Inside ETSI TC CYBER – Kim Nordström on turning CRA law into finished standards

When the EU Cyber Resilience Act takes full effect at the end of 2027, much of how the regulation works on the ground will come down to ETSI’s technical standards. Behind every harmonised standard sits a substantial body of work, coordinated by an organisation that brings together hundreds of experts from industry, government and academia.

We sat down with Kim Nordström, Technical Officer at ETSI and responsible for the technical committee TC CYBER, at CRA Day in Kista. He offers a rare glimpse into how legislation is built, step by step, into technical standards – and why Swedish companies have more to gain from getting involved in standardisation than many of them think.

Article in brief:

  • Kim Nordström, Technical Officer at ETSI, on TC CYBER’s work with the CRA
  • How harmonised standards can give manufacturers a presumption of conformity with the legislation
  • The difference between horizontal and vertical standards
  • Cybersecurity as a global effort – not just a European one
  • Machine-readable standards as the next step in standardisation work

The role of Technical Officer

Kim’s job is to support the members who actually write the standards. ETSI has close to 900 member organisations, and around 500 individuals are involved in cybersecurity work in one form or another.

– My role is to coordinate the members working on cybersecurity. Every working group has a set of work items, and each one has a rapporteur in charge.

Kim Nordström, Technical Officer at ETSI

TC CYBER has two dedicated working groups. QSC handles quantum-safe cryptography and the practical questions around implementing cryptographic solutions. The other, EUSR (EU Standardisation Requests), is tied directly to the mandate ETSI received from the European Commission to develop harmonised standards for the Cyber Resilience regulation.

Two ways to start a standardisation project

One thing that stands out about ETSI’s work is where the initiatives come from. Some standards are commissioned directly by the European Commission through what’s known as a standardisation request. Others bubble up from the membership.

– The initiatives come from our members. Anyone can put forward a proposal to work on a particular item or sub-area. You need four member organisations backing it, and then we’re off, Kim says.

That’s the same mechanism behind Ericsson’s initiative for EN 304 642, the vertical standard for security in network functions in telecoms that ITS has covered before. It gives industry a way to push standards forward where the need is there, even when the legislator hasn’t explicitly asked for them.

Read also: How EU law becomes technical reality

Horizontal and vertical standards under the CRA

Within the CRA work, ETSI draws a line between two kinds of standards. Horizontal standards are broad and product-agnostic and set out requirements that apply across the board, no matter the type of digital product. Vertical standards are product-specific and spell out how the requirements should be applied for a given category.

– Inside the CRA framework, ETSI works on the vertical standards. And we do this together with CEN and CENELEC, Kim says.

It’s a key distinction. The CRA’s horizontal standards are handled by other bodies, while ETSI TC CYBER concentrates on the product-specific side, the areas where its members’ technical expertise runs deepest.

“Presumption of conformity” – why cited standards carry such weight

When a harmonised standard is published in the EU’s Official Journal, it takes on legal force. As long as a manufacturer follows that standard, the product is presumed to meet the CRA’s requirements. That is the mechanism known as presumption of conformity.

It’s what ETSI is aiming for.

– We set the bar high. Once a standard is cited, it carries a different kind of weight, both for the industry applying it and for the authorities checking compliance, Kim says.

Strictly speaking, a harmonised standard is a tool, not an obligation. The law itself is mandatory, but a manufacturer can choose to meet the CRA’s requirements without following a harmonised standard – as long as they can prove that the requirements are met. In practice, that’s often a difficult road to take. Distributors, retailers and customers expect harmonised standards, since they’re the simplest and clearest way to show that a product is cleared for the EU market.

Following a harmonised standard doesn’t just take the burden of proof off the manufacturer’s shoulders – it also makes the work more predictable. Manufacturers know up front what’s expected and can put more of their time into building the product rather than interpreting the rules.

Cybersecurity is a global effort

ETSI is a European standardisation organisation, but cybersecurity, by its nature, doesn’t respect borders. That shapes how the work gets done.

– ETSI has a dual role. On one side, we’re a European standardisation organisation. On the other, we’re also an international one, working globally on cybersecurity. It’s a global challenge, and it has to be tackled every single day, Kim says.

– The threats to our connected products hit everyone at once. A vulnerability discovered in one place spreads in no time. There’s no part of the world that isn’t touched by it. That’s why we have to think globally.

ETSI TC CYBER brings together members from across the world. The collaboration also reaches the EU’s cybersecurity agency, ENISA, where Kim himself represents ETSI, and other international organisations.

Innovation and compliance – not at odds

A familiar worry when new regulation arrives is that it slows innovation down. Kim doesn’t see it that way.

– Quite the opposite. Harmonised standards make compliance easier, especially the product-specific ones. Manufacturers don’t need to spend their time picking the legislation apart; they can focus on what they actually want to do, which is build the product, Kim says.

He also points to something that’s easy to miss: standards aren’t only compliance tools, they’re also what makes products able to work together in the first place.

Standards open the door to innovation through interoperability, too. When the interfaces are shared, products from different makers can work side by side. A smaller player can build a particular piece without having to put together the whole system around it, knowing it will slot into an existing ecosystem – and reach a wider market in the process.

Next up: machine-readable standards

Asked whether ETSI’s way of working needs to change going forward, Kim points to one area with clear room for improvement: the form the standards take as documents.

– The standards we produce today are almost all text documents, while product development keeps moving faster and faster. We’re going to need to automate the work we do inside ETSI in a more deliberate way.

The point is to produce standards that aren’t just written for people, but can also be read and parsed by machines – and used to automate both regulatory compliance and interoperability.

AI is seen as part of the answer, but not the whole answer.

– Artificial intelligence can absolutely help raise the quality of what we do. But the actual judgement calls, like what to standardise, how the requirements should be read, and what’s reasonable for industry, still need human knowledge, Kim says.

Advice to Swedish companies for the next 12 months

With December 2027 in view, there’s still time to get ready. Kim breaks it down into four steps:

Step 1 – Take stock. Work out which of your products fall under the CRA. The European Commission and ENISA both publish guidance that can help with the scoping.

Step 2 – Assess the risk. Carry out a risk assessment for the products that are in scope. It’s ongoing work, not a one-off.

Step 3 – Meet the legal requirements. Make sure the mandatory requirements are covered. Harmonised standards can be the easiest route – which one applies depends on the product category.

Step 4 – Get involved in the standardisation work. Help shape what goes into the standards, so they end up fit for purpose. Standards written without input from industry tend to end up out of touch with the real world.

Engagement makes the difference

Kim Nordström’s view from inside the Technical Officer role paints a picture of standardisation that the outside world rarely sees: work that runs on consensus, patience and broad participation – but where every member has a real chance to shape the outcome. Standardisation isn’t just the administrative scaffolding around the legislation. It’s where the law takes its technical shape.

Want to help shape the future of cybersecurity?

Find out more about ITS’s working group Cybersecurity (WG CSys) and how to get involved.

You can also get in touch about a company visit by our CEO, Bettina Funk (page is in Swedish).
