Making regulatory sandboxes work for cyber resilience in digital products: a proof-of-concept for IoT cybersecurity assurance
De Rosa G.;Drago S.;Seferi F.;Spatari N.
2025
Abstract
Regulatory sandboxes have become a vital tool in the European Union for fostering innovation while ensuring regulatory compliance. Although widely adopted across various sectors, there remains a lack of operational procedures specifically tailored to define and test cybersecurity requirements in such protected environments, for example for Internet of Things (IoT) products, which are increasingly critical yet vulnerable. This paper addresses this gap by proposing a multi-stage framework to define and develop sandbox testing requirements aligned with the Cyber Resilience Act (CRA). Our approach incorporates different levels of granularity to map cybersecurity requirements, ensuring adaptability to different product types and organizational contexts. We validate the framework through a Proof-of-Concept on IoT devices, highlighting challenges such as misaligned standards and correlations between CRA provisions and the Italian National Cybersecurity Perimeter Law. The proposed framework aims to streamline regulator-organization interactions and enhance legal certainty in cyber resilience testing within regulatory sandboxes.

| File | Description | Type | License | Size | Format |
|---|---|---|---|---|---|
| Making_Regulatory_Sandboxes_Work_for_Cyber_Resilience_in_Digital_Products_A_Proof-of-Concept_for_IoT_Cybersecurity_Assurance.pdf | Making Regulatory Sandboxes Work for Cyber Resilience in Digital Products: A Proof-of-Concept for IoT Cybersecurity Assurance | Publisher's version (PDF) | Publisher's copyright | 484.64 kB | Adobe PDF |

