scope:

The present document examines the background to the assessment of cybersecurity risks and identifies issues that may arise in the context of placing ICT products and services in the EU Single Market under the applicable legal requirements. Issues relevant to that scope are explored and options identified for possibly consideration in ETSI working practices to addresses these issues.

Under the New Legislative Framework (NLF) that governs the placement of products and services in the EU Single Market, harmonised standards provide a path of minimal economic friction for the agile introduction of technological innovations across EU Member States. In turn, risk assessment plays a pivotal role in the development of harmonised standards that, whilst supporting conformance to the applicable legal requirements, are also economically efficient.

The importance of harmonised standards to the smooth and efficient design and development of products and services to be placed on the EU Single Market has been recognized by the European Commission and the European Standardization Organizations.

Because the assessment of cyber risks is a fundamentally combinatorial exercise, the complexity and time it takes for a European Standardization Organization to identify and analyse the risk that should be considered in the harmonised standards increases exponentially with the scope that the respective legislation covers and the portfolio of ICT products and services it applies to. In simple terms, the greater the range of products and services within the scope of a particular legislation, the larger the set of possible use cases to consider will be, and thus the larger the workload of the risk assessment.

The present document presents the framework that underpins the placement of products in the EU Single Market in regard to risk assessment matters. It highlights of the salient features that, in accordance to common knowledge in the domain, good risk assessment approaches demonstrate. It also outlines the most common standards that underpin the application of risk assessment in an international context. In addition, it presents key characteristics of good approaches to the assessment of risks. Finally, it scopes the space of solutions that includes risk assessment approaches fit to inform the development and the application of harmonised standards in support of market placement.

The concepts and the approach put forth in the present document are applicable to products, as defined in [i.14], that are or can be described through properties that take distinct values.

The present document does not address the estimation of probability distributions that characterize the occurrence of events that contribute to particular risks. More specifically, it assumes that a stable body of knowledge in support of such estimates exists and builds on such estimates, if any, that apply in a given risk assessment scenario. A solution that, for illustration purposes, is shown in Annex A of the present document, assumes that errors in the estimation of numerical boundaries of risk classes follow a normal distribution. However, this assumption serves exclusively illustration purposes and does not restrict the application of the solution under the assumption of a different distribution.

Finally, in regard to the ICT industry's recent focus on zero trust [i.41] and vulnerability disclosure: zero trust is beyond the scope of risk assessment, as according to ISO 31000:2018 [i.2], enforcement actions are part of risk treatment, which, while informed by the outcomes of risk assessment, is beyond the scope of risk assessment. Likewise, vulnerability disclosure, whose ecosystem is presented in ETSI TR 104 003 [i.42], while informed by the outcomes of risk assessment, is beyond the scope of the risk assessment process itself.