New European cybersecurity standard sets framework for sectoral risk assessments
A new European standard, EN 18037:2025, provides a unified framework for assessing and managing cybersecurity risks in complex, multi-stakeholder ICT systems across key sectors like e-health, transport, and digital identity.

A new European standard, EN 18037:2025, has been introduced to streamline cybersecurity risk assessments across complex, multi-stakeholder ICT systems. Developed by the Joint Technical Committee JTC 13 on ‘Cybersecurity and Data Protection’, the standard offers much-needed guidance for identifying and managing sector-specific cybersecurity and assurance requirements.
EN 18037 addresses a long-standing gap in cybersecurity governance by providing a structured methodology for risk-based evaluations of ICT products, processes, and services in sectors such as mobile networks, digital identity, public transportation, e-health, and payment systems. These sectors typically involve multiple stakeholders, whose roles and responsibilities must be considered to ensure collective security.
The framework supports business process contextualisation, system and asset mapping, cyber threat intelligence (CTI), and structured risk assessments. It introduces a consistent set of reference levels to define internal risks, assurance needs, and attack potentials. Notably, the methodology aligns with existing ISO standards, allowing for seamless integration into certification schemes.
Originally intended to support EU Cybersecurity Act certification efforts, the standard has found broader relevance. It enables risk-based decision-making, improves cross-scheme consistency, and allows manufacturers, especially those addressing EU Cyber Resilience Act requirements, to design products with precise, sector-specific security profiles.
As certification schemes begin to adopt EN 18037, its practical impact is expected to grow, promoting harmonised security practices across Europe’s digital landscape.