Abstract

Cybersecurity resilience, as a concept and as an EU policy approach, encompasses in broad terms the preparedness of organisations against cyber-attacks and their ability to recover from them. Policy and law makers in the European Union have started endorsing strategies that move towards both reactive measures mitigating the consequences of cybersecurity incidents and proactive measures geared towards prevention. Recently, a political agreement was reached on a new horizontal Regulation addressing the cyber resilience of products with digital elements. An essential aspect of the Cyber Resilience Act is technical standardisation in support of its goals. How appropriate, however, is the European Standardisation system for such a role in EU cybersecurity law? The paper argues that for European standards to be conceptualised as a building block of cyber resilience in the European Union, their development process must be inclusive and open, and a prerequisite for that is that the European Standardisation Organisations (ESOs) jointly work towards the common goal of developing and adopting European standards in support of EU cyber resilience policy and law. This collaborative approach is mandated not only by the nature of cyber resilience and cybersecurity as regulated fields, but also by the changing nature of standardisation, which aspires to contribute to areas pertaining to societal interests and fundamental rights.
