‘Alarm systems’
  • CLC/TC 108X ‘Safety of electronic equipment within the fields of Audio/Video, Information
    Technology and Communication Technology’
  • CLC/TC 121A ‘Low-voltage switchgear and controlgear’
  • CEN-CLC/JTC 19 ‘Blockchain and Distributed Ledger Technologies’
  • CEN/TC 10 ‘Lifts, escalators and moving walks’
  • CEN/TC 52 ‘Safety of toys’
  • CEN/TC 224 ‘Personal identification and related personal devices with secure element,
    systems, operations and privacy in a multi sectorial environment’
  • CEN/TC 278 ‘Intelligent transport systems’
  • CEN/TC 301 ‘Road vehicles’
  • CEN/TC 377 ‘Air Traffic management’
