Expert voices from the field: how to close the cybersecurity standardisation gap

Standards

Author: Developed by the EU-funded project StandICT.eu 2026 in collaboration with the EU-funded projects CYBERSTAND.eu, INSTAR, HSbooster.eu, and NERO.

Executive summary

The report "Expert voices from the field: How to close the cybersecurity standardisation gap" examines why cybersecurity standardisation skills remain limited in Europe and how this gap can be addressed. It is based on contributions from 38 experts involved in StandICT.eu, CYBERSTAND.eu, HSbooster.eu, INSTAR and NERO. The report was published on 6 October 2025.

The report finds that the skills gap is not only technical. It is also institutional, educational and procedural. Standards are often undervalued, difficult to access, and poorly integrated into career pathways. Many early-career professionals are not exposed to standardisation work during education or training.

A central message is that cybersecurity standards need to be treated as practical tools, not abstract documents. The report argues that professionals should learn by applying standards in real projects, labs, compliance exercises and standards development activities. It also stresses the importance of mentorship, community participation and cross-sector learning.

The report identifies several barriers. These include the cost of accessing key standards, the complexity of EU and international regulatory frameworks, limited awareness among SMEs and young professionals, and the time and travel costs associated with standardisation meetings. It also notes that standards development can appear slow, closed and difficult to enter.

The experts call for stronger links between education, regulation and practice. They recommend adding cybersecurity standards to university curricula, vocational training and lifelong learning programmes. They also recommend creating scholarships, mentoring schemes and practical training opportunities for early-career professionals.

The report highlights five missing or emerging skill areas. These include AI and generative AI security, post-quantum cryptography, compliance-as-code and automation, software supply chain security, and interoperable cybersecurity for connected systems such as IoT, smart cities and industrial control systems. It also points to the need for skills in data governance, incident reporting, communication and policy interpretation.

The report’s recommendations focus on five main actions. Essential cybersecurity standards should be made free or low-cost. Participation and training should be funded for early-career professionals. Standardisation should be integrated into education and skills frameworks. EU cybersecurity rules should be simplified and better harmonised. Hands-on testbeds and compliance sandboxes should be created to help organisations apply standards in realistic settings.

The report argues that closing the cybersecurity standardisation gap requires coordinated action by policymakers, standards organisations, universities, industry and civil society. The aim is to build a wider pool of professionals who can understand, use and contribute to cybersecurity standards.
