A sectoral cybersecurity approach based on risk analysis - introduction of the EN 18037:2025 standard
17.04.2025
In an increasingly digital world, ensuring consistent and robust cybersecurity in complex, multi-stakeholder systems is more important than ever.
The new European standard EN 18037:2025, “Guidelines on a Sectoral Cybersecurity Assessment”, developed by Technical Committee JTC 13 “Cybersecurity and Data Protection”, addresses this need by defining an approach for identifying cybersecurity requirements, for certification, and for establishing justified trust in ICT products, processes, and services within complex sectoral systems involving multiple stakeholders.
The sectoral cybersecurity assessment process includes all necessary steps to define, implement, and maintain such requirements. Sectoral ICT systems are common in application areas such as mobile networks, digital identity, e-health, public transport, and payment systems. These systems typically involve numerous stakeholder organizations operating in specific roles to deliver sector-specific services. Some roles – such as mobile network operators or public transport service providers – may involve competition among stakeholders.
Cybersecurity and the justification of trust are crucial not only from the customer’s perspective but also for building confidence among sector stakeholders. Clearly and consistently defining cybersecurity requirements – tailored to the specific roles of stakeholders – is essential, as weaknesses in the security of one entity may pose a risk to the business goals of other entities functioning within the ecosystem.
Author: Elżbieta Andrukiewicz, editor of the EN 18037:2025 standard