
A risk-based approach to sectoral cybersecurity with EVS-EN 18037

25.04.2025

In an increasingly digital world, ensuring consistent and robust cybersecurity across complex, multi-stakeholder systems is more critical than ever.

The new European Standard EVS-EN 18037:2025, ‘Guidelines on a sectoral cybersecurity assessment’, responds to this need by specifying an approach for the risk-based identification of cybersecurity, certification, and assurance requirements for ICT products, processes, and services within complex, multi-stakeholder sectoral systems.

The sectoral cybersecurity assessment process encompasses all necessary steps to specify, implement, and maintain such requirements. Sectoral ICT systems are prevalent in application domains such as mobile networks, digital identity, e-health, public transport, and payment systems.

These systems typically involve numerous stakeholder organisations operating in defined roles to deliver sector-specific services. Some roles, such as those of Mobile Network Operators or Public Transport Service Providers, may involve competitive dynamics among stakeholders.

Cybersecurity and assurance are critical both from the customer’s perspective and for fostering trust among sectoral stakeholders. A clear and consistent definition of cybersecurity and assurance requirements – tailored to specific stakeholder roles – is essential, as security deficiencies by one actor can pose risks to the business objectives of others within the ecosystem.

Importance of the standard and relevant changes

Sectoral services are playing an increasingly vital role in everyday life. However, until now, no standard has offered a holistic and consistent approach to managing cybersecurity across such services and their supporting systems.

EN 18037 addresses this need by introducing a sectoral cybersecurity assessment methodology that supports standardised risk assessments and harmonised risk ratings across multiple stakeholder organisations.

It also facilitates the identification of security and assurance level requirements for ICT products, processes, and services according to their intended role within a given sectoral system.

Benefits for industry and society

Initially developed to support the preparation of cybersecurity certification schemes under the EU Cybersecurity Act, the EVS-EN 18037 sectoral methodology has demonstrated wider applicability, offering tangible benefits to sectoral stakeholders, service users, and suppliers of ICT products.

It supports manufacturers with precise and sector-specific security requirements for their products’ intended use.

In particular, product manufacturers aiming to comply with obligations under the EU Cyber Resilience Act stand to gain significant benefits from using the EVS-EN 18037 methodology.