A Risk-Based Approach to Sectoral Cybersecurity: Introducing EN 18037:2025

In an increasingly digital world, ensuring consistent and robust cybersecurity across complex, multi-stakeholder systems is more critical than ever. The new European Standard EN 18037:2025 ‘Guidelines on a sectoral cybersecurity assessment’, developed by JTC 13 ‘Cybersecurity and Data Protection’, fills a gap in the standards landscape by specifying an approach for the risk-based identification of cybersecurity, certification, and assurance requirements for ICT products, processes, and services within complex, multi-stakeholder sectoral systems.

The sectoral cybersecurity assessment process encompasses all necessary steps to specify, implement, and maintain such requirements. Sectoral ICT systems are prevalent in application domains such as mobile networks, digital identity, e-health, public transportation, and payment systems. These systems typically involve numerous stakeholder organizations operating in defined roles to deliver sector-specific services. Some roles – such as those of Mobile Network Operators or Public Transport Service Providers – may involve competitive dynamics among stakeholders.


Cybersecurity and assurance are critical not only from the customer’s perspective but also for fostering trust among sectoral stakeholders. A clear and consistent definition of cybersecurity and assurance requirements – tailored to specific stakeholder roles – is essential, as security deficiencies by one actor can pose risks to the business objectives of others within the ecosystem.

Importance of the standard and relevant changes

Sectoral services are playing an increasingly vital role in everyday life. However, up to now, there has been no standard that offers a holistic and consistent approach to managing cybersecurity across such services and their supporting systems.


EN 18037 addresses this need by introducing a sectoral cybersecurity assessment methodology that supports standardized risk assessments and harmonized risk ratings across multiple stakeholder organizations. It also facilitates the identification of security and assurance level requirements for ICT products, processes, and services according to their intended role within a given sectoral system. Key methodological features include:

  • Business Process Contextualization: The assessment begins with an analysis of the business processes supported by the sectoral ICT system, alongside the corresponding business objectives of each stakeholder. It identifies primary and supporting assets critical to secure implementation.
  • Asset and System Mapping: ICT systems, products, and processes under stakeholder control that are relevant to securing primary assets are mapped. A deep dive into the sectoral system architecture provides detailed insight into their intended use.
  • Cyber Threat Intelligence (CTI): CTI is used to gather insights into relevant attacker types, their motivations, and capabilities. This allows for prioritization of risk scenarios most deserving of further analysis, optimizing the use of analytical resources and supporting assignment of tailored cybersecurity and assurance requirements.
  • Risk Assessment: Risks are assessed based on the impact of cybersecurity incidents on business objectives and the likelihood of such incidents occurring. Likelihood is derived from attacker motivation and capability as determined through CTI.
  • Reference Levels: The methodology introduces a system of reference levels for internal risk, security, assurance, and attack potential. When used collectively, these support consistency in defining cybersecurity risk. Risk data derived from an ISO/IEC 27005-compliant approach can be transferred to the ISO/IEC 15408 series framework for specifying assurance requirements. Together, these standards enable robust risk-based definitions of cybersecurity and assurance needs.
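To make the flow described in the list above concrete, here is an added illustration in Python. It is not code from EN 18037, JTC 13 or any certification scheme: the 1..4 scales, the rule for deriving likelihood from attacker motivation and capability, the score thresholds and the level names (“basic”, “substantial”, “high”) are all assumptions chosen for the example, and the scenarios are constructed sample data. What it shows is the chain the standard describes: primary asset and business objective, CTI-derived likelihood, an impact-times-likelihood risk rating, prioritization of the scenarios most worth deeper analysis, and a mapping of the rating to a reference level from which security and assurance requirements can be assigned.

```python
"""Toy sectoral risk-rating model (added example; scales and levels are assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One risk scenario against a primary asset that supports a business objective."""
    name: str
    primary_asset: str
    business_objective: str
    impact: int       # assumed 1..4: effect of an incident on the business objective
    motivation: int   # assumed 1..4, from CTI: how motivated the relevant attacker type is
    capability: int   # assumed 1..4, from CTI: attacker skill and resources

    def __post_init__(self) -> None:
        for field in ("impact", "motivation", "capability"):
            if not 1 <= getattr(self, field) <= 4:
                raise ValueError(f"{field} must be in 1..4")


def likelihood(motivation: int, capability: int) -> int:
    """Assumed rule: likelihood is the mean of motivation and capability, rounded half up."""
    return (motivation + capability + 1) // 2


def risk_score(scenario: RiskScenario) -> int:
    """Assumed rating: impact on the business objective times CTI-derived likelihood (1..16)."""
    return scenario.impact * likelihood(scenario.motivation, scenario.capability)


# Assumed mapping from risk score to a reference security level; thresholds are inclusive.
SECURITY_LEVELS = ((4, "basic"), (8, "substantial"), (16, "high"))


def security_level(score: int) -> str:
    """Map a risk score to the assumed reference level that will drive requirement selection."""
    for threshold, level in SECURITY_LEVELS:
        if score <= threshold:
            return level
    return SECURITY_LEVELS[-1][1]


def prioritize(scenarios, budget: int):
    """Return the `budget` highest-rated scenarios, the ones that deserve deeper analysis."""
    return sorted(scenarios, key=risk_score, reverse=True)[:budget]


def assessment_table(scenarios):
    """Produce (name, score, level) rows, i.e. the hand-off to requirement specification."""
    return [(s.name, risk_score(s), security_level(risk_score(s))) for s in scenarios]


# Constructed sample scenarios (hypothetical, for illustration only).
SAMPLE_SCENARIOS = [
    RiskScenario("subscriber key compromise", "subscriber credentials",
                 "confidential mobile service", impact=4, motivation=4, capability=3),
    RiskScenario("ticket validator tampering", "fare validation logic",
                 "correct fare collection", impact=2, motivation=3, capability=2),
    RiskScenario("public timetable defacement", "timetable web content",
                 "passenger information", impact=1, motivation=2, capability=1),
    RiskScenario("back-office report corruption", "monthly usage reports",
                 "management reporting", impact=3, motivation=1, capability=1),
]

if __name__ == "__main__":
    for name, score, level in assessment_table(SAMPLE_SCENARIOS):
        print(f"{name:32} score={score:2} level={level}")
    print("prioritized:", [s.name for s in prioritize(SAMPLE_SCENARIOS, 2)])
```

The point of keeping likelihood and impact as separate, CTI-informed inputs is that two stakeholders can reach the same rating for the same scenario and argue about the inputs rather than the verdict; in a real assessment the scales, thresholds and level names would come from the scheme built on the standard, not from this script.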

Benefits for industry and society

Initially developed to support the preparation of cybersecurity certification schemes under the EU Cybersecurity Act, the EN 18037 sectoral methodology has demonstrated wider applicability, offering tangible benefits to sectoral stakeholders, service users, and suppliers of ICT products:

  • Risk-Based Decision Making: The methodology enables the identification of risks linked to the intended use of ICT systems, services, and processes at all levels of sectoral ICT architectures. Stakeholder organizations can better align their risk tolerance with the investments required for mitigation, fostering a transparent and collaborative security posture. This is likely to enhance market acceptance of both the requirements and the resulting certification schemes.
  • Cross-Scheme Consistency: By harmonizing the implementation of security and assurance levels, EN 18037 enables the reuse of certifications across different schemes. This promotes operational efficiency for product and service providers and builds trust with customers. At the same time, its flexible framework supports the integration of emerging certification schemes tailored to specific market needs.
  • Unified Security Controls: A common concept for security levels simplifies the development of reusable security controls across certification schemes, enabling scalable and interoperable approaches to assurance.

Practical applications of the standard

As originally intended, the sectoral cybersecurity assessment methodology outlined in EN 18037 provides a complete foundation for the development of CSA-conformant certification schemes. Early practical applications can already be observed in the development of national and European certification schemes based on EN 17640 ‘Fixed-time cybersecurity evaluation methodology for ICT products’, as referenced in the Union Rolling Work Programme.


An unexpected but promising application area has recently emerged: supporting manufacturers with precise and sector-specific security requirements for their products’ intended use. In particular, product manufacturers aiming to comply with obligations under the EU Cyber Resilience Act stand to gain significant benefits from using the EN 18037 methodology.


This article was written with the collaboration of Elzbieta Andrukiewicz and Cord Bartels.
