October 26, 2024

Semiconductors of the Future: Progress in the standardization of Trusted Chips in the EU

The third workshop of the EU's Trusted Chips program marks a milestone for the security, standardization and resilience of the European semiconductor industry. The report analyzes the current state of development in relation to the Cyber Resilience Act (CRA) and the European Chips Act.

The Skyline of Athens

Introduction

The European Union’s Trusted Chips program has reached a decisive milestone with the third[1] workshop in October 2024. The aim is to strengthen the European semiconductor industry. The key challenge is to ensure continuous trustworthiness in an increasingly globalized and complex supply chain. The project period extends from August 2023 to December 2025. During the first phase, the basic requirements and technical framework conditions were developed. The basic concepts of the program and a detailed introduction can be found in my report “What are Trusted Chips?”. This report builds on these findings and analyzes the current status of the project, paying particular attention to technical, regulatory and security-related advances.

Programmatic foundations and development status

Objective

In the Trusted Chips program, “trustworthiness” refers to the integrity of a chip or semiconductor to remain reliable, secure and tamper-resistant from design through production to use by end users.

The trustworthiness of a chip is not only a technical feature, but also a regulatory and economic necessity, as increasing digitalization and networking brings with it a growing threat of cyber attacks, industrial espionage and manipulation.

Challenges in implementation

Ensuring trustworthiness across the board poses considerable challenges for the industry. One of the biggest hurdles is the increasing complexity of semiconductor designs, which are becoming ever more powerful as manufacturing processes progress, but also more susceptible to security vulnerabilities.

In addition, the global supply chains for semiconductor products are highly fragmented. Many essential components and production steps take place in different countries around the world with different regulatory frameworks. This leads to an increased attack surface, particularly in safety-critical applications such as automotive electronics, medical technology or military systems.

There are also regulatory challenges, as standards and legal requirements differ in many regions. The harmonization of these requirements at an international level is crucial in order to enable a uniform and comprehensible assessment of trusted chips.

Progress report on the third workshop

The third workshop on 24 October 2024 focused on identifying standardization gaps in the following key areas:

  1. Cybersecurity requirements along the value chain
  2. Certification process for chip authenticity
  3. Interoperability standards for mixed manufacturing environments

A key result was the clarification of the “Trusted Chips” definition:

“Trusted Chips” are semiconductor products that are trustworthy from design and maintained until end of life. The characteristics of trustworthiness are defined by ISO/IEC 313032.

The Cyber Resilience Act (CRA) and EU Chips Act deal with different topics. The following list is a brief overview of the two EU regulations.

EU Chips Act
• Initiative to strengthen the EU chip internal market
• Mapping and crisis monitoring of the semiconductor sector and production sites
• Promoting the resilience of the Union’s semiconductor ecosystem
• Definition of criteria for the recognition and support of semiconductor supply and value chains
Summary: Traceability of supply chains and strengthening within the EU internal market should improve the security of supply of semiconductors.

EU Cyber Resilience Act (CRA)
• All devices with digital elements must meet mandatory cybersecurity requirements (e.g. for smartcards, smart meter gateways, FPGA)
• All directly or indirectly networkable devices or hardware are affected
• Software that runs on devices
• Product classification by the CRA
Summary: All digital devices that are network-compatible and the associated software must meet certain standardized security requirements for data processing.

The aim of the EU is to increase the EU’s resilience to digital attacks by standardizing cybersecurity requirements. By combining the two initiatives, it is possible to develop semiconductors to meet initial security requirements right from the design process. The traceability of the supply chain enables the user to trust the integrity of the semiconductor. This means that later products already have a minimum security standard through the hardware. Specific application software can then build on this and fulfill further security requirements.

Supply Chain

The supply chain of a Trusted Chip is roughly broken down into:

  1. Chip Design (e.g. IP Development, Concept C Design)
  2. Selection and procurement of production materials
  3. Production (e.g. wafer, assembly, packaging, tests)
  4. Logistics (e.g. transportation to the PCB manufacturer)
  5. Product manufacture
  6. Application (e.g. smart meter, mobility and medical sector)
  7. Reuse and recycling (e.g. end-of-life)

The individual levels can be subdivided very broadly. For example, over 1000 different production steps are required to manufacture a chip. Each level is exposed to different threats, e.g. misconfiguration, tampering, side-channel attacks. To ensure that a chip remains classified as trustworthy across all levels, uniform security rules must be defined by the industry and legislation and applied in a binding manner.

NIST IR 8532

Independently of the EU, the National Institute of Standards and Technology (NIST) is also working on this topic in the USA. The technical presentations and discussions focused on semiconductor manufacturing. In terms of content, the life cycle, testing, vulnerability management and other aspects of cyber security were discussed and published in NIST IR 8532 in February 2025. The document includes feedback from industry, academia and government for the development of guidelines or standards for the application of recommended cybersecurity requirements. Additionally, the use of automated tools for ongoing verification is emphasized.

Data evaluation

The supply chain of the Trusted Chips Program developed to date is underpinned by the number of standards already identified. The relevance of a standard is based on the criteria from the Cyber Resilience Act (CRA) and whether this standard enables an improvement in cybersecurity along the supply chain. Pure production standards such as those for lithography (etching processes, photoresist requirements, etc.) have no relevance for the CRA.

The compilation includes 178 norms, standards and other relevant documents (e.g. NIST publications). These were assigned to the simplified supply chain per step. Of these, 79 entries are not assigned to any step of the supply chain.

A standard can be assigned to several steps, as these could relate to different steps in the supply chain in terms of content. For example, a cryptographic process can already be considered in the chip design, but can also be implemented later as software on a PCB board during application development.

Overview Supply Chain

Threat Landscape

In contrast to software security measures, which can be adapted retrospectively, security vulnerabilities at hardware level are often irreversible. A security-by-design approach is therefore essential to ensure trustworthy and tamper-proof systems in the long term.

The European Cybersecurity Agency (ENISA) highlights the growing importance of hardware security in the Threat Landscape report, especially in critical infrastructures. According to the report, supply chain attacks quadrupled between 2020 and 2021, with around half of these attacks attributed to advanced persistent threats (APTs). Physical tampering in production facilities is a critical attack vector where attackers with physical access can compromise hardware components without leaving any detectable trace. State-sponsored actors are increasingly implementing backdoors in hardware or software components, which has far-reaching security implications for the European digital infrastructure.

While software and network security remain in focus, the report makes it clear that an insecure hardware foundation can undermine even the best software protection mechanisms. To further improve the security situation, research and development in the field of hardware security should be intensified, European standards harmonized and closer cooperation between industry, authorities and research institutions promoted.

Outlook

The results of the workshops will be used to identify gaps in standardization. This will form the basis for a subsequent roadmap to systematically drive standardization forward. Completion is planned for December 2025. Finally, the results achieved will be introduced and further processed at CENELEC level. The finished version of the subsequent roadmap will serve as a fundamental control element that guides all follow-up activities and coordinates adaptation processes within standardization.

Acknowledgments

We would like to thank Uwe Rüddenklau, Claus Westenberger, Elena Rongen, Alexandra Fabricius and Anuschka Wojciechowski for their support, organization and leadership during the Trusted Chips program. We would also like to thank the Next Generation DKE network for this opportunity for professional and personal development.

Authors

Milan Ferus-Comelo

Through my embedded systems degree, I work at the interface between hardware and software, focusing on electronics and semiconductor technology. This interdisciplinary expertise enables me to analyze and optimize complex systems and develop innovative solutions. As part of the Trusted Chips Young Professional Program, I can deepen my knowledge at hardware level and actively contribute to the further development of the EU semiconductor industry. As a member of Next Generation DKE, I am committed to making future technologies secure, sustainable and trustworthy.

Dominic Seela

I work intensively with hardware and software. My degree in electrical engineering, information technology, automation technology and computer science helps me to plan and network technical systems and to commission industrial systems. This means that current standards and legal developments such as NIS2, KRITIS and the CRA are particularly important. Through the Trusted Chips Young Professional Program, I was able to further deepen my knowledge of cybersecurity at hardware level and also help shape a small part of the EU chip internal market.


  1. The second workshop was postponed at short notice for organizational reasons. In order to remain consistent with the project schedule, the next workshop was agreed to be the third workshop. ↩︎