How to perform cybersecurity market analysis
The European Union Agency for Cybersecurity (ENISA) introduces a framework to perform cybersecurity market analyses and dives into the market of the Internet of Things (IoT) distribution grids for validation.
What’s the objective?
To improve market penetration, value for money, quality and acceptance of products, processes and services, performing cybersecurity market analysis has become an important tool for a variety of stakeholders. Market data is currently considered key to making informed decisions related to cybersecurity choices, on new products to be launched, policy initiatives or research and innovation funding.
The first report introduces a market analysis framework to be applied across various application areas over time.
The second report analyses the IoT cybersecurity market demand and supply in the sector of electricity distribution grids across the EU.
How does the framework work?
The framework consists of a toolbox designed to facilitate the performance of cybersecurity market analyses. It offers a range of analysis approaches based on innovative market modelling specifically adapted to the cybersecurity market.
This framework can be applied to various market segments. Structured around six modules, it offers the flexibility to choose the type of the performed analysis among:
- Market structure & segmentation
- Demand-side research
- Supply-side research including vendor market map
- Technology research
- Macro-environmental factors and
- Economic market characteristics.
Main points and foreseen next steps
On the framework
Identifying the right data and the right method to perform data collection is essential if we want to avoid pitfalls such as bias. The processing techniques currently available need to be assessed and selected wisely. Moreover, the confidentiality of market data collected also raises both competition, and technical questions to be addressed. They call for the use of anonymisation, implementing security controls, etc.
The framework introduces a coherent taxonomy of cybersecurity products, processes and services. This cybersecurity taxonomy has been derived from relevant work already performed within the EU. Cooperation with stakeholders that are active in classifying cybersecurity has also been taken into account (e.g. European Commission’s Joint Research Centre).
Furthermore, Member States already started implementing cybersecurity market surveillance functions. These functions aim to check whether ICT products comply with the requirements of EU cybersecurity certificates. The development of market surveillance in Member States has been identified as a priority for ENISA today and for the years to come. The proposed cybersecurity market analysis framework may be a useful input to these efforts.
On IoT in distribution grids
The analysis on IoT for electricity grids reveals that the architecture of distribution grids is undergoing some major changes. Flexible and dynamically configured bi-directional power flows are gradually replacing traditional, one-way transmission electricity grids. The digital transformation of electricity grids will imply investing in digitalised components. However, this digitalisation will in turn lead to more cyber threat exposure by adversaries, such as State or non-State actors.
The report on IoT serves as a proof of concept of the initial cybersecurity market analysis framework published herewith. Part of the objective of this report was to validate the applicability of the proposed framework. With the support of the Ad Hoc Working Group (AHWG) on the EU Cybersecurity Market established by ENISA in 2021, the Agency will conduct additional cybersecurity market analyses to further develop the framework.
What’s the legal base?
The Cybersecurity Act (CSA) foresees the assessment of market developments, inter alia in the context of certification. Because certification is intended to improve the functioning of the internal market, performing the analysis of market trends both on the demand and on the supply sides helps ensuring market-enforcing certification efforts. Within this context, market analysis will therefore contribute to reducing the fragmentation of the EU internal market, an objective provided for by the CSA.