Certification for Cybersecurity in EU ICT using Decentralized Digital Twinning

Privacy Policy

This Privacy Notice will inform you as to how the COBALT Consortium (hereinafter referred to as the “Consortium”, “we”, “us” and “our”) collects and processes information about you and in particular your personal data. We hereby assure you that this Privacy and Personal Data Protection Policy (“Policy”) fully respects and complies with EU Regulation 679/2016 (“Regulation”) and any other relevant legislation.
The processing of personal data, such as name, address or e-mail address of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to the COBALT Consortium. Through this data protection declaration, we would like to inform anyone concerned and the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.
As the data controller, the COBALT Consortium has implemented numerous technical and organizational measures to ensure comprehensive protection of personal data processed through this website.

Useful Definitions

  • Personal Data
    Personal Data is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, indicatively by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Personal data breach
    Personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  • Controller
    Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor
    Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Processing
    Processing is any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Third party
    Third Party is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
  • Consent
    Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The Controller

For personal data where we, as a Project Consortium, determine the purposes and means of the processing, the Data Controller is the COBALT Consortium.


Principles we adhere to

At the COBALT Consortium, we are committed to and adhere to the following principles of processing personal data in accordance with Article 5 of the Regulation. The personal data is:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject (principle of ‘lawfulness, fairness and transparency’);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (principle of ‘purpose limitation’);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of ‘data minimisation’);
  • accurate and, where necessary, kept up to date; we take every reasonable step to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (principle of ‘accuracy’);
  • kept in a form which permits identification of data subjects for no longer than it is necessary or as required by relevant Laws (principle of ‘storage limitation’);
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (principle of ‘integrity and confidentiality’).

Finally, we are able to demonstrate compliance with the aforementioned principles (principle of ‘accountability’).


Collection of Personal Data

The COBALT Consortium, as the Data Controller, collects Personal Data from you for the purposes of research and within the project’s scope, in the following cases:

  • When you contact us directly or indirectly (e.g. through the project’s webpage and/or e-mail, or through our partners, or through our Social Media pages, etc.), in order to be informed regarding the Project or ask for relevant information;
  • If you fill in any of our documents or subscribe to our newsletter;
  • The COBALT Consortium may also publish videos or photographs from events or workshops, provided that the relevant data subject has given consent to their publication. There is no transfer of this personal data to third parties outside the COBALT Consortium.


Minors’ Personal Data

We do not collect or process minors’ personal data without verifiable parental consent in cases when we are able to control it. For example, it is not possible to control information that is communicated to us online. In any event, if we find that we have collected any personal information from a minor without verifiable parental consent (in accordance with Article 8 of the Regulation), we will immediately delete the information from our records. If you believe we may have collected information from a minor, please contact us.


Categories of Data Subjects

The categories of data subjects include:

  • Partners of the Consortium.
  • Users visiting the project website.
  • Social Media users.
  • COBALT platform users.
  • General Public.


Kind of Personal Data we may collect about you

Data from the following categories of personal information about you may be collected and processed per case in order to serve the purpose of the data collection and in accordance with the relevant legal basis as described in this Policy:

  • Contact details for you or for a natural person you may indicate in your place (name, surname, address, telephone or fax number, email);
  • Occupational information (occupation, position);
  • Incident investigation data, such as incident details, data of persons involved or related information;
  • Information required by the institutional framework, such as personal data of persons dependent on or related to our Consortium members;
  • Apps/websites/social media-related data (cookies, full name or nickname, information you publicly disclose and comments on social media, or email attachments);
  • Your picture when you attend our events, or when your photo is uploaded to our social media or website, in both cases with your consent;


Purposes of Processing & the Legal Basis of Data Processing

The processing of personal data is based on one of the “legal bases” as referred to in Article 6 of the Regulation (or Article 9 in case of special categories of personal data).
The legal bases on which the collection and processing of personal data rest are, in most cases, consent, the performance of our contractual obligations, compliance with our legal and statutory obligations, and the safeguarding of our legitimate interests. For special categories of personal data, the bases are explicit consent, the performance of obligations and the exercise of specific rights of the controller or data subject in the field of labour law and social security/social protection law, and the assessment of the working capacity of the employee, medical diagnosis, or the provision of health or social care or treatment. The legal basis on which the processing of your personal data is based is as follows for each processing purpose:

Consent: when you communicate with us in any way directly or indirectly as interested in our project, when you fill in our documents, when informing you about our findings in the context of our dissemination activities, when you make a complaint or statement or when assessing us, when participating in our events, when you visit our social media accounts, or when you give us your business card.

Commitment to perform our contractual obligations: when you have agreed to receive our newsletter.

Compliance with our legal obligations: to comply with our legal obligations to all sorts of authorities such as labour law, regulatory authorities, tax, accounting, auditing, judicial authorities and agencies or in connection with our contractual obligations or during payment of our liabilities.

Safeguarding our legitimate interests: to improve our services, or when investigating and managing any potential incident, or for the assessment of persons and situations.
The Consortium is informed about the processing purposes and the legal bases under specific documents internally.


Retention of Data Period

We store personal data for as long as it is required by the respective processing purpose and any other permitted linked purpose, always within the project’s scope. On completion of the project, the data shall be stored for a period of 5 years after the completion of the project, in accordance with the requirements of the European Commission.

Cookies are stored depending on their nature as you may be informed in our cookies policy linked to the present policy (please see below).

Personal data you disclose to us as users are stored until the completion of the project.

Data that may be needed for our legitimate interests as a Controller shall be kept until the reason for storing such data ceases.

Specifically, data we process based on your consent (for example, for marketing) are kept from the time consent is obtained until it is revoked or there is no longer a need to store them.

Information that is no longer necessary is safely destroyed or anonymised. We limit access to your personal data to those partners who need to use it for the specific purpose.


How we ensure the security of Personal Data

We have taken reasonable organizational and technical measures to protect the personal data we collect, and in particular any specific categories of personal data. We follow international standards and practices to ensure the security of our networks. We assure you that your personal data is processed securely and legally, by adhering to policies and developing and implementing procedures in accordance with the purposes and legal bases of processing. For example, the following security measures are used to protect personal data against unauthorised use or any other form of unauthorised processing:

  • Access to personal data is restricted to a limited number of authorised partners as per project structure and under the Data Management Plan and Ethics requirements.
  • For our Microsoft Teams repository system, used for the processing of personal data, all technical measures are taken to prevent loss, unauthorised access or other illegal processing.

In addition, access to these ICT (information and communication technology) systems is monitored on a permanent basis in order to detect and prevent illegal use at an early stage. Although the transfer of data through the Internet or a website cannot be guaranteed to be protected from cyberattacks, we work to maintain physical, electronic and procedural security measures to protect your data.

Some of the security measures we take are not announced for obvious reasons.


To whom the Data may be disclosed

We take measures to ensure that the recipients of personal data are kept to a minimum. The personal data we collect are disclosed to third parties, provided that the legality of such disclosure is fully justified. Specific personal data from those we lawfully collect as a Controller, may be accessed (or disclosed) on a case-by-case basis by:

  • Any relevant supervisory authority within its role;
  • Any public or judicial authority where required by law or judicial decision;
  • The auditor of the company, for necessary data according to requirements (financial, employment, contracts and other controls), under confidentiality.
  • The advocate, for whatever data is required in legal cases, under confidentiality.
  • The Insurance cooperating company and only for the relevant part of the information.
  • Partners’ banks (of the company, the staff or affiliates and suppliers), only for payment related data.
  • The training or systems consultants, the trainer, for training or systems control issues and only for the necessary pieces of information and data.


Territorial Scope

The personal data we collect is processed within the European Economic Area (EEA).


Your rights as a Data Subject and how you can exercise them

You have the right to be informed, the right of access to your personal data, the rights of rectification and erasure (where permitted), the right to restriction of processing, the right to data portability, and the right to object. If processing is based on your consent, you may withdraw it at any time.

The right to be informed is exercised through this privacy and personal data protection notification. In some cases, it is also mentioned in the documents and forms we use.

We inform you that we do not use software that makes decisions based solely on automated processing, including profiling.

Right of access: you have the right to obtain from us confirmation as to whether or not your personal data is being processed as well as other relevant information, and, where that is the case, access to your personal data.

Right of rectification: you have the right of rectification of your inaccurate personal data as well as to have incomplete personal data completed by providing a supplementary statement.

Note: Since it is not possible for us to be aware of any changes to your personal data if you do not inform us, please help us keep your information accurate by informing us of any changes to your personal information we do process.

Right to erasure (‘right to be forgotten’): we have to honour this right when:

  • your personal data is no longer necessary in relation to the purposes for which we collected it;
  • you withdraw your consent on which the processing is based and there is no other legal basis for the processing;
  • your personal data has been unlawfully processed;
  • personal data has to be erased for compliance with a legal obligation we are subject to;
  • personal data has been collected in relation to the offer of information society services.

We reserve the right to refuse such a request if the processing is necessary for compliance with any legal obligation we are subject to, or for reasons of public interest, or for the foundation and exercise or support of our legal claims (according to Article 17 § 3).

Right to restriction of processing: you have the right to restriction of processing when:

  • you contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • we no longer need your personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims;
  • you objected to processing pending the verification whether our legitimate grounds override those of yours.

Right to data portability: you have the right to receive your data in a structured, commonly used and machine-readable format and, upon explicit request, to have such data transferred both to you and to another natural or legal person who will process it.

Right to object: you have the right to object to the processing of your data at any time when the reason for the processing relates to direct marketing.

In the event that you make such request in a written or electronic form regarding any of the above rights, we will assess your request and respond within one month of its receipt, either for its satisfaction or to provide you with objective reasons preventing it from being satisfied, or, given the complexity of the request and the number of requests at the given time, request an extension of response for a further two months period (according to Article 12.3 of the Regulation).

The exercise of your rights is free of charge. Where requests from you are manifestly unfounded or excessive, in particular because of their repetitive character, we may refuse to answer or charge you an administrative fee.

If you are dissatisfied with the use of your data by us, or our response after exercising your rights, you have the right to lodge a complaint with a supervisory authority.


Personal Data Breach

In the event of a breach of the security and integrity of the personal data processed, we will take the following measures (in accordance with Articles 33 and 34 of the Regulation, in case we are the Controller). We will:

  • Assess it in order to implement the appropriate procedures needed to limit the breach;
  • Examine the extent of the breach and the sensitivity of the data included;
  • Evaluate the risk and its impact on your rights and freedoms;
  • Endeavour to reduce as much as possible the damage that is or may be caused;
  • Notify the National Personal Data Protection Authority within a time limit of 72 hours of becoming aware of the breach, if required;
  • Assess the impact on your privacy and take appropriate measures to prevent the incident from recurring.

In the event we are the processor, we will inform the Controller as soon as possible.


Links to other Websites

Our Website may contain links to other websites that are not operated or controlled by us. If you click on a third-party link, you will be directed to that third-party site. We recommend that you review the Privacy Policy for each site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.



By following this link, you will be informed of our cookies policy.


Contact details with the Data Protection Authority

Additional information and terminology for the Regulation can be found at https://eur-lex.europa.eu/legal-content/EL/TXT/?uri=celex%3A32016R0679.


Contact us

If at any time you want to contact us or make a request regarding your rights or any other matter relating to the protection of personal data you may contact the project’s email.


Policy Update

This policy is effective from current date and will be reviewed when there is a significant change. This review will be available on our website.
Last update: current date (05/10/2022).


Short Description

The Bosch Group is a leading global supplier of technology and services. Its operations are divided into four business sectors: Automotive Technology, Industrial Technology, Consumer Goods, and Energy and Building Technology. The Bosch Group comprises Robert Bosch GmbH and its roughly 360 subsidiaries and regional companies in some 50 countries. If its sales and service partners are included, then Bosch is represented in roughly 150 countries. This worldwide development, manufacturing, and sales network are the foundation for further growth. The Bosch Group’s products and services are designed to fascinate, and to improve the quality of life by providing solutions which are both innovative and beneficial. In this way, the company offers technology worldwide that is “Invented for life.” 

The Bosch team “Cybersecurity Governance - Enterprise IT”, comprised of experts on governance-risk-compliance related to cloud and artificial intelligence, is involved in COBALT. Our topics of interest also comprise cybersecurity metrics and standardization/regulation.

Organisation’s role in COBALT

Our team is in charge of leading WP3, related to the framework for enabling “continuous” cybersecurity audits. We also lead the WP5 task related to the validation use case for Artificial Intelligence. Finally, Bosch also has a relevant role in topics related to standardization and the design of the COBALT architecture.

Expected Impact

Our aim is to influence the ongoing standardization activities aimed at developing cybersecurity controls, metrics, and certification for artificial intelligence (AI). These results are then planned to be integrated into Bosch’s internal cybersecurity framework so that its compliance monitoring can be automated to facilitate conformance assessments.

URL: https://www.bosch.de/


National Centre for Scientific Research "Demokritos"

Short Description

The National Centre for Scientific Research "Demokritos" holds a prominent position as the leading research institution in Greece. Established in July 1961, initially focused on nuclear research, Demokritos has evolved into an expansive interdisciplinary research center. It comprises a dedicated team of approximately 180 esteemed researchers occupying tenured and tenure-track positions, complemented by over 500 research personnel engaged in diverse projects funded primarily by State Funds, the European Union, and Private Industries.

Noteworthy achievements include adept management of numerous FP6/FP7/H2020 projects centered around 5G, virtualization, and cloud technologies. The NCSRD proudly hosts its advanced experimental 5G infrastructure in collaboration with Vodafone, alongside the innovative GOLD innovation space (i-Space) and an incubator fostering start-up and SME growth within the Lefkippos Technology Park.

Organisation’s role in COBALT

Within the project, the Center assumes a dual role, serving as both the Project Coordinator and the Work Package Leader. As the Project Coordinator, it oversees administrative aspects, acting as the primary liaison with the European Commission. Responsibilities include coordinating communication among project partners, ensuring smooth progress and high-quality task execution, providing comprehensive technical, managerial, and financial information to the European Commission, presiding over General Assembly meetings, and representing the project's interests in relevant European bodies and initiatives.

Administrative duties encompass supervising overall project progression, organizing General Assembly meetings, managing Consortium Agreement coordination, monitoring European Commission payments to partners, preparing required reports, cost statements, and project documentation, orchestrating European Commission review meetings, overseeing Intellectual Property Rights (IPR), knowledge management, and representing the consortium at various events.

Simultaneously, in its role as a Work Package Leader, the Center coordinates tasks within the designated Work Package. This involves diligently monitoring performance and progress in alignment with the project plan, ensuring seamless information flow to other Work Package Leaders, and providing comprehensive reports to the Board on the Work Package's

URL: https://www.demokritos.gr/


Advanced Network Architectures Lab

Short Description

The Advanced Network Architectures Lab (CRAAX) from Universitat Politècnica de Catalunya (UPC) is a multidisciplinary research group at the Department of Computer Architecture. The UPC is a public institution of research and higher education in the fields of engineering, architecture, sciences, and technology, and one of the leading technical universities in Europe. 

The CRAAX team was set up to concentrate a pool of knowledge in the ICT field, with the main objective of conducting breakthrough applied research in several network-related areas. Foremost, the core CRAAX mission is to transfer research results to the industry sector, but also to harvest innovative solutions with a strong impact on society overall, while simultaneously continuing to train highly skilled professionals.

Nowadays, the CRAAX team manages the CRAAX Lab, bringing together a multidisciplinary team consisting of researchers from the UPC (networking, OS, HPC and maths background) and from the Directorate of Innovation at the Hospital Clínic in Barcelona (health background). This correlation of knowledge, integrating and leveraging ICT and health profiles, fosters the development of innovative high-tech close-to-society solutions with a particular focus on smart and secured scenarios (IoX, cities, transport, homes) and on the e-health sector. CRAAX research mainly pivots on several topics where the CRAAX team substantially contributes, including cloud continuum management, cybersecurity, distributed systems modeling, and smart systems (cities, health, transportation, etc.).

As an outcome of this research, the team has participated and is participating in many national and EU projects (10 active EU projects at present), and has published the research results in many highly reputed scientific venues and in one start-up in the health arena.

Organisation’s role in COBALT

In COBALT, the CRAAX team will focus on Digital Twinning, Distributed Ledgers and Communication. Specifically, UPC will lead task 2.3 and will undertake the Digital Twinning efforts and focus on their integration in the certification chain. 

The main objectives for UPC within COBALT are: i) the design of the Digital Twin as service concept; ii) the co-development of a distributed ledger; iii) the delivery of a tool for predictive cybersecurity provisioning, and; iv) the participation in the dissemination activities of the project. 

Expected Impact

On the impact side, the CRAAX team aims both to make the most of any development and innovation the team contributes to in the project, including scientific publications and any effort on technology transfer, and to transfer the acquired knowledge to its academic duties, by including new concepts in academic courses and by developing new PhD thematic lines of work to attract highly skilled students to the group.

URL: https://www.craax.upc.edu, https://www.upc.edu/



Short Description 

CTTC is a non-profit research center, from a public initiative and with a high degree of self-financing, open to the participation of other public and private bodies, as well as to partnership with the industrial and business sectors. CTTC’s core activity is the conception, design, implementation and experimentation of research and development projects in telecommunications and geomatics, which must produce innovative results in all their development phases, in both scientific and engineering terms. Our ultimate mission is to be an Excellence Flagship Center that serves as a bridge between academia and industry. A center that influences the future paths of communication technologies, systems, networks and geomatics. 

The Packet Optical Networks and Services (PONS) Research Unit addresses packet optical communications and networking technologies, edge and cloud computing infrastructure for virtual functions and applications, and network and service management to provide high-speed, cost-effective, energy-efficient, secured, and reliable connectivity, network and slice services for multi-tenancy. It spans from the access to the metro and long-haul network segments, as well as inter and intra data center communication. To address sustainable high-capacity scaling and support network dynamicity, the adoption of spectrally and spatially multiplexed transmission systems with suitable photonic technologies and adaptive transceivers becomes crucial. Moreover, the emergence of quantum technologies and the prospect of quantum computing (which represents a threat to future network security) require reliable security mechanisms and appropriate solutions to be considered and adopted in the network infrastructure.

Network and service management will face radical architectural transformations to provide autonomous, reliable, secured, and trustworthy services. At the network level, software defined network control and telemetry will enable full programmability and real-time streaming for autonomous connectivity and transport slice management. At the service level, network function virtualization service orchestration with intent-based policies and software defined security will deploy smart and secured virtual network services and network slices. 


Organisation’s role in COBALT

CTTC will lead WP4 Digital Twinning and Decentralized Intelligence. CTTC will lead T4.1 Digital Twinning tools and trusted enablers. There, CTTC will develop the trusted manager and lead the efforts for IDS interfacing in the COBALT framework. Significant technical contributions on Inter-Ledger for Cross-Border Certification and Digital Twinning for Quantum Processes are also expected.


Expected Impact

As a non-profit research and development institution, CTTC's exploitation plans focus on transferring the knowledge gained, encouraging the use of research results for the public benefit. As part of its research activities, CTTC develops its own portfolio of patents & products, including contracts established on a case-by-case basis, developed in the framework of (bilateral) agreements given a customer's specific needs and requirements. Exploitation and transfer plans involve: i) contracts with industry for consulting and services, ii) offering the developed infrastructure / experimental platform to third parties as well as the design of prototypes, and iii) offering software licenses or software support and maintenance contracts. In particular, several components of a unified cloud and network operating system (with aspects related to SDN/NFV and network virtualization) will reach a TRL that makes them apt for transfer. Selected promising results may also be considered for patenting. It is worth noting that there are several companies that may show interest in the outputs of the project, taking into account the collaborations the group has active with them. Moreover, impact on Standardization Defining Organizations and OpenSource Software Communities (such as ETSI OpenSlice or TeraFlowSDN) is also expected.

URL: http://www.cttc.cat


European Cyber Security Organisation



Hellenic Mediterranean University




Short Description

Practin offers a full range of services in managing and implementing projects, providing long-term support (operational, technical/user support, development), as well as developing complex, specific applications adjusted to the needs and specifications of the client or project. The company participates in all phases of the development of a project, namely analysis of specifications, analysis and design of the software, its development, writing documentation, installation and setup of the environment, and its support. The know-how and the tools used in development are based on, or consist entirely of, open source technologies. Our main objective is to provide our customers with all the complex technological solutions for their business needs in a modern and demanding environment. Custom Software Development: we can create a software product tailored to your specific needs, business or activity. It is designed to achieve your unique goals, and it can be created from scratch or use any existing solutions: apps, desktop, web and cloud applications. Furthermore, we offer e-commerce solutions for shops of all shapes and sizes, as well as data management and effective data management strategy, predictive analytics, and intelligent automation, using our in-depth knowledge of emerging technologies.

Organisation’s role in COBALT

Practin will offer its expertise in the design and development of the project SW components. PRACTIN will assist in the development of different connectors and RAL will contribute to the risk evaluation framework. PRACTIN will support requirements collection and RAL will collectively support the certification design.


URL: https://practin.com


University of Murcia

Short Description

The University of Murcia is a large university with approximately 36,000 students and 3,500 staff members. From the Faculty of Informatics, the ANTS research group will participate in this project. The ANTS group is a subdivision of the Intelligent Systems Group, from the Department of Communications and Information Engineering, with experience in network infrastructure security. The research group is active in different security and IoT related projects such as ARIES, IoT Crawler, ANASTACIA, INSPIRE5G+, BIECO and OLYMPUS, and now in HE projects such as CERTIFY or ENTRUST. UMU has designed and implemented trust-based access control systems, secure data sharing mechanisms, security evaluation methodologies as well as privacy-preserving identity management solutions for distributed systems, in scenarios such as IoT/CPS.

Organisation’s role in COBALT

UMU will be WP2 leader and T4.2 leader, and will carry out research on the dynamic certification approach and on IoT bootstrapping and commissioning.

Expected Impact

UMU will work on the definition of the Common Certification Model, which could be used to describe the security and privacy properties to be analyzed and later enforced within the system lifecycle. It could also be used in the EUCS approach to provide continuous certification monitoring and evaluation.

URL: www.um.es 


Fraunhofer AISEC

Short Description

Fraunhofer AISEC supports companies from all industries and service sectors in securing their systems, infrastructures, products and offerings. More than 150 highly skilled employees work at Fraunhofer AISEC, whose competencies range from the integrated security of embedded systems and hardware components to operating systems, applications (apps) and cloud-based services to solutions for secure software and system development and the use of machine learning techniques for cyber security. In doing so, the scientists draw on comprehensive know-how across the entire spectrum of the technology stack and deal intensively with the security of industrial plants and automotive systems and the challenges of a wide range of industries such as the energy sector or the public sector. 

In COBALT, members from the Service and Application Security (SAS) department will be involved. At SAS, we are primarily concerned with the security and data protection of distributed applications as well as secure cloud and container infrastructures. Novel solutions are developed and implemented based on current results from security research, for example in the areas of cloud monitoring, secure data ecosystems, and privacy technologies.


Organisation’s role in COBALT

From earlier research projects, most notably the EU-funded projects EU-Sec and MEDINA, Fraunhofer AISEC has extensive experience in the domain of automated, continuous security certification. In COBALT, we will contribute to the results in multiple work packages. The main goals are to contribute to the COBALT concepts, e.g., the design and metrics, as well as to the technical infrastructure, e.g., the evidence collection and management tools. 

Expected Impact

We expect to make an impact in multiple ways: We want to advance the technical know-how in collecting and managing certification evidence across industries and technologies. We also want to make a scientific impact, for example by publishing papers about novel technologies and how to monitor them automatically for certification purposes.

URL: https://www.aisec.fraunhofer.de/en


Red Alert Labs

Short Description

Red Alert Labs is an IoT security provider helping organizations trust IoT solutions. We created automated security by design & certification tools and an independent security lab with a disruptive business offer to solve the technical and commercial challenges in IoT.  

Our framework covers the whole IoT solution from Chip to Cloud, is business context driven and offers proper security dimensioning with respect to the customer's maturity.  

We provide standard security certifications or independent evaluation reports based on our in-house security risk analysis, security testing intelligence, automation and security profiles.  

Our partners turn to us at any stage of the IoT product/solution life-cycle to benefit from our special expertise in IoT security and full mastering of compliance and regulations. 

Finally, the expertise of Red Alert Labs has been recognized by numerous awards, including the Label France Cybersecurity for 2019 and the 2019 award from the French IoT community. The company was also nominated for the IoT Global Awards in 2018. Red Alert Labs co-founded IoTSF and is a contributing member of EUROSMART, ACN, SYSTEMATIC, CONNECTWAVE, CEN-CENELEC, and ECSO. 

Ayman KHALIL: 

is an outstanding professional in the field of cybersecurity, thanks to his in-depth expertise as an Expert of the Ad Hoc Working Group on Cloud Services and Vulnerability Management within the European Union Agency for Cybersecurity (ENISA). With 2 years of solid experience, Ayman has established himself as a key player in the development of the European Cloud Certification Scheme (EUCS) and of related documents such as requirements guides and questionnaires to be used when certifying cloud services.

Ayman plays a crucial role as an EUCS expert, actively contributing to various projects related to directives and regulations within ENISA. His main mission is to support ENISA in the preparation of the cybersecurity certification scheme, focusing on key aspects such as boosting the adoption of cloud services, user confidence in these services, data mobility, and compliance with the European Union legal framework for the digital single market.

Ayman Khalil is not limited to his role within ENISA. He also stands out as a major contributor for several organizations and consortia focused on cybersecurity, certification and the Internet of Things (IoT). Notable contributions include his active involvement in initiatives such as IoXt, ISCI, EUCS/ENISA, ENISA vulnerability management and Campus Cyber, demonstrating his ongoing commitment to digital advancement and security. 

His expertise covers a wide range of areas, from compliance with European cybersecurity regulations to ISO standards, cloud computing and cloud security. Ayman Khalil positions himself as a versatile and seasoned professional, able to effectively help a business adapt and comply with the SecNumCloud standard. His in-depth knowledge of security requirements, controls and relevant standards makes him an invaluable asset to any organization seeking to strengthen its cybersecurity posture.



An expert in mathematics, Nataël graduated from the University of Bordeaux with a master's degree in cryptology and cybersecurity. He wrote his master's thesis on the subject "IoT security". He is currently an "IoT Security Evaluator" and tackles hardware hacking, radio frequency and protocol analysis as well as more conventional pentesting. He also carries out evaluations under the FIDO certification programme and delivers training at internal and external levels. In addition to his main mission, he has been involved in cybersecurity topics such as applied cryptography, IoT device security research, network security, the security of communication protocols and the development of testing methodologies based on cybersecurity standards. In particular, he has been involved in CC and EUCC projects as lead writer of protection profiles and security targets and participated in the substantial assurance level assessment (corresponding to AVA_VAN.2). Nataël is involved in the activities of the RED ALERT LABS laboratory as quality manager and ISO/IEC17025 expert. He participated in internal capacity building to ensure that the laboratory has the capacity to conduct a substantive evaluation of the EUCC. Nataël has also actively contributed to all projects related to the development of the EUCS certification scheme with expertise in the security of cloud solutions.


Roland ATOUI: 

has over 15 years of proven experience in cybersecurity applied to smart cards, embedded systems and the Internet of Things. He holds a master's degree in computer science and Critical Systems Engineering from Bordeaux 1 University. He also holds an Executive MBA from EDHEC Business School. 

He has built his expertise with companies such as Trusted Labs, Gemalto and Oracle. Since 2017 he has been the founder and CEO of RED ALERT LABS. He is a founding member of and contributor to several organizations that shape the future of IoT and cybersecurity, such as the IoT Security Foundation, CEN-CENELEC, ECSO, EUROSMART and the FIDO Alliance.

He is co-author of several recognized protection profiles and security targets (CC and CSPN). He has contributed to FIPS 140-2 security guidelines and policies for schemes such as ANSSI, BSI and CMVP. 

He also helped define a risk-based approach to security, from defining assets to modeling threats to selecting security requirements and assessment methodologies. These efforts have been included in the definition of private security certification schemes applied to IoT. He is a recognized expert in Common Criteria methodology, from the development of innovative tools to supporting certification and actual certification of ICT products up to EAL 5+. 

He has been the principal writer of several successful private security certification schemes. These schemes cover the definition of policies and procedures, security requirements, assessment methodologies, CAB accreditation, assurance continuity, and vulnerability management. 

His expertise extends to European and international levels, where he acts as an expert for ENISA and represents the French delegation in the activities of ESO and ISO. He is behind the development of, and a main contributor to, several IoT schemes, regulations and certification standards such as FIDO/FDO (aligned with NIST 8259D and FIPS 140-2/3), CSA, CRA, RED-DA, Eurosmart, IoTSF, EUCC, ioXtAlliance, EN 303 645, ISO 27402/4. He actively participates in the development of harmonized standards necessary to demonstrate compliance with the cybersecurity requirements of the RED Directive and its Delegated Act, as well as the CRA (Cyber Resilience Act).


A graduate of the EPITA engineering school with a master's degree specializing in computer security, Paul became an expert in cybersecurity and blockchain/Cloud technologies. He is the equipment manager in the Red Alert Labs Laboratory (ISO17025) and also works as an IoT Security Evaluator and consultant. He is involved in topics related to the creation of security plans and profiles for embedded systems, evaluation of diverse industrial IoT architectures, and advanced securing of company networks (through penetration testing). He has performed cybersecurity activities covering secure designs, risk analysis of infrastructures, IEC62443 standards, GDPR regulations and EUROSMART IoT certification schemes.
Through his work experience, Paul has already performed several audits on mobile, Cloud & IoT environments. Paul has deep knowledge of IoT and Cloud technologies and communication protocols. Paul also contributed to the delivery of the 2 projects related to the development of guidance on security requirements of EUCS for ENISA.

He has produced a series of world-first publications, evaluations of new products and services. He was selected as one of the top 100 global IoT influencers for 2019. 

Organization's role in COBALT

Red Alert Labs is mainly involved in the following WPs: 

  • WP2 - COBALT Architecture and use case definition where we will collectively support the certification design. 
  • WP3 - COBALT Continuous Certification Enablers where we will contribute to the risk evaluation framework. EBOS will leverage its WisEBOS Platform & knowledge from relevant projects (e.g. SANCUS & DARLENE for AR/VR & digital twin technologies) to develop a dashboard for visualizing a complex ICT system of the enterprise and producing an immersive operational environment.
  • and WP6 - Dissemination, Communication and Business planning where we will actively contribute to the impact maximization effort especially when it comes to standardization and empowering European cybersecurity certification. 

Expected Impact

Red Alert Labs provides fully comprehensive IoT security-by-design, risk management, consulting, audit and certification services supported by automated processes, which will mainly be extended accordingly and integrated into the COBALT certification framework.

URL: https://www.redalertlabs.com/


InQbit Innovation

Short Description

InQbit Innovations SRL is an SME that focuses on designing, developing and providing ICT solutions and services to the market. It was founded by an international team that ensures the right balance of entrepreneurship, research and engineering, and that joined forces to produce innovation that serves and satisfies societal and market needs. Although a nascent company, InQbit is already participating in four H2020-ICT projects (EVOLVED-5G, PHYSICS, TRUSTEE and aerOS) in securing 5G virtualized infrastructure and services and in other Horizon Europe projects (OASEES, FAME). InQbit's portfolio includes solutions for software design and software deployment using state-of-the-art technologies such as virtualization, Docker, Kubernetes, service mesh, immutable real-time logging, multi-regional DB replication, OpenID Connect, OAuth2, FIDO2, UMA2, SCIM, carrier-grade scalability, reliability and performance; blockchain and smart contracts.

Organization's role in COBALT

InQbit plays a pivotal role in the COBALT Certification Framework, focusing on the implementation of Self-Sovereign Identity (SSI) and Decentralized Identifiers (DIDs) for Digital Twins (DTs). The organization's primary goals include: 

  • Requirement Gathering: Identifying and documenting the specific needs and standards for SSI and DIDs within the Digital Twin environment. 
  • Development and Integration: Creating robust and secure SSI and DID solutions tailored for Digital Twins, and seamlessly integrating these solutions within the existing infrastructure. 
  • Validation: Rigorously testing the implemented solutions to ensure they meet the necessary criteria for security, efficiency, and reliability. 
  • Exploitation: Utilizing the developed solutions to their fullest potential, ensuring they are effectively employed in relevant scenarios within the framework.

Expected Impact

The expected impact of InQbit's involvement includes enhancing the security and autonomy of digital identities within Digital Twins, promoting a higher level of trust and interoperability in the digital ecosystem. The implementation of SSI and DIDs is anticipated to revolutionize the management and verification of digital identities, leading to more streamlined processes, reduced fraud, and increased efficiency in operations. This project is set to be a benchmark in the field, showcasing the potential of advanced digital identity management in a rapidly evolving digital landscape.

URL: https://inqbit.io/



Short Description

eBOS is an innovative SME based in Cyprus (Nicosia), providing technologically advanced digital business solutions to clients internationally, with a focus on the FinTech and RegTech sectors. At the same time, it is heavily engaged in Research, Innovation and Development (R&D&I) projects with involvement in more than sixty European Commission projects in recent years (FP7, H2020, HE). 

Organisation’s role in COBALT

eBOS will lead the effort towards maximizing the impact of the COBALT results through: Market Analysis and Strategy Definition including SWOT/PEST, Cost-Benefit and Cost Effectiveness Analysis; Socio-Economical Sustainability Analysis, COBALT Ecosystem Business Models and Uptake Roadmap, coordinating the overall business development activities of the project; Dissemination, Communication and Awareness Campaigns, undertaking all activities relevant to the outreach activities and diffusion of the project; Standardization and Empowering European Cybersecurity Certification, investigating the current relevant legislation and standardization landscape, defining a robust standardization strategy for COBALT results and harmonising the use of digital sovereign identity. 

Furthermore, eBOS will have significant involvement in developing the techniques for assessing and managing the risk associated with the target of evaluation during its whole life cycle, as well as in the development of the COBALT Continuous Certification Toolkit. In addition, eBOS will participate in the integration of the COBALT ecosystem and the demonstrations on the I4.0 and Quantum domains, which will showcase the advantages of the COBALT unified certification framework.

URL: https://ebos.com.cy
