Terms of Reference for ETSI TC Cyber Working Group for EUSR (CYBER-EUSR)
Approved at CYBER#29 Sept - 2024
Scope:
The TC CYBER SR Working Group is responsible for producing EU Standardization Request deliverables where TC CYBER has been deemed the lead ETSI TB for a given SReq by ETSI and that TC CYBER wishes to delegate the work to the Working Group. The Working Group may also work on other SReq(s) as delegated by TC CYBER where TC CYBER is not the lead TB but other TB(s) request the Working Group to handle all or some of the work.
The Working Group shall be known as “CYBER-EUSR”.
As a minimum CYBER-EUSR is expected to cover work relating to the EU Cyber Resilience Act (CRA) and is the specific reason for the creation of this Working Group but may cover other SReqs in future as deemed appropriate by TC CYBER.
TC CYBER is responsible for maintenance of the scope, creation, modification and closure of the CYBER-EUSR WG.
TC CYBER is responsible for allocating Standardization Requests to CYBER-EUSR that have been accepted by ETSI and where TC CYBER has been designated as the lead ETSI TB. TC CYBER is responsible for oversight of progress of the SReq(s) work programand final deliverables being proposed for publication and SRdAP approvals.
The present Terms of Reference set out both the local working procedures specific to CYBER-EUSR and how TC CYBER shall interact and govern CYBER-EUSR.
Leadership and group membership:
The selection of the Chair of CYBER-EUSR will be subject to standard ETSI WG procedural rules, with the caveat that a strong preference should be given to EU member state or ETSI member organizations established in the EU. Non-EU member candidates can stand but are strongly encouraged to defer to EU candidates unless no suitable EU candidates are available. Similarly, candidates holding TC CYBER, or other leadership positions in ETSI vertical approval structures should be avoided unless no other suitable candidates not already holding such positions are nominated for election.
Elections and selection of the Chair will be carried out at TC CYBER level.
CYBER-EUSR may elect up to two Vice Chairs (VC). Vice Chair elections shall be carried out within the WG, except for initial creation of the CYBER-EUSR where the VCs shall be elected by TC CYBER at the same time as the Chair elections.
The Chair / VC term, duration and limitation criteria shall be the same as for TC CYBER except as otherwise detailed in this ToR.
Ideally CYBER-EUSR leadership should contain representatives from both commercial industry and EU member state entities. SME interests should be represented within the leadership team and it is recommended that one of the Chair / VC(s) positions be from an SME member.
Work Items:
CYBER-EUSR is responsible for creating one or more applicable work item(s) to cover the scope deliverables for the SReq(s) or other work for which CYBER-EUSR has been tasked by TC CYBER.
Work items shall be agreed according to ETSI Technical Working Procedures (TWP) clause 1.6.3.2. CYBER-EUSR shall be responsible for developing the work items. Once work items are agreed by CYBER-EUSR they will be sent via TC CYBER for adoption by the National Standards Bodies (NSBs).
While TC CYBER shall not be required to formally approve CYBER-EUSR work items, all CYBER-EUSR work items shall be provided to TC CYBER plenary or interim calls for comment and peer review. CYBER-EUSR is responsible for ensuring that any comments from TC CYBER have been addressed prior to any request for NSB adoption.
In the event that consensus cannot be achieved at CYBER-EUSR level, the CYBER-EUSR Chair may request TC CYBER to review the work item and approve at TC CYBER level. In this scenario the work item remains a CYBER-EUSR level work item.
Where suitable experts are available to lead work, selection of work item rapporteurs from EU ETSI members is encouraged. However CYBER-EUSR should avoid selecting the same rapporteur(s) for multiple work items to ensure diversity of leadership across all work items and deliverables.
After NSBG adoption of the work items, CYBER-EUSR shall ensure that work item status is kept up to date on the portal so that work items can be viewed by non-ETSI members. CYBER-EUSR shall release all significant updates to draft specifications within the public drafts area on the portal so that they are freely publicly available. Public released drafts shall contain a contact email address on the cover page disclaimer so that non ETSI members can make comments. The CYBER-EUSR chair shall be responsible for ensuring that such comments are reviewed by the CYBER-EUSR and rapporteur(s) requested to ensure that appropriate changes are made where the group agrees with any such comments.
The CYBER-EUSR Chair is responsible for working with TC CYBER Chair and ETSI Secretariat to make sure reasonable efforts are made to publicly highlight drafts produced at significant milestones.
Meetings and Portal:
CYBER-EUSR shall maintain a dedicated WG ETSI portal entry and email reflector equivalent to that of CYBER-QSC. ETSI members are responsible for joining the email reflector and will not automatically be added based on TC CYBER membership.
CYBER-EUSR shall maintain a dedicated schedule of meetings. The CYBER-EUSR Chair is responsible for planning a meeting schedule which reflects the level of work at a given point in time.
By default, the group should avoid meeting more than once every two weeks to allow members time for review and comment on a given set of work items or documents.
CYBER-EUSR may opt to run multiple work streams with separate meeting schedules subject to the principle of allowing members adequate time between work stream meetings to review and comment on documents.
Except where meetings are specifically designated informal rapporteur drafting sessions, all meetings shall be chaired by the CYBER-EUSR Chair or VC(s). ETSI IPR and Anti-trust notices shall be included as part of the agenda for all meetings.
For transparency reasons, minutes or notes must be taken for all meetings (including rapporteur sessions) and these must be made available on the CYBER-EUSR meeting doc folders after the meeting. Formal approval of CYBER-EUSR is not required but group members must be given the opportunity review and amend the minutes / notes as necessary.
CYBER-EUSR shall meet co-located in the same week as TC CYBER plenary meetings and shall where required hold joint sessions with TC CYBER to update TC CYBER on progress or resolve issues as required.
CYBER-EUSR meetings shall be scheduled such that they avoid clashes with TC CYBER interim meetings or other ETSI TBs where significant numbers of other TB members wish to take part.
CYBER-EUSR shall maintain a logical meeting number / labelling approach such that document and meeting outcomes can be tracked equivalent to approach used for TC CYBER (e.g. #38, #38a etc).
CYBER-EUSR may schedule additional face to face meetings as deemed necessary (i.e. beyond those co-located with TC CYBER) but should make use of online meetings were possible.
Reporting, IPR and Anti-Trust:
The Chair is responsible for ensuring that adequate meeting notes / reports are produced for all CYBER-EUSR meetings (including rapporteur or other ad-hoc meetings).
The Chair is responsible for ensuring that all ETSI IPR and Anti-Trust rules and procedures are followed.
The Chair is responsible for ensuring that reports of progress are provided to all TC CYBER plenary meetings and on a periodic basis (which may be verbally) to TC CYBER interim calls. In addition the CYBER-EUSR Chair is responsible for providing the TC CYBER leadership team with any material necessary for OCG or BOARD reporting.
Consensus and approval of documents:
The working group shall work on the basis of ETSI consensus procedures. However the CYBER-EUSR does not have authority to approve final documents for publication or other approval routes (e.g. SRdAP).
CYBER-EUSR shall reach consensus on all final drafts at WG level. Once consensus is achieved, CYBER-EUSR shall provide the final drafts to TC CYBER for approval for submission to SRdAP. CYBER-EUSR should provide stable and final drafts to TC CYBER for any comments during their development to ensure work remains focused in CYBER-EUSR and that minimal comments are generated at TC CYBER level at final approval stage.
TC CYBER shall have the right to raise comments, approve or reject approval for submission to SRdAP. However TC CYBER shall normally have no right to modify the documents at TC CYBER level. In the case TC CYBER raises comments or rejects approval for submission of final drafts to SRdAP, they shall be returned to CYBER-EUSR for further discussion.
CYBER-EUSR shall be able to note comments raised at TC CYBER level where both the TC CYBER leadership team and CYBER-EUSR Chair agree that the same comment has already been raised and resolved with consensus within CYBER-EUSR at an earlier stage.
TC CYBER members and CYBER-EUSR members shall work on the basis that work relating to the SRs delegated to CYBER-EUSR shall be discussed in CYBER-EUSR. Therefore, TC CYBER may reject or note any comments that could have been reasonably raised in CYBER-EUSR at an earlier stage or direct that such comments be taken to CYBER-EUSR.
Where the majority of CYBER-EUSR (71% or above) reaches consensus but objections remain, the CYBER-EUSR Chair may pass documents for approval to submit for SRdAP with details of comments or objections to TC CYBER. In this case TC CYBER shall take responsibility for making changes (if appropriate) and achieving consensus (including by vote at TC CYBER level as necessary).
CYBER-EUSR shall not have the power to vote, except to elect Vice Chair(s). As CYBER-EUSR cannot take formal votes, it is at CYBER-EUSR Chair’s discretion as to how they demonstrate that a majority consensus is achieved in the case of disagreements.
Review of SRdAP comments:
Review and handling of resolution of comments raised during SRdAP or other formal EU SReq approval steps shall be carried out at CYBER-EUSR level.
Liaisons and collaborative working:
CYBER-EUSR group shall be responsible for day to day interactions of any applicable liaison or collaborative working group arrangements (e.g. to CEN CENELEC JTC13 Working Groups) that have been agreed by TC CYBER. CYBER-EUSR may generate and send liaison statements without TC CYBER approval to any groups with which TC CYBER already has a liaison relationship but TC CYBER should be copied in all such LSs.
Where any new liaison relationships are required CYBER-EUSR will notify TC CYBER of the new relationship requirement and TC CYBER will then be responsible for approving and establishing the necessary relationship.
Non ETSI members of collaborative working groups may attend CYBER-EUSR meetings or have access to documents as per collaborative working mode agreed by TC CYBER under normal ETSI rules (e.g. Mode 4).
Exceptions:
In the event of exceptions or gaps in the present Terms of Reference, CYBER-EUSR group chair shall refer any issues to TC CYBER leadership team for resolution.
In all cases the principles of ETSI working procedures and directives apply except as profiled here to allow a greater weight to be given to EU members work on EU specific standardization requests. However these ToR do not restrict non-EU ETSI members from taking part in CYBER-EUSR or reduce the validity of any comments that they may raise on any document or in any discussion.
Maintenance:
At any point after creation that CYBER-EUSR completes all SReq work allocated to the CYBER-EUSR, the group will be placed into a mothballed state ready to be returned to an active state if there is a need to perform maintenance on standards that it has produced (both exclusively or collaboratively with other ESOs).
TC CYBER will review the status of the group annually and if it becomes clear that no further SReqs will be allocated to the group it may be closed (ETSI BOARD and ETSI OCG will be consulted before doing so). In this scenario TC CYBER will assume direct responsibility for standard maintenance of CYBER-EUSR deliverables.