Welcome to the second part of our interview with Brecht Wyseur, Director of Cybersecurity Standardization at Kudelski IoT and Board Member of the DLMS User Association.


In this conversation, we explore how upcoming EU regulations are reshaping utility cybersecurity, why preparing for quantum computing is becoming urgent, and how post-quantum cryptography is being embedded into tomorrow’s infrastructure. He also shares a personal principle that guides his work: in cybersecurity, simplicity is the strongest defense.


If you haven’t yet, be sure to read the first part of the interview here.


How do current and upcoming regulations impact the way utility security is implemented, and do you think they are sufficient?

That’s a great question. Let me first link back to the first part of the interview. There we talked a lot about transition — transition of the infrastructure, and of the way we do security in that regard. Here again, we also need to think about transition: transition in the way regulators need to deal with change.


Regulators play a very important role in ensuring that what happens in that transition happens in a cyber-secure manner. Regulators need to enable new incentives for the different actors in the market to be cyber secure, and secondly, they also need to enable new business models. Both need to go hand in hand.

If you look at it from the utility point of view — utilities and the new infrastructures have requirements to open data. Typically, metering data that is being measured at households or in industry — that data has value for making decisions, not only for the utility but also for the end consumer. An end consumer has an interest to say, “I want to charge my battery” or “I want to charge my car at this given time” because their energy consumption facilitates that, or the tariff is favorable for doing that.


That requires open data. And it’s important that the utility opens its network to some extent to connect those devices — to get that data and to make decisions. To reach that point, you need utilities capable of opening their data, and you need consumers using the use cases provided by manufacturers who implement them and have their devices ready. All of this needs incentives.

If you look at it from a historic point of view, the business model of utilities has mostly been about guaranteeing power — bringing power from generation to the consumer — and they are paid for that, usually per kilowatt hour. If that business model remains the same, what would their incentive be to invest in opening data? We need to figure out new business models, and regulators play an important part in that — new business models such that utilities have an incentive to invest in new infrastructure use cases.


Additionally, we want the devices that get connected to those networks to also be cyber secure. We discussed in the first part how to do that — whether certification schemes are needed, how a utility can validate that a device works, whether it can rely on certification. Also there, regulators play an important role. They need to put in place the rules and frameworks by which devices or systems — even as a whole — can be validated, and there can be a certification proving that a device is secure. Based on that, utilities can decide, “Yes, I integrate that device,” or, “Yes, I use that device to enable new use cases.”


For regulators, it’s very important to think about new business models, to encourage those, and then think about how to put in place the regulatory landscape. What’s happening today is going in the right direction.

If you look for example at Europe, there is the upcoming Cyber Resilience Act. There is also NIS2. The Cyber Resilience Act provides a framework around product security and defines rules for what a manufacturer needs to do to enable secure product design and maintain products securely over their lifetime — through vulnerability handling, firmware updates, and so forth.

Certification schemes are being discussed and defined. Again, this is valuable and going in the right direction, paving the way for having cybersecurity in systems.


The United States has a slightly different approach than Europe. With the CRA, the Radio Equipment Directive, NIS2, and so forth, the EU is putting in place mandatory rules for market access. The US is testing voluntary models to incentivize manufacturers, for example with the FCC Cyber Trust Mark for consumer products. There, if you comply, you get a stamp. And the hope is that this stamp — this trust mark — will motivate consumers to buy equipment that has been validated as cyber secure, instead of buying non-validated (and thus riskier, from a cybersecurity perspective) equipment that may be cheaper.


We’ll have to see how that goes.

Diving a bit more into the details of what is valuable in regulations: NIS2, which is currently being implemented in different regions in Europe, and the CRA have a number of very useful aspects. First of all, their requirements apply not only to the manufacturer or the network operator, but also to their suppliers. Utilities need to look at their suppliers, and manufacturers need to design their products based on their supply chain. As a result, we’ll end up with cybersecurity processes that govern the entire product supply chain.


Another important aspect is vulnerability reporting. We can only know how secure a system is — or how good our security posture is — if we know what the issues are, if we observe them. We see customers of Kudelski asking a lot of questions around that. In our company, we’ve been developing advisory services to help customers put in place compliance with NIS2 and the CRA. We also have services for validating whether devices are good. We take this look at the entire supply chain. We also have technology to make sure that when secure technology is integrated early in the supply chain, it can be leveraged later on.

For example, when commissioning devices, you can use functionality or identity that was integrated into the chipset.


Last but not least, the new regulations are also aiming for harmonization, to address the diversity of different rules in different regions in Europe. For example, in France, if you have a smart meter, it needs to be CSPN certified to be sold to a utility or connected to its network. That’s specific to the French market. While it’s recognized in some other markets, it is not harmonized. Not all EU countries will accept CSPN certification as a sufficient prerequisite. Instead, manufacturers may have to re-certify devices, which brings additional cost. These new regulations aim to address that.


In the next few years, we’ll see more and more certification schemes that fall under harmonized regulations. Under the CSA — the Cybersecurity Act — there is the EUCC, the European Common Criteria certification framework. Under that, we’ll see certification for equipment related to critical infrastructure.

It starts now; just a few days ago, we saw the first components certified under the EUCC. Yesterday, when I looked, there were the first two components that had been certified under the EUCC.


For what concerns the energy market: under the CRA, smart meter gateways have been explicitly identified as requiring EUCC certification.


Whether it’s sufficient is something we’ll have to evaluate over the next few months, as the implementation of delegated acts is still in progress. The European Commission has indicated that at least the baseline technical specification of cybersecurity requirements for the CRA should be ready before the summer this year. We’ll then need to see if member states agree thereon.

I’m hopeful on this path forward and how things will unfold in the coming months.

Looking ahead, how do you see the evolution of cyber security in utilities over the next years, and what should industry stakeholders prioritize? What do you think about this, particularly in light of advancements in quantum computing?


As to your question on quantum computing: quantum is a major technology shift — the next big challenge we need to address, particularly in the energy sector. It is the elephant in the room.

To put it simply, the risk with quantum computing lies in the new capabilities it brings — capabilities that could be used to break the cryptographic algorithms currently protecting our infrastructure. If those capabilities become widely accessible, they could be used to tamper with data and more critically, interfere with control commands — like shutting down equipment — which would have serious implications to our infrastructure resilience.

These are risks we need to prepare for. Right now, such attacks are incredibly expensive and largely theoretical, and so not yet a threat. But at some point, quantum capabilities will become real. It is not a question of “if”, but a question of “when”.

To address the challenge, we need to put things into the right perspective. When these threats become real, in my opinion they will still come with a cost for the adversary. They likely won’t be cheap or easily accessible; adversaries will need to invest time and resources to mount attacks. As such, we can think in terms of adversarial incentives. If someone could break my home door lock using quantum tech, I wouldn’t be too worried — I doubt anyone would spend a million dollars to do that; there are cheaper ways to get into my home. But for threatening a system that protects critical infrastructure, national interests, or public safety, adversaries may have different incentives.


In a geopolitically fractured world, we’ll need to prioritize securing our critical infrastructure. The defenses are already being developed. For example, NIST in the United States is playing a central role in defining new cryptographic algorithms that are resistant to quantum threats. Some standards have already been released, and more are expected this summer.


At Kudelski, we’re actively involved in this process — contributing to definitions, participating in migration projects, and working with standardization bodies to help implement quantum-ready systems. In the DLMS User Association, within the security task force, we’re also advancing quantum readiness. We’re integrating the NIST algorithms into the DLMS protocol.


We have a team of experts from utilities and manufacturers — a good mix of operational and technical perspectives — who are working together to define which algorithms make sense to support. From there, we’ll create clear guidelines so the membership can implement them properly, and so utilities can transition from classical cryptography to post-quantum resilience.

These discussions are already underway — not only within our membership but also with regulators. We’re hearing increasing concerns from regulatory bodies. For example, the UK has recently recommended migration plans to be in place by 2028 and fully deployed by 2035. 2028 in our world is just around the corner. We’ll need to rapidly advance the standards and start implementing them as soon as possible.


Our goal is to define protocols that are resilient to quantum computing, leveraging the algorithms that are being proposed and working with the community on migration. Such migration is already ongoing in some markets. For example, most modern web browsers now include either fully quantum-resistant implementations or hybrid models that combine classical and quantum-resistant encryption.


Web environments are early adopters because internet bandwidth and battery constraints are less of an issue there. But for other systems — especially those with strict efficiency requirements — we need more work to adapt the implementations and anticipate their impact. For example, anticipating the impact of larger keys and certificates on network load and response time.


At Kudelski, we’ve been investing in post-quantum research and development. We’ve taken part in the algorithm competitions and contributed to the development of migration strategies. Our focus is not only on the cryptography itself but also on how these algorithms are implemented securely in real devices. While an algorithm can be cryptographically secure, its implementation may still lead to attacks. A perfectly secure protocol can be compromised if key material is extracted through side-channel attacks. That’s why we’re also researching implementation hardening — how to prevent attackers from using side-channel techniques to steal secrets from software or hardware. Exciting work, and we’re proud to be at the forefront of it. We’re collaborating closely with chipset makers, device manufacturers, and utilities to deliver secure, future-ready solutions.


As for AI and machine learning — compared to quantum, I see them as less of a threat (from a cybersecurity perspective). AI is more of a tool to support decision-making in operations. It can be used to enhance both defense and attack strategies, yes — for example, optimizing side-channel attacks or improving system monitoring — but it doesn’t fundamentally change the cryptographic landscape in the way quantum computing does.
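The hybrid model mentioned above (a classical key agreement combined with a post-quantum one) and the concern about larger keys on constrained links, shown as an added example that is not code from Kudelski, the DLMS User Association or this interview: a two-flight key exchange in Go that pairs X25519 with ML-KEM-768 and feeds both shared secrets through an HKDF-style combiner bound to the full transcript. It assumes Go 1.24 or later (crypto/ecdh and crypto/mlkem from the standard library); the message layout, the combiner construction and the label string are assumptions made for illustration, in the spirit of the X25519MLKEM768 group used in TLS 1.3 but not its key schedule and not the DLMS encoding.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Domain-separation label for the combiner (an assumed name, not a registered identifier).
const combinerLabel = "example-hybrid-x25519-mlkem768"

// Offer is the client's first flight: both public keys.
type Offer struct {
	X25519Pub []byte // 32 bytes
	MLKEMPub  []byte // 1184 bytes (mlkem.EncapsulationKeySize768)
}

// Reply is the server's answer: its ephemeral X25519 key plus the ML-KEM ciphertext.
type Reply struct {
	X25519Pub []byte // 32 bytes
	MLKEMCt   []byte // 1088 bytes (mlkem.CiphertextSize768)
}

// Client keeps both private keys, and its own offer for transcript binding, until the reply arrives.
type Client struct {
	ecdhPriv *ecdh.PrivateKey
	kemDec   *mlkem.DecapsulationKey768
	Offer    *Offer
}

// NewClient generates an ephemeral X25519 key and an ML-KEM-768 key pair.
func NewClient() (*Client, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	dk, err := mlkem.GenerateKey768()
	if err != nil { return nil, err }
	o := &Offer{X25519Pub: priv.PublicKey().Bytes(), MLKEMPub: dk.EncapsulationKey().Bytes()}
	return &Client{ecdhPriv: priv, kemDec: dk, Offer: o}, nil
}

// ServerRespond runs X25519 against the client's key, encapsulates to the client's
// ML-KEM key, and returns the derived key plus the reply to send back.
func ServerRespond(o *Offer) ([]byte, *Reply, error) {
	clientPub, err := ecdh.X25519().NewPublicKey(o.X25519Pub)
	if err != nil { return nil, nil, err }
	ek, err := mlkem.NewEncapsulationKey768(o.MLKEMPub)
	if err != nil { return nil, nil, err }
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	ssECDH, err := priv.ECDH(clientPub)
	if err != nil { return nil, nil, err }
	ssKEM, ct := ek.Encapsulate()
	r := &Reply{X25519Pub: priv.PublicKey().Bytes(), MLKEMCt: ct}
	return combine(ssECDH, ssKEM, o, r), r, nil
}

// Finish completes the client side. ML-KEM never reports a bad ciphertext: implicit
// rejection yields an unrelated key, so tampering shows up as a key mismatch, not an error.
func (c *Client) Finish(r *Reply) ([]byte, error) {
	serverPub, err := ecdh.X25519().NewPublicKey(r.X25519Pub)
	if err != nil { return nil, err }
	ssECDH, err := c.ecdhPriv.ECDH(serverPub)
	if err != nil { return nil, err }
	ssKEM, err := c.kemDec.Decapsulate(r.MLKEMCt)
	if err != nil { return nil, err }
	return combine(ssECDH, ssKEM, c.Offer, r), nil
}

// combine is an HKDF-style combiner (RFC 5869 extract/expand over HMAC-SHA256): both shared
// secrets form the IKM and the full transcript is bound via info, so breaking one primitive is not enough.
func combine(ssECDH, ssKEM []byte, o *Offer, r *Reply) []byte {
	transcript := sha256.New()
	for _, part := range [][]byte{o.X25519Pub, o.MLKEMPub, r.X25519Pub, r.MLKEMCt} {
		transcript.Write(part)
	}
	extract := hmac.New(sha256.New, make([]byte, sha256.Size)) // HKDF-Extract, zero-filled salt
	extract.Write(ssECDH)
	extract.Write(ssKEM)
	expand := hmac.New(sha256.New, extract.Sum(nil)) // HKDF-Expand, single block T(1)
	expand.Write([]byte(combinerLabel))
	expand.Write(transcript.Sum(nil))
	expand.Write([]byte{1})
	return expand.Sum(nil)
}

func main() {
	c, err := NewClient()
	if err != nil { panic(err) }
	serverKey, reply, err := ServerRespond(c.Offer)
	if err != nil { panic(err) }
	clientKey, err := c.Finish(reply)
	if err != nil { panic(err) }
	fmt.Printf("keys agree: %v; offer %d bytes, reply %d bytes (X25519 alone: 32 each)\n",
		hmac.Equal(clientKey, serverKey), len(c.Offer.X25519Pub)+len(c.Offer.MLKEMPub),
		len(reply.X25519Pub)+len(reply.MLKEMCt))
}
```

Running it prints matching keys and the size of each flight: the offer grows from 32 bytes to 1216 and the reply from 32 to 1120, which is the per-handshake overhead a metering link has to absorb before any certificate is even sent. Two design points matter for a constrained deployment: the transcript is hashed into the combiner so that a modified ciphertext or public key changes the derived key on the honest side, and a tampered ML-KEM ciphertext does not raise an error in Finish (implicit rejection), so the protocol above it must confirm the key with an authenticated message before trusting the session.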


What is the most important lesson you learnt throughout your career?

Keep it simple.

We’ve been discussing this whole transition — the evolution of networks, cybersecurity, and everything around it. In the end, you may end up with very complex systems that we need to secure. And as we know: complexity is the enemy of cybersecurity.

The main lesson I have learned is to approach such challenges in the simplest way possible. Try to keep it manageable at all levels when trying to solve the cybersecurity challenge. And even if solutions turn out to be complex, make sure you can explain them in a simple, easy-to-understand manner.

Our job as cybersecurity specialists at Kudelski is to manage the complexity of cybersecurity and all the aspects around it. For our customers, it needs to appear simple and be solved, such that they can sleep without worries.


Conclusions:

Through initiatives like the Cyber Resilience Act, NIS2, and the Cybersecurity Act, regulators are not only pushing for higher security standards but also incentivizing new business models that support open, secure data usage. This holistic approach is essential in aligning technological transformation with robust cyber defense.

While the risk of quantum-computing attacks remains theoretical for now, standardization bodies and industry players are already working to integrate post-quantum algorithms and protocols to future-proof infrastructure before the threat becomes tangible.

Despite the technical complexity of cybersecurity, the most enduring principle is simplicity. Straightforward design, clear implementation, and transparent communication are key to building resilient systems.


Question for the audience:

With new regulations and quantum threats on the horizon, how confident are you that your current cybersecurity strategy will still be effective five years from now?
