This presentation examines the role of OSCAL (Open Security Controls Assessment Language) in the evolving European cybersecurity policy landscape, focusing on its potential to streamline compliance processes across Europe.
As EU cybersecurity-related policies continue to grow, creating increasing compliance challenges for organisations, the presentation breaks down the process – from cybersecurity policies and laws to certified audits and improvement reports – to highlight existing challenges and ways in which OSCAL could enable automation and standardisation.
Automating compliance with machine-readable formats like OSCAL can speed up assessments, standardise procedures, and enable continuous monitoring, which matters given the current shortage of resources and expertise. There is a clear need to simplify and automate compliance mechanisms so that cybersecurity requirements are met effectively rather than only documented.
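To make "machine-readable compliance" concrete, here is an added example (not from the presentation or from ECSO) of the kind of check an OSCAL-based GRC tool can run automatically: given a catalog of controls, a profile selecting a subset of them, and an assessment-results document, report which selected controls are satisfied, failing, or never assessed. The three JSON documents are hand-constructed minimal subsets of the OSCAL 1.0 JSON layout (catalog/profile/assessment-results); the control identifiers, titles and UUIDs are made up, and the profile handling covers only `include-controls` with `with-ids`, not full profile resolution.

```python
"""Control-coverage check over a constructed subset of OSCAL JSON (added example)."""
import json
from typing import Dict, Iterator, List, Set

# Constructed catalog: three controls, each with an assessment-objective part.
CATALOG_JSON = """
{"catalog": {
  "uuid": "11111111-1111-4111-8111-111111111111",
  "metadata": {"title": "Example catalog", "last-modified": "2024-01-01T00:00:00Z",
               "version": "0.1", "oscal-version": "1.0.4"},
  "groups": [
    {"id": "ac", "title": "Access Control", "controls": [
      {"id": "ac-1", "title": "Policy and Procedures",
       "parts": [{"id": "ac-1_obj", "name": "assessment-objective", "prose": "A policy exists."}]},
      {"id": "ac-2", "title": "Account Management",
       "parts": [{"id": "ac-2_obj", "name": "assessment-objective", "prose": "Accounts are managed."}]}]},
    {"id": "ir", "title": "Incident Response", "controls": [
      {"id": "ir-4", "title": "Incident Handling",
       "parts": [{"id": "ir-4_obj", "name": "assessment-objective", "prose": "Incidents are handled."}]}]}
]}}"""

# Constructed profile: selects all three controls from the catalog above.
PROFILE_JSON = """
{"profile": {
  "uuid": "22222222-2222-4222-8222-222222222222",
  "metadata": {"title": "Example baseline", "last-modified": "2024-01-01T00:00:00Z",
               "version": "0.1", "oscal-version": "1.0.4"},
  "imports": [{"href": "example-catalog.json",
               "include-controls": [{"with-ids": ["ac-1", "ac-2", "ir-4"]}]}]
}}"""

# Constructed assessment results: ac-1 passes, ac-2 fails, ir-4 was never assessed.
RESULTS_JSON = """
{"assessment-results": {
  "uuid": "33333333-3333-4333-8333-333333333333",
  "metadata": {"title": "Example assessment", "last-modified": "2024-03-01T00:00:00Z",
               "version": "0.1", "oscal-version": "1.0.4"},
  "import-ap": {"href": "example-plan.json"},
  "results": [{
    "uuid": "44444444-4444-4444-8444-444444444444", "title": "Q1 assessment",
    "description": "Constructed sample", "start": "2024-03-01T00:00:00Z",
    "reviewed-controls": {"control-selections": [{"include-all": {}}]},
    "findings": [
      {"uuid": "55555555-5555-4555-8555-555555555555", "title": "AC-1", "description": "",
       "target": {"type": "objective-id", "target-id": "ac-1_obj", "status": {"state": "satisfied"}}},
      {"uuid": "66666666-6666-4666-8666-666666666666", "title": "AC-2", "description": "",
       "target": {"type": "objective-id", "target-id": "ac-2_obj", "status": {"state": "not-satisfied"}}}
    ]}]
}}"""


def iter_controls(node: dict) -> Iterator[dict]:
    """Yield every control in a catalog, recursing through groups and nested enhancements."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)


def objective_to_control(catalog: dict) -> Dict[str, str]:
    """Map each assessment-objective part id to the id of the control that owns it."""
    mapping: Dict[str, str] = {}
    for control in iter_controls(catalog["catalog"]):
        for part in control.get("parts", []):
            if part.get("name") == "assessment-objective":
                mapping[part["id"]] = control["id"]
    return mapping


def selected_controls(profile: dict) -> Set[str]:
    """Collect control ids named by include-controls/with-ids (a subset of profile resolution)."""
    ids: Set[str] = set()
    for imp in profile["profile"].get("imports", []):
        for selection in imp.get("include-controls", []):
            ids.update(selection.get("with-ids", []))
    return ids


def coverage_report(catalog: dict, profile: dict, results: dict) -> Dict[str, List[str]]:
    """Classify every profile-selected control as satisfied, not-satisfied, or not-assessed."""
    obj_map = objective_to_control(catalog)
    wanted = selected_controls(profile)
    status: Dict[str, str] = {}
    for result in results["assessment-results"].get("results", []):
        for finding in result.get("findings", []):
            target = finding.get("target", {})
            if target.get("type") != "objective-id":
                continue
            control_id = obj_map.get(target.get("target-id"))
            if control_id is None:
                continue  # finding refers to an objective outside this catalog
            state = target.get("status", {}).get("state")
            # One failing objective is enough to mark the whole control as failing.
            if state != "satisfied" or status.get(control_id) == "not-satisfied":
                status[control_id] = "not-satisfied"
            else:
                status[control_id] = "satisfied"
    return {
        "satisfied": sorted(c for c in wanted if status.get(c) == "satisfied"),
        "not-satisfied": sorted(c for c in wanted if status.get(c) == "not-satisfied"),
        "not-assessed": sorted(c for c in wanted if c not in status),
    }


def run_sample_report() -> Dict[str, List[str]]:
    """Run the check over the constructed documents above."""
    return coverage_report(json.loads(CATALOG_JSON), json.loads(PROFILE_JSON), json.loads(RESULTS_JSON))


if __name__ == "__main__":
    print(json.dumps(run_sample_report(), indent=2))
```

The point of the exercise is the third bucket: because the profile, not the assessor, defines what must be covered, a control that nobody assessed shows up as a gap instead of silently passing. Continuous monitoring is this check re-run whenever a new assessment-results document lands.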
What is needed? Real improvement depends on representing the relevant frameworks in OSCAL format, developing OSCAL-based GRC tools, testing them in real-world pilots, and securing buy-in from national authorities and supply chain actors. This publication marks the beginning of ECSO’s exploration of OSCAL within the European cybersecurity compliance ecosystem and identifies the success factors for its broader adoption. Key questions remain open: who should take the lead in Europe, how to create the right financial incentives, and how to achieve institutional acceptance.
Are you interested in further exploring OSCAL and automated compliance? We are setting up a Task Force at ECSO! Contact us via the button below to join.