Interview with Constant Kohler, cybersecurity standards development expert

‍Constant, can you briefly explain your role at Siemens and how you are involved in standards development?

Constant Kohler: Of course! I work in Brussels, and my role at Siemens is mainly focused on standards development and regulation, especially in cybersecurity (both at the European and international level). Before joining Siemens, I worked for five years at the management center of CEN and CENELEC, the European standardization committees. There I discovered the world of standards and the related processes and content. This allowed me to gain knowledge in different areas, such as cybersecurity, artificial intelligence and blockchain, or the vast field of electrical engineering. I am now responsible for standards development, particularly for the Cyber Resilience Act (CRA) and the Digital Product Passport (DPP). In this capacity, I participate in the work of committees at the European level (CEN, CENELEC) and also at the international level (ISO, IEC).

Why is it so important for an Organisation like Siemens to participate in standards development?

Constant Kohler: For Siemens, standards development is essential because it creates a level playing field for the different players in a given sector. Standards provide clarity and consistency, especially when developed to support European regulations; this is crucial to facilitate compliance processes. Indeed, it is important to develop standards that comply with legislation and also represent the specific needs of a sector. This is especially relevant in rapidly evolving sectors such as cybersecurity, where we must constantly adapt to new legislation and technological developments. It is therefore essential to ensure that standards are adapted to our needs (for our products and systems) while ensuring the most appropriate level of security - not only for our products and systems, but ultimately for the entire ecosystem.

You said that developing a standard can take several years. Can you tell us more about this process?

Constant Kohler: Yes, the development of a standard generally takes two to three years. It all starts at the national level, where organizations such as the NBN appoint experts to participate in the activities of European or international technical committees (TCs). These TCs bring together a range of experts, including industry representatives, SMEs, legislators, academics, civil society representatives, etc. The Working Groups (WGs), which operate under the authority of the TCs, are also very diverse and consist of experts from a wide range of backgrounds. The goal of the working groups is to work on a consensus basis, meaning that there is no voting within a working group, but the goal is always to ensure that all members reasonably agree on the standards and technical specifications being developed.

The pace of working groups is generally very fast, with sometimes several meetings per month, especially when these working groups develop standards in support of European regulations. One of the biggest challenges is combining different areas of expertise (e.g., technical, legal, procedural), especially in areas such as cybersecurity, where threats are constantly changing and a wide range of skills is needed to ensure that standards meet European Commission requirements. In addition, working groups must meet increasingly tight deadlines set by the European Commission (e.g., for the CRA or the DPP). A standard that used to take three years to develop must increasingly be completed in less than a year and a half or two years.

What are the main benefits for an Organisation like Siemens to actively participate in standards development?

Constant Kohler: There are many advantages. First, it gives us an early view of future standards, which helps us proactively adapt our products and processes. Second, it gives us the opportunity to participate directly in the development of standards, which can be a strategic advantage. Standards define the legal requirements that products must meet. Companies that actively participate in the standards development process have the opportunity to shape these requirements from a technical perspective, which can give them a distinct advantage in the marketplace.

What is Europe's role in cybersecurity standards? Are we leading the way or following international trends?

Constant Kohler: The European Union is indeed at the forefront of cybersecurity legislation. This is evidenced by initiatives such as the Cyber Resilience Act and the NIS2 Directive, which require companies to adopt more stringent security measures for their IT products and systems. What may set Europe apart is the risk-based approach. This means that companies must implement measures tailored to the specific risks they face, rather than a standard solution. This gives companies a degree of flexibility to choose the best approach and technical solutions for their specific situation and the risks inherent in their functionality or operating environment. This approach makes it possible to secure products or information systems in the most appropriate way.

Internationally, other regions such as the United States, China and India are also developing their own legislation. Some regions take inspiration from the European Union, as was the case with the RGPD. This makes the issue of harmonizing regulations particularly important for companies such as Siemens, which operate globally. In this respect, European or international standards help to harmonize regulations. This is also why Siemens is involved in standards development.‍

What is your role in the development of specific standards? Can you give us a concrete example?

Constant Kohler: A recent project I contributed to was the development of the EN 18031 standards series, which defines cyber security requirements for radio equipment. This standard was developed in response to the European Radio Equipment Directive (RED). The interesting thing about this standard is that it applies to a wide range of products, from connected toothbrushes to industrial automation systems. Besides the technical contributions, I was mainly involved in reviewing the standards against the requirements of the European Commission, i.e. analyzing the technical content from a legal perspective. This included checking the technical content, but also preparing reports explaining the approach of the standard, its applicability and how it meets the requirements of the European Commission. ‍

What is your personal experience working in these international working groups?

Constant Kohler: The collaboration in these working groups is very intense, but also very rewarding. We work with people from different countries, sectors and disciplines, which creates a very diverse working environment. This can sometimes be challenging, especially when the participants have different backgrounds and do not necessarily speak the same language. For example, engineers and lawyers can approach problems from very different perspectives and it can be difficult to find a common language. But that's also what makes this job so rewarding. It is always about finding compromises and building bridges between different perspectives, which makes for a rich exchange of ideas.

What I particularly appreciate is that all the experts in these working groups have a common goal: to develop standards that are widely applicable and that help raise the level of safety in Europe and around the world. The atmosphere is generally very collegial and constructive, even when there are disagreements.

Are there challenges to participating on these committees?

Constant Kohler: Absolutely, there are many challenges. One of the biggest is the pace of work, which has increased significantly. As I said, the deadlines for developing standards are getting shorter and shorter, and that means more and more meetings. Where we used to have maybe one plenary meeting a year, the working groups now meet several times a month. This can make it difficult to manage these commitments in addition to my other responsibilities.

Moreover, standards development requires increasingly specialized knowledge. Technical expertise is no longer enough; legal and even geopolitical aspects must also be taken into account! Moreover, in addition to "hard skills," especially "soft skills" are important and valued (being able to articulate ideas clearly, "sell" them, convince experts, etc.) This requires a wide range of skills and a good understanding of the context in which these standards are developed.

What do you find most satisfying about working in these working groups?

Constant Kohler: For me, it's a very rewarding experience. It's not only an intellectual challenge, but also a unique opportunity to work with incredible experts from all over the world. You're constantly learning new things. The network you build by participating in these committees is invaluable. You learn from others, but you can also share your own expertise and influence the future of the industry.

Moreover, it is very satisfying to know that the work we do has a direct impact on the safety and reliability of products used around the world. Standards not only help companies comply with the law, they also ensure that consumers can have confidence in the products they buy.

Looking back on your career in standards development so far, what is one of your greatest accomplishments?

Constant Kohler: One of the projects I am most proud of is my contribution to the EN 18031 standard. It was a very complex project, both technically and logistically because of the tight deadlines (18 months). But it was also very satisfying to see all the experts working together to get the standard finished on time.

What made this project special for me was my role in bridging the gap between the technical experts and the legal requirements of the European Commission. My job was to ensure that the standard was not only technically sound, but also complied with current legislation. It was challenging, but also a very rewarding experience.