Cybersecurity and Data Protection
Cybersecurity has been identified as one of the standardization priorities, since cyber-threats affect a multitude of sectors. Cybersecurity and data protection are rapidly growing and changing technical and application domains. The threats and the requirements are increasing dramatically with the progress of digitalization and the rising number of critical assets that are digitalized and accessible online. Protection is therefore expected not only by citizens but also by industry and even by governments.
CEN-CLC/JTC 13 ‘Cybersecurity and data protection’ is the CEN and CENELEC horizontal technical committee that addresses these challenges. Its primary objective is to transpose relevant international standards (especially those from ISO/IEC JTC 1/SC 27) into European Standards (ENs) in the Information Technology (IT) domain. It also develops ‘homegrown’ ENs where gaps exist, in support of EU regulations (RED, eIDAS, GDPR, NIS, etc.). These two streams of activity aim at creating a strategic portfolio of standards in Europe that fits European needs.
The work programme of CEN-CLC/JTC 13 is available here.
CLC/TC 65X ‘Industrial-process measurement, control and automation’ is the other main provider of cybersecurity-related standards, in the Operational Technology (OT) domain. It prepares standards for systems and elements used for industrial process measurement, control and automation. It has adopted the IEC 62443 series as the EN IEC 62443 series of standards for the Operational Technology (OT) found in industrial and critical infrastructures, including but not restricted to power utilities, water management systems, healthcare and transport systems.
The work programme of CLC/TC 65X is available here.
The Cybersecurity Act
Regulation (EU) 2019/881 (Cybersecurity Act) establishes a voluntary framework for EU-wide cybersecurity certification for ICT products, services and processes.
CEN-CLC/JTC 13 is in particular working on the development of an EN on ‘Cybersecurity evaluation methodology for ICT products’, intended for use at all three assurance levels defined in the Cybersecurity Act (basic, substantial and high). The methodology consists of different evaluation building blocks, including assessment activities that comply with the evaluation requirements of the Cybersecurity Act.
CEN-CLC/JTC 13 is also directly contributing to the development of the draft ETSI EN 303 645 ‘Cyber Security for Consumer Internet of Things’. The standard will bring together widely recognized good practice in security for Internet-connected consumer devices in a set of high-level, outcome-focused provisions.
General Data Protection Regulation
In support of the GDPR, CEN-CLC/JTC 13 is currently developing prEN 17529 ‘Data protection and privacy by design and by default’. The standard will provide developers of components and subsystems with an early, formalized process for identifying privacy objectives and requirements, as well as the necessary guidance on the associated assessments.
Market access regulations and horizontal cybersecurity standards
What is the relation between the Cybersecurity Act and the market access regulations that address cybersecurity-related essential requirements? Following a request from the CEN and CENELEC Technical Boards, CEN-CLC/JTC 13 is working on a pre-standardization activity that will assess how horizontal standards could support sectoral essential requirements.
CEN-CLC/JTC 13 organized a webinar in April 2020, calling for contributions from all the CEN and CENELEC technical committees involved in IT security.
The webinar is available here.
For more information contact Constant KOHLER.