CLC/TC 47X
Semiconductors and Trusted Chips Implementation
The CLC/TC 47X ‘Semiconductor device and trusted chips’ fosters the development and use of trustworthy semiconductor devices for microelectronics and embedded systems in the European Union. TC 47X aims to establish a common framework, in accordance with environmentally good practices, for the design, manufacture, and use of semiconductor devices and trusted chips, with a focus on improving security, privacy, and resilience against cyber-attacks. TC 47X is part of a broader effort by the European Union to improve cybersecurity and protect critical infrastructure against cyber threats.
The TC 47X will:
- Provide the necessary infrastructure to the European industry and experts to discuss the related future standardization activities.
- Adopt the relevant standards developed by IEC/TC 47 and its subcommittees, as per the provisions of the Frankfurt Agreement.
- Address the standardization gaps identified by TC 47X and liaison partners or a future European standardization roadmap.
- Develop European standards in response to the relevant standardization requests prepared by the European Commission (e.g. in support of the European Chips Act), particularly in terms of chip security, traceability and trustworthiness…
- Seek to establish a compliance process to develop chips safely, enabling consumers and businesses to identify and choose products that meet scalable security standards.
Uwe RÜDDENKLAU and Gerard MAS
CLC/TC 47X Chair and Secretary
Working Group 1
Microprocessors and Microcontrollers with security related functionalities
The group's activities will focus on defining harmonized standards enabling third-party assessment of Cyber Resilience Act (CRA) compliance for MCUs and MPUs with tamper resistance, for which the scope has been defined as ranging from hardware to generic software (e.g. OS, libraries), with resistance to a JIL basic/enhanced basic potential of attack. Those activities will build on existing standards such as SESIP (Security Evaluation for IoT Products). As a first step, this group will identify all relevant protection profiles for such MCUs and MPUs with tamper resistance in the context of the CRA. A critical part of the work will be to identify and address gaps in the CRA Cybersecurity Essential Requirements (CRA, Annex I of the draft CRA proposal text). Manufacturers' reporting obligations in the event of security incidents (CRA, Article 11 of the draft CRA proposal) should also be covered as part of the work.
Link to the CRA standardization request
Working on a European Standard in response to the CRA Standardization Request, Annex I, entry 28 and 29.
'Cybersecurity requirements for microprocessors and microcontrollers with security-related functionalities'
Guido ABATE, STMicroelectronics
Expert CLC/TC 47X WG 1
Working Group 2
Tamper resistant Microprocessors and Microcontrollers
The group's activities will focus on defining harmonized standards enabling self-assessment of Cyber Resilience Act (CRA) compliance for MCUs and MPUs that provide security functions without tamper-resistance claims, building on existing standards such as SESIP (Security Evaluation Standard for IoT Products). As a first step, this group will identify all relevant protection profiles for MCUs and MPUs without tamper-resistance claims in the context of the CRA. A critical part of the work will be to identify and address gaps in the CRA Cybersecurity Essential Requirements (CRA, Annex I of the draft CRA proposal text). Manufacturers' reporting obligations in the event of security incidents (CRA, Article 11 of the draft CRA proposal) should also be covered as part of the work.
Link to the CRA standardization request
Working on a European Standard in response to the CRA Standardization Request, Annex I, entry 37 and 38.
'Cybersecurity requirements for tamper-resistant microprocessors and microcontrollers'
Eve ATALLAH, NXP Semiconductor
Expert CLC/TC 47X WG 2
Working Group 3
SmartCards and Secure Element Platforms
The activities will focus on harmonizing with the Cyber Resilience Act (CRA) the Common Criteria Protection Profiles (PPs) that address smart card/secure element platforms, i.e. the high-end tamper-resistant hardware of a smart card/secure element and the generic software, such as cryptographic libraries and optional operating systems, running on it. These PPs are the de facto worldwide reference standards in the area of smart card security. Prominent examples are the Eurosmart Secure IC PP 0084, the Oracle Java Card PP 0099 and PP 0101 TCG TPM PP, to cite some. As a first step, WG3 will identify all such relevant PPs in the context of the CRA. An essential part of the work will be the identification and filling of the gaps with respect to the essential cybersecurity CRA requirements (CRA, Annex I of the CRA draft proposal text). Reporting obligations of manufacturers in case of security incidents (CRA, Article 11 of the CRA draft proposal text) should also be covered as part of the work.
Link to the CRA standardization request
Working on a European Standard in response to the CRA Standardization Request, Annex I, entry 41:
'Cyber Resilience of EUCC certified platforms of Smart Cards and Similar Devices Including Secure Elements'